| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHk-=wgqRgk0hjvpjHNixK7xSOS_F3fpt3bL9ZUJVhCL3oGgyw@mail.gmail.com>
Date: Sun, 31 Jan 2021 15:35:22 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Kyle Huey <me@...ehuey.com>
Cc: Andy Lutomirski <luto@...capital.net>,
Thomas Gleixner <tglx@...utronix.de>,
Andy Lutomirski <luto@...nel.org>,
Gabriel Krisman Bertazi <krisman@...labora.com>,
open list <linux-kernel@...r.kernel.org>,
"Robert O'Callahan" <rocallahan@...il.com>
Subject: Re: [REGRESSION] x86/entry: TIF_SINGLESTEP handling is still broken
On Sun, Jan 31, 2021 at 3:18 PM Kyle Huey <me@...ehuey.com> wrote:
>
> The key to triggering this bug is to enter a ptrace syscall stop and
> then use PTRACE_SINGLESTEP to exit it. On a good kernel this will not
> result in any userspace code execution in the tracee because on the
> way out of the kernel's syscall handling path the singlestep trap will
> be raised immediately. On a bad kernel that stop will not be raised,
> and in the example below, the program will crash.
Thanks, great explanation, and I can certainly see the behavior you mention.
I wonder if the simple solution is to just
(a) always set one of the SYSCALL_WORK_EXIT bits on the child in
ptrace (exactly to catch the child on system call exit)
(b) basically revert 299155244770 ("entry: Drop usage of TIF flags in
the generic syscall code") and have the syscall exit code check the
TIF_SINGLESTEP flag
Hmm?
Linus
Powered by blists - more mailing lists