linux-kernel.vger.kernel.org archive mirror
From: Pavel Machek <pavel@suse.cz>
To: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: Linux Kernel List <linux-kernel@vger.kernel.org>
Subject: Re: [BROKEN PATCH] syscalls leak data via registers?
Date: Thu, 7 Aug 2003 12:30:43 +0200
Message-ID: <20030807103043.GB211@elf.ucw.cz>
In-Reply-To: <1059815183.18860.55.camel@ixodes.goop.org>

Hi!

> It looks to me like the syscall calling convention, on x86 at least,
> leaks kernel data out via the registers.
[scary stuff]
> When sys_foo returns, the value of %ebx has been changed to 77 on the
> stack, so when it returns to user-mode, the whole world can see that
> arg1 was assigned 77 at some point.
> 
> It seems to me the bug is in restoring the register values on return to
> user-mode.  As I understand it, the x86 ABI says that the called
> function owns the stack memory which contains the function's arguments,
> so it is completely within gcc's right to reuse the memory as spill
> space (or anything else) when generating code for that function. 
> Therefore, the code in entry.S should not restore those values to
> registers - it should just trash all the registers (except %eax, of
> course) before returning.
> 
> I tried writing a patch which replaces the RESTORE_ALL with the
> equivalent which simply skips %esp over the other registers, pops %eax
> and then assigns it to %ebx-%ebp (it makes as good a trash value as
> any), but this crashes when calibrating the delay loop.  Hm, looks like
> the RESTORE_ALL on the syscall return path is also used by the interrupt
> return path - that probably shouldn't trash registers.

I believe userspace depends on registers being preserved over a system
call, except for eax. So what you found is not only a security problem,
but also a crasher bug.
								Pavel

-- 
When do you have a heart between your knees?
[Johanka's followup: and *two* hearts?]

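A constructed C model of the aliasing Jeremy describes and of a dispatcher that avoids it; this is an added example, not code from the kernel or from anyone in the thread. The frame layout, `sys_foo`, `leaky_dispatch` and `safe_dispatch` are all stand-ins: a real handler receives its arguments by value and the compiler reuses their stack slots, so here the handler takes a pointer to its argument area to make that reuse explicit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_INTERNAL 77u  /* the "77" of the report: a value sys_foo computes */

/* Constructed model of the register frame the i386 entry code pushes on
 * syscall entry and reloads with RESTORE_ALL before returning to user mode. */
enum { EBX, ECX, EDX, ESI, EDI, EBP, EAX, NREGS };
struct frame { uint32_t r[NREGS]; };

/* Model handler. Under the i386 stack ABI the callee owns its argument slots,
 * so gcc may legally spill an internal value into arg1's slot. The handler
 * takes a pointer to its argument area to make that reuse explicit. */
static uint32_t sys_foo(uint32_t *args)
{
    uint32_t result = args[0] + args[1];
    args[0] = KERNEL_INTERNAL;   /* compiler-style reuse of arg1's stack slot */
    return result;
}

/* Leaky path: the argument area is the saved frame itself, so what sys_foo
 * wrote into arg1 is reloaded into %ebx. Returns the %ebx userspace sees. */
uint32_t leaky_dispatch(struct frame *regs)
{
    regs->r[EAX] = sys_foo(&regs->r[EBX]);
    return regs->r[EBX];
}

/* Hardened path: the handler gets a private copy of the arguments and user
 * registers are restored from the untouched frame, so %ebx comes back as the
 * caller set it (the preservation Pavel says userspace relies on). */
uint32_t safe_dispatch(struct frame *regs)
{
    uint32_t args[6];                 /* ebx..ebp: the six argument registers */
    memcpy(args, regs->r, sizeof args);
    regs->r[EAX] = sys_foo(args);
    return regs->r[EBX];
}

int main(void)
{
    struct frame a = { { 1, 2 } }, b = { { 1, 2 } };  /* user set ebx=1, ecx=2 */
    uint32_t ebx = leaky_dispatch(&a);
    printf("leaky:    ebx=%u eax=%u\n", ebx, a.r[EAX]);
    ebx = safe_dispatch(&b);
    printf("hardened: ebx=%u eax=%u\n", ebx, b.r[EAX]);
    return 0;
}
```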
Thread overview:
2003-08-02  9:06 [BROKEN PATCH] syscalls leak data via registers? Jeremy Fitzhardinge
2003-08-07 10:30 ` Pavel Machek [this message]
2003-08-07 15:11   ` Jeremy Fitzhardinge
2003-08-07 15:55     ` Richard B. Johnson
2003-08-07 20:31     ` Pavel Machek
