Re: [PATCH REPOST^3] Run IST traps from user mode preemptive on process stack

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Andi Kleen <andi@...>

To: Thomas Gleixner <tglx@...>

Cc: <mingo@...>, <linux-kernel@...>, <jkosina@...>, <zdenek.kabelac@...>

Subject: Re: [PATCH REPOST^3] Run IST traps from user mode preemptive on process stack

Date: Tuesday, May 6, 2008 - 9:03 am

Thomas Gleixner <tglx@linutronix.de> writes:

quoted text> On Fri, 2 May 2008, Andi Kleen wrote:
>> [Fixes a bug originally introduced in 2.6.23 I think. Reposted many times
>> so far, but still not applied. Please apply.]
>
> The print_vma_addr() bug was introduced by commit 03252919 (by you) in
> the 2.6.25 merge window and we fixed it before 25-rc2 via commit e8bff74a.

Well it was worked around, not properly fixed. This patch fixes it properly.
The problem of the original workaround is that it wouldn't print the vma
now in many cases because it couldn't take the semaphore.

The workaround was right back then because it was shortly before 
the release, but it was always a ward that needed fixing properly.

I believe it was a good idea anyways because there were always 
some possible problems with not being able to sleep in these 
exception handlers.

quoted text>
> This introduces two security bugs in one go:
>
> 1.) The IST stack pointer is elevated unconditionaly and with your
> change we can now schedule away in the handler. 

Yes, but that's fine.

quoted text> this same CPU triggers the same trap and elevates it again.

That's not possible generally. None of these interrupts can
nest in a normal kernel.

Do you refer to the DEBUG_STACK ist add/dec? That is not needed
for anything in tree to my knowledge. 

quoted text> 2.) The IST stack pointer is unbalanced in the other direction as well:
> it is incremented on CPUn then the handler is scheduled away and migrated
> to CPUm. After return from the handler the IST stacks of both CPUs are
> corrupted. Exploitable by unprivileged user-space code as well.

The IST is restored again after the handler. You're right that strictly
wouldn't be needed and could be avoided, but i don't think it's exploitable
in any ways.

Regarding user controlled pt_regs: I think you're forgetting that
x86-64 doesn't have vm86 mode and that we can always trust pt_regs
segment indexes. On i386 you would be right, but not here.

-Andi
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH REPOST^3] Run IST traps from user mode preemptive on ..., Andi Kleen, (Fri May 2, 5:19 am)

Re: [PATCH REPOST^3] Run IST traps from user mode preemptive..., Thomas Gleixner, (Tue May 6, 8:31 am)

Re: [PATCH REPOST^3] Run IST traps from user mode preemptive..., Andi Kleen, (Tue May 6, 9:03 am)

Re: [PATCH REPOST^3] Run IST traps from user mode preemptive..., Ingo Molnar, (Tue May 6, 10:41 am)

Re: [PATCH REPOST^3] Run IST traps from user mode preemptive..., Ingo Molnar, (Tue May 6, 10:39 am)

Re: [PATCH REPOST^3] Run IST traps from user mode preemptive..., Ingo Molnar, (Tue May 6, 10:34 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Alan Cox	[PATCH 00/76] Queued TTY Patches
Nick Piggin	[patch 1/6] mm: debug check for the fault vs invalidate race
Andi Kleen	[PATCH] [1/22] x86_64: dma_ops as const
Linus Torvalds	Linux 2.6.27-rc8
git:
Jeff King	Re: What's cooking in git/spearce.git (topics)
Jeff King	Re: [RFC] origin link for cherry-pick and revert
Matt Seitz (matseitz)	Symbolic link documentation
Jon Smirl	Huge win, compressing a window of delta runs as a unit
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Leon Dippenaar	New tcp stack attack
Nuno Magalhães	Can't scp, ssh is slow to authenticate.
Brandon Lee	DELL PERC 5iR slow performance
linux-netdev:
KOSAKI Motohiro	[bug?] tg3: Failed to load firmware "tigon/tg3_tso.bin"
Denys Vlasenko	Re: bnx2 dirver's firmware images
Pavel Emelyanov	[PATCH 0/8] Cleanup/fix the sk_alloc() call
Kok, Auke	Re: [PATCH] drivers/net: remove network drivers' last few uses of IRQF_SAMPLE_RANDOM

Latest forum posts


usb mic not detected	2 hours ago	Applications and Utilities
linux-2.6.10	3 hours ago	Linux kernel
How to detect usb device insertioin and removal event ?	6 hours ago	Linux general
Extended configuration Read/Write	6 hours ago	Windows
Add ext2 inode field	16 hours ago	Linux kernel
the kernel how to power off the machine	1 day ago	Linux kernel
struct gendisk via request_queue	1 day ago	Linux kernel
page initialization during kernel initialization	2 days ago	Linux kernel
Read Transport Layer Data form network packets (tcp/ip)	2 days ago	Linux kernel
Getting blinking screen in Fedora 9	3 days ago	Linux general

Show all forums...

Recent Tags

quote Linus Torvalds 2.6.27-rc8 Intel -rc8 bugs -rc Linux 2.6.27

more tags

Colocation donated by:

Online users

Syndicate