Message-ID: <83b9c187-7fbf-3e05-6321-de7fa05fd868@arm.com>
Date:   Wed, 17 Jan 2018 09:03:48 +0000
From:   Marc Zyngier <marc.zyngier@....com>
To:     Nicolin Chen <nicoleotsuka@...il.com>
Cc:     mark.rutland@....com, catalin.marinas@....com, will.deacon@....com,
        oleg@...hat.com, cdall@...aro.org, tbaicar@...eaurora.org,
        julien.thierry@....com, Dave.Martin@....com, robin.murphy@....com,
        james.morse@....com, ard.biesheuvel@...aro.org,
        xiexiuqi@...wei.com, mingo@...nel.org,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC v1] arm64: Handle traps from accessing CNTVCT/CNTFRQ
 for CONFIG_COMPAT

On 17/01/18 02:13, Nicolin Chen wrote:
> On Tue, Jan 16, 2018 at 01:37:46PM -0800, Nicolin Chen wrote:
>> On Tue, Jan 16, 2018 at 09:19:13PM +0000, Marc Zyngier wrote:
>>
>>>> I understand that it should take care of the condition field as
>>>> a general instruction handler. Just for curiosity: If we confine
>>>> the topic to read access of CNTVCT/CNTFRQ, what'd be the penalty
>>>> by ignoring the condition field and executing it anyway?
>>>
>>> Do you mean, apart from severely corrupting userspace execution?
>>> That's a rhetorical question, right?
>>
>> I don't quite understand the corrupting userspace execution part.
>> What I see for a conditional CNTVCT read is more likely:
>> 	if (condition) {	// in this case, if (true)
>> 		r1 = lower32(cntvct);
>> 		r2 = higher32(cntvct);
>> 	}
>>
>> Could you please elaborate a bit? Thank you.
> 
> I guess I got it now. The concern seems to be Thumb instructions.

Not only.

> So ignoring a condition for a Thumb instruction may cause its IT
> scope shifting. For ARM mode, the only penalty could be two Rts
> getting written -- which shouldn't corrupt userspace execution.
> 
> Please correct me if I am wrong or not thorough.

Consider the following:
	
	mov	r0, #0
	mov	r1, #0
	cmp	r1, #3
	mrrceq	r0, r1, cntvct // simplified version

Oh look, you've corrupted r0 and r1, which should never have been changed.
Whatever uses the content of r0 and r1 after the mrrc will misbehave. How
is that an acceptable behaviour? How do you expect userspace to cope
with such a brain damage?

If you intend to emulate the CPU, you must emulate it fully, to the
letter of the architecture. No ifs, no buts.

	M.
-- 
Jazz is not dead. It just smells funny...
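The register-corruption scenario Marc describes, worked through as an added example (this is not code from the thread or from the kernel patch under discussion). It models a trap handler for the A32 `MRRC` that reads CNTVCT: one variant evaluates the instruction's condition field against NZCV exactly as the ARM ARM's ConditionPassed() does, the other ignores it, and the `mov/mov/cmp/mrrceq` sequence from the mail shows the difference. The register-file struct, the `honour_cond` switch, the instruction word `INSN_MRRCEQ_R0_R1_CNTVCT` (hand-assembled here from the A32 MRRC encoding with cond=EQ, Rt=r0, Rt2=r1, p15, opc1=1, CRm=c14) and the counter value are all constructed for the example; Thumb IT-state advance, which the thread also mentions, is deliberately not modelled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal AArch32 register file for the emulation: r0-r15 plus NZCV. */
struct a32_regs {
    uint32_t r[16];
    bool n, z, c, v;
};

/* ConditionPassed() as the ARM ARM specifies it: cond[3:1] selects the test,
 * cond[0] inverts it, except that cond 0b1111 is always "execute". */
static bool a32_cond_passed(uint8_t cond, const struct a32_regs *regs)
{
    bool result;
    switch (cond >> 1) {
    case 0: result = regs->z; break;                        /* EQ / NE */
    case 1: result = regs->c; break;                        /* CS / CC */
    case 2: result = regs->n; break;                        /* MI / PL */
    case 3: result = regs->v; break;                        /* VS / VC */
    case 4: result = regs->c && !regs->z; break;            /* HI / LS */
    case 5: result = regs->n == regs->v; break;             /* GE / LT */
    case 6: result = !regs->z && regs->n == regs->v; break; /* GT / LE */
    default: return true;                                   /* AL, 0b1111 */
    }
    return (cond & 1) ? !result : result;
}

/* Set NZCV exactly as "CMP Rn, #imm" (Rn - imm) does. */
static void a32_cmp(struct a32_regs *regs, uint32_t rn, uint32_t imm)
{
    uint32_t res = rn - imm;
    regs->n = res >> 31;
    regs->z = res == 0;
    regs->c = rn >= imm;                        /* C set means no borrow */
    regs->v = ((rn ^ imm) & (rn ^ res)) >> 31;  /* signed overflow */
}

/* A32 MRRC field positions: cond[31:28], Rt2[19:16], Rt[15:12]. */
#define A32_COND(insn) (((insn) >> 28) & 0xf)
#define A32_RT2(insn)  (((insn) >> 16) & 0xf)
#define A32_RT(insn)   (((insn) >> 12) & 0xf)

/* Constructed encoding of "mrrceq p15, 1, r0, r1, c14" (CNTVCT read). */
#define INSN_MRRCEQ_R0_R1_CNTVCT 0x0C510F1Eu

/* Trap handler for the CNTVCT MRRC. With honour_cond=true it behaves like the
 * CPU: the destination registers are written only when the condition passes.
 * With honour_cond=false it does what the thread warns against. Either way the
 * instruction retires, so the PC must still skip the 4-byte A32 encoding. */
static void emulate_mrrc_cntvct(struct a32_regs *regs, uint32_t insn,
                                uint64_t cntvct, bool honour_cond)
{
    if (!honour_cond || a32_cond_passed(A32_COND(insn), regs)) {
        regs->r[A32_RT(insn)]  = (uint32_t)cntvct;
        regs->r[A32_RT2(insn)] = (uint32_t)(cntvct >> 32);
    }
    regs->r[15] += 4;
}

/* The sequence from the mail: mov r0,#0; mov r1,#0; cmp r1,#3; mrrceq r0,r1.
 * cmp leaves Z clear, so EQ fails and a real CPU never touches r0/r1.
 * Returns true iff r0 and r1 are still 0 after the emulated mrrceq. */
static bool run_scenario(bool honour_cond, struct a32_regs *out)
{
    struct a32_regs regs = { { 0 } };
    regs.r[15] = 0x10000;                       /* arbitrary PC, constructed */
    a32_cmp(&regs, regs.r[1], 3);
    emulate_mrrc_cntvct(&regs, INSN_MRRCEQ_R0_R1_CNTVCT,
                        0x123456789ULL, honour_cond);   /* constructed counter */
    if (out)
        *out = regs;
    return regs.r[0] == 0 && regs.r[1] == 0;
}

int main(void)
{
    struct a32_regs regs;
    printf("condition honoured: r0/r1 preserved = %d\n", run_scenario(true, &regs));
    printf("condition ignored:  r0/r1 preserved = %d (r0=%#x r1=%#x)\n",
           run_scenario(false, &regs), regs.r[0], regs.r[1]);
    return 0;
}
```

The same `a32_cond_passed()` gate applies to the 32-bit `MRC` used for CNTFRQ; only the destination-write differs. In the real handler the NZCV bits come from the trapped task's saved PSTATE and the instruction word from the faulting PC, not from a struct built inline.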
