On Thu, Jul 24, 2008 at 11:31:42AM -0700, Linus Torvalds wrote:
quoted text
> 
> 
> On Thu, 24 Jul 2008, Suresh Siddha wrote:
> >
> > In the error condition for restore_fpu_checking() (especially during
> > the 64bit signal return), we are doing init_fpu(), which saves the live
> > FPU register state (possibly belonging to some other process context) into the
> > thread struct (through unlazy_fpu() in init_fpu()). This is wrong and can leak
> > the FPU data.
> >
> > Remove the unlazy_fpu() from the init_fpu(). init_fpu() will now always
> > init the FPU data in the thread struct. For the error conditions in
> > restore_fpu_checking(), restore the initialized FPU data from the thread
> > struct.
> 
> Why? The thread struct is guaranteed to contain pointless data.

init_fpu() will set it to sane init state, from where we can restore.

quoted text
> If we cannot restore the FP state from the signal stack, we should not try
> to restore it from anywhere _else_ either, since nowhere else will have
> any better results.
> 
> I suspect we should just reset the x87 state (which was the _intention_ of
> the code), possibly by just doing "stts + used_math = 0". The signal
> handling code already checks for errors, and will force a SIGSEGV if this
> ever happens.

Yes, this was what I had in mind earlier and should be ok for signal handling
case. But as you also noted below:

quoted text
> (Yes, there is also a restore_fpu_checking() in math_state_restore(), but
> that one _already_ uses &current->thread.xstate->fxsave as the buffer to
> restore from, so trying to do that _again_ when it fails seems to be
> really really wrong - we already _did_ that, and that was what failed to
> begin with)

We are doing init_fpu(), which should make the data sane again.

This is a paranoid case, just to make sure that the next
math_state_restore()  doesn't cause #GP, after someone sets illegal values
through ptrace() or 32bit signal handling (which modifies fpu state in thread
struct). I say paranoid, because we already do the necessary checks
in the corresponding locations like ptrace/32-bit signal handling.

If we don't do init_fpu() + restore from the sane init state, process has
to be killed, in the paranoid failing scenario of math_state_restore()

thanks,
suresh
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/