| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Aug 2008 10:59:40 -0700 From: Suresh Siddha <suresh.b.siddha@...el.com> To: Herbert Xu <herbert@...dor.apana.org.au> Cc: "Siddha, Suresh B" <suresh.b.siddha@...el.com>, "H. Peter Anvin" <hpa@...or.com>, Wolfgang Walter <wolfgang.walter@...m.de>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...e.hu>, "viro@...IV.linux.org.uk" <viro@...IV.linux.org.uk>, "vegard.nossum@...il.com" <vegard.nossum@...il.com> Subject: Re: Kernel oops with 2.6.26, padlock and ipsec: probably problem with fpu state changes On Sat, Aug 09, 2008 at 07:37:27AM -0700, Herbert Xu wrote: > On Fri, Aug 08, 2008 at 04:11:21PM -0700, Suresh Siddha wrote: > > > > With out the recent dynamic fpu allocation changes, while we don't see oops, > > there is a possible race still present in older kernels(for example, > > while kernel is using kernel_fpu_begin() in some optimized clear/copy > > page and an interrupt/softirq happens which uses these padlock > > instructions generating DNA fault). > > No this wasn't a problem because kernel_fpu_begin clears TS and > therefore we don't get faults on SSE instructions. > > However, with your patch it will become a problem due to the > fact that it wasn't designed to be nested. No. Here is the case that can fail on 2.6.25 aswell. 0. CPU's TS flag is set 1. kernel using FPU in some optimized copy routine and while doing kernel_fpu_begin() takes an interrupt just before doing clts() 2. Takes an interrupt and ipsec uses padlock instruction. And we take a DNA fault as TS flag is still set. 3. We handle the DNA fault and set TS_USEDFPU and clear cr0.ts 4. We complete the padlock routine 5. Go back to step-1, which resumes clts() in kernel_fpu_begin(), finishes the optimized copy routine and does kernel_fpu_end(). At this point, we have cr0.ts again set to '1' but the task's TS_USEFPU is stilll set and not cleared. 6. Now kernel resumes its user operation. And at the next context switch, kernel sees it has do a FP save as TS_USEDFPU is still set and then will do a unlazy_fpu() in __switch_to(). unlazy_fpu() will take a DNA fault, as cr0.ts is '1' and now, because we are in __switch_to(), math_state_restore() will get confused and will restore the next task's FP state and will save it in prev tasks's FP state. Remember, in __switch_to() we are already on the stack of the next task but take a DNA fault for the prev task. This causes the fpu leakage. We didn't encounter this so far on via platforms because we don't have any optimized routines that use FP/SSE in the kernel? thanks, suresh -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists