| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Nov 2018 16:42:52 -0800
From: Andy Lutomirski <luto@...nel.org>
To: Ingo Molnar <mingo@...nel.org>
Cc: Andrew Lutomirski <luto@...nel.org>,
"Bae, Chang Seok" <chang.seok.bae@...el.com>,
Thomas Gleixner <tglx@...utronix.de>,
"H. Peter Anvin" <hpa@...or.com>, Andi Kleen <ak@...ux.intel.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5] x86/fsgsbase/64: Fix the base write helper functions
On Thu, Nov 22, 2018 at 12:56 PM Ingo Molnar <mingo@...nel.org> wrote:
>
>
> * Andy Lutomirski <luto@...nel.org> wrote:
>
> > On Fri, Nov 16, 2018 at 3:27 PM Chang S. Bae <chang.seok.bae@...el.com> wrote:
> > >
> > > The helper functions that purport to write the base should just write it
> > > only. It shouldn't have magic optimizations to change the index.
> > >
> > > Make the index explicitly changed from the caller, instead of including
> > > the code in the helpers.
> > >
> > > Subsequently, the task write helpers do not handle for the current task
> > > anymore. The range check for a base value is also factored out, to
> > > minimize code redundancy from the caller.
> > >
> > > v2: Fix further on the task write functions. Revert the changes on the
> > > task read helpers.
> > >
> > > v3: Fix putreg(). Edit the changelog.
> > >
> > > v4: Update the task write helper functions and do_arch_prctl_64(). Fix
> > > the comment in putreg().
> > >
> > > v5: Fix preempt_disable() calls in do_arch_prctl_64()
> >
> > Reviewed-by: Andy Lutomirski <luto@...nel.org>
> >
> > Ingo, Thomas: can we get this in x86/urgent, please?
>
> Sadly this commit introduced a boot failure on both an Intel and an AMD
> 64-bit testbox.
>
> Symptoms range from silent bootup hang in early userspace to segfaults
> like this:
>
> [ 21.885741] random: systemd: uninitialized urandom read (16 bytes read)
> [ 21.964778] systemd[1]: segfault at 28 ip 00005584d8d8247d sp 00007ffc7a05aed0 error 4 in systemd[5584d8d0d000+137000]
> [ 21.977664] Code: c3 4c 89 ff e8 94 78 fa ff eb bb 48 89 c3 eb f1 00 00 00 00 00 00 00 00 00 00 00 00 00 41 55 41 54 55 53 48 89 fd 48 83 ec 28 <64> 48 8b 04 25 28 00 00 00 48 89 44 24 18 31 c0 48 85 ff 74 6e 48
> [ 22.000004] systemd[1]: segfault at 28 ip 00005584d8db0a3d sp 00007ffc7a05a7e0 error 4 in systemd[5584d8d0d000+137000]
> [ 22.012869] Code: 49 89 e9 ba 67 01 00 00 bf 04 00 00 00 31 c0 e8 c9 1c 03 00 59 31 c0 5e e9 ff fa ff ff 41 54 55 53 89 fb 48 81 ec 40 01 00 00 <64> 48 8b 04 25 28 00 00 00 48 89 84 24 38 01 00 00 31 c0 e8 fb 92
>
> I've zapped the commit from x86/urgent because it's clearly not ready
> yet.
>
> I used a fairly regular distro .config and a fairly regular distro -
> nothing fancy.
>
I can reproduce it. Off the top of my head, maybe 0day is using a
different, weird glibc configuration? I think it runs some ancient
version of Yocto.
And I think I've almost root-caused the problem, and I think it's a
preexisting bug exposed by this patch. Lemme double-check and I'll
send a fix.
Powered by blists - more mailing lists