Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS

To: Luis Henriques <luis.henriques@canonical.com>
Cc: kernel-team@lists.ubuntu.com, Ben Hutchings <ben@decadent.org.uk>, Moritz Muehlenhoff <jmm@debian.org>, debian-kernel@lists.debian.org, debian-lts@lists.debian.org
Subject: Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 6 Dec 2014 18:13:08 +0100
Message-id: <[🔎] 20141206171308.GA3629@1wt.eu>
In-reply-to: <[🔎] 20141205152101.GB7690@hercules>
References: <[🔎] 1417787507-15347-1-git-send-email-luis.henriques@canonical.com> <[🔎] 20141205135726.GA10684@1wt.eu> <[🔎] 20141205152101.GB7690@hercules>

Hi Luis,

On Fri, Dec 05, 2014 at 03:21:01PM +0000, Luis Henriques wrote:
> Your backport of commit 6f442be2fb22 ("x86_64, traps: Stop using IST
> for #SS") seems to be identical to mine, but I'm unable to confirm
> that it is sufficient to fix the security issue.

If that can help, I just found that this public test code from Andy
is sufficient to test the backports :

   https://gitorious.org/linux-test-utils/linux-clock-tests/raw/sigreturn.c

On a plain 2.6.32.64 (x86_64), running the code above built with -m32
kills the kernel, probably from a triple fault since I'm not seeing
any panic message and it immediately reboots :

	$ /tmp/sigreturn 
	[RUN]   
	=> reboot

On the patched kernel :

	$ /tmp/sigreturn 
	[RUN]   64-bit CS (33), 32-bit SS (2b)
		SP: 5aadc0de -> 5aadc0de
	[OK]    all registers okay
	[RUN]   32-bit CS (23), 32-bit SS (2b)
		SP: 5aadc0de -> 5aadc0de
	[OK]    all registers okay
	[RUN]   16-bit CS (7), 32-bit SS (2b)
		SP: 5aadc0de -> 5aadc0de
	[OK]    all registers okay
	[RUN]   64-bit CS (33), 16-bit SS (f)
		SP: 5aadc0de -> 5aadc0de
	[OK]    all registers okay
	[RUN]   32-bit CS (23), 16-bit SS (f)
		SP: 5aadc0de -> 5aadc0de
	[OK]    all registers okay
	[RUN]   16-bit CS (7), 16-bit SS (f)
		SP: 5aadc0de -> 5aadc0de
	[OK]    all registers okay
	[RUN]   64-bit CS (33), bogus SS (17)
	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
	[RUN]   32-bit CS (23), bogus SS (17)
	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
	[RUN]   16-bit CS (7), bogus SS (17)
	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
	[RUN]   64-bit CS (33), bogus SS (23)
	[OK]    Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
	[RUN]   32-bit CS (23), bogus SS (23)
	[OK]    Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
	[RUN]   16-bit CS (7), bogus SS (23)
	[OK]    Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
	[RUN]   32-bit CS (1f), bogus SS (2b)
	[OK]    Got #NP(0x1c) (i.e. LDT index 3, Bus error)
	[RUN]   32-bit CS (23), bogus SS (27)
	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
	$

Hoping this helps. BTW, I'm about to issue -rc1 which includes the
last series of patches as well as the other CVE fixes that you and
Moritz sent me.

Best regards,
Willy

Reply to:

Follow-Ups:
- Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Luis Henriques <luis.henriques@canonical.com>

References:
- [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Luis Henriques <luis.henriques@canonical.com>
- Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Willy Tarreau <w@1wt.eu>
- Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Luis Henriques <luis.henriques@canonical.com>

Prev by Date: Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Next by Date: Re: [Precise][CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Previous by thread: Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Next by thread: Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Index(es):
- Date
- Thread