Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Hi Luis,
On Fri, Dec 05, 2014 at 03:21:01PM +0000, Luis Henriques wrote:
> Your backport of commit 6f442be2fb22 ("x86_64, traps: Stop using IST
> for #SS") seems to be identical to mine, but I'm unable to confirm
> that it is sufficient to fix the security issue.
If that can help, I just found that this public test code from Andy
is sufficient to test the backports :
https://gitorious.org/linux-test-utils/linux-clock-tests/raw/sigreturn.c
On a plain 2.6.32.64 (x86_64), running the code above built with -m32
kills the kernel, probably from a triple fault since I'm not seeing
any panic message and it immediately reboots :
$ /tmp/sigreturn
[RUN]
=> reboot
On the patched kernel :
$ /tmp/sigreturn
[RUN] 64-bit CS (33), 32-bit SS (2b)
SP: 5aadc0de -> 5aadc0de
[OK] all registers okay
[RUN] 32-bit CS (23), 32-bit SS (2b)
SP: 5aadc0de -> 5aadc0de
[OK] all registers okay
[RUN] 16-bit CS (7), 32-bit SS (2b)
SP: 5aadc0de -> 5aadc0de
[OK] all registers okay
[RUN] 64-bit CS (33), 16-bit SS (f)
SP: 5aadc0de -> 5aadc0de
[OK] all registers okay
[RUN] 32-bit CS (23), 16-bit SS (f)
SP: 5aadc0de -> 5aadc0de
[OK] all registers okay
[RUN] 16-bit CS (7), 16-bit SS (f)
SP: 5aadc0de -> 5aadc0de
[OK] all registers okay
[RUN] 64-bit CS (33), bogus SS (17)
[OK] Got #GP(0x0) (i.e. Segmentation fault)
[RUN] 32-bit CS (23), bogus SS (17)
[OK] Got #GP(0x0) (i.e. Segmentation fault)
[RUN] 16-bit CS (7), bogus SS (17)
[OK] Got #GP(0x0) (i.e. Segmentation fault)
[RUN] 64-bit CS (33), bogus SS (23)
[OK] Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
[RUN] 32-bit CS (23), bogus SS (23)
[OK] Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
[RUN] 16-bit CS (7), bogus SS (23)
[OK] Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
[RUN] 32-bit CS (1f), bogus SS (2b)
[OK] Got #NP(0x1c) (i.e. LDT index 3, Bus error)
[RUN] 32-bit CS (23), bogus SS (27)
[OK] Got #GP(0x0) (i.e. Segmentation fault)
$
Hoping this helps. BTW, I'm about to issue -rc1 which includes the
last series of patches as well as the other CVE fixes that you and
Moritz sent me.
Best regards,
Willy
Reply to: