| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180214073553.qsdnpetdgd4mkjdx@gmail.com>
Date: Wed, 14 Feb 2018 08:35:53 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Josh Poimboeuf <jpoimboe@...hat.com>
Cc: x86@...nel.org, linux-kernel@...r.kernel.org,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Dave Hansen <dave.hansen@...el.com>,
David Woodhouse <dwmw2@...radead.org>,
Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH] x86/entry/64: Fix CR3 restore order in paranoid_exit()
* Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> I haven't actually seen any real-world bugs caused by this, so I'm not
> sure how theoretical it is. I just stumbled upon it in code review when
> looking for another bug.
I believe it's a real bug, but the fix is wrong with irq tracing or lockdep
enabled as Dave points out.
I think the reason we haven't seen this bug yet is that "paranoid" entry points
are limited to:
idtentry double_fault do_double_fault has_error_code=1 paranoid=2
idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
idtentry machine_check do_mce has_error_code=0 paranoid=1
Only machine_check is one that will interrupt an IRQS-off critical section
asynchronously - and machine check events are rare.
The other main asynchronous entries are NMI entries, which can be very high-freq
with perf profiling, but they are special: they don't use the 'idtentry' macro but
are open coded and restore user CR3 unconditionally so don't seem to have this
bug.
Thanks,
Ingo
Powered by blists - more mailing lists