Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS

To: Willy Tarreau <w@1wt.eu>
Cc: kernel-team@lists.ubuntu.com, Ben Hutchings <ben@decadent.org.uk>, Moritz Muehlenhoff <jmm@debian.org>, debian-kernel@lists.debian.org, debian-lts@lists.debian.org
Subject: Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
From: Luis Henriques <luis.henriques@canonical.com>
Date: Mon, 8 Dec 2014 11:36:56 +0000
Message-id: <[🔎] 20141208113656.GD7491@hercules>
In-reply-to: <[🔎] 20141206171308.GA3629@1wt.eu>
References: <[🔎] 1417787507-15347-1-git-send-email-luis.henriques@canonical.com> <[🔎] 20141205135726.GA10684@1wt.eu> <[🔎] 20141205152101.GB7690@hercules> <[🔎] 20141206171308.GA3629@1wt.eu>

On Sat, Dec 06, 2014 at 06:13:08PM +0100, Willy Tarreau wrote:
> Hi Luis,
> 
> On Fri, Dec 05, 2014 at 03:21:01PM +0000, Luis Henriques wrote:
> > Your backport of commit 6f442be2fb22 ("x86_64, traps: Stop using IST
> > for #SS") seems to be identical to mine, but I'm unable to confirm
> > that it is sufficient to fix the security issue.
> 
> If that can help, I just found that this public test code from Andy
> is sufficient to test the backports :
> 
>    https://gitorious.org/linux-test-utils/linux-clock-tests/raw/sigreturn.c
> 

Thank you for pointing me at this.  I'll see if I can reproduce with a
Lucid kernel and test the backports.

Cheers,
--
Luís

> On a plain 2.6.32.64 (x86_64), running the code above built with -m32
> kills the kernel, probably from a triple fault since I'm not seeing
> any panic message and it immediately reboots :
> 
> 	$ /tmp/sigreturn 
> 	[RUN]   
> 	=> reboot
> 
> On the patched kernel :
> 
> 	$ /tmp/sigreturn 
> 	[RUN]   64-bit CS (33), 32-bit SS (2b)
> 		SP: 5aadc0de -> 5aadc0de
> 	[OK]    all registers okay
> 	[RUN]   32-bit CS (23), 32-bit SS (2b)
> 		SP: 5aadc0de -> 5aadc0de
> 	[OK]    all registers okay
> 	[RUN]   16-bit CS (7), 32-bit SS (2b)
> 		SP: 5aadc0de -> 5aadc0de
> 	[OK]    all registers okay
> 	[RUN]   64-bit CS (33), 16-bit SS (f)
> 		SP: 5aadc0de -> 5aadc0de
> 	[OK]    all registers okay
> 	[RUN]   32-bit CS (23), 16-bit SS (f)
> 		SP: 5aadc0de -> 5aadc0de
> 	[OK]    all registers okay
> 	[RUN]   16-bit CS (7), 16-bit SS (f)
> 		SP: 5aadc0de -> 5aadc0de
> 	[OK]    all registers okay
> 	[RUN]   64-bit CS (33), bogus SS (17)
> 	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
> 	[RUN]   32-bit CS (23), bogus SS (17)
> 	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
> 	[RUN]   16-bit CS (7), bogus SS (17)
> 	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
> 	[RUN]   64-bit CS (33), bogus SS (23)
> 	[OK]    Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
> 	[RUN]   32-bit CS (23), bogus SS (23)
> 	[OK]    Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
> 	[RUN]   16-bit CS (7), bogus SS (23)
> 	[OK]    Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
> 	[RUN]   32-bit CS (1f), bogus SS (2b)
> 	[OK]    Got #NP(0x1c) (i.e. LDT index 3, Bus error)
> 	[RUN]   32-bit CS (23), bogus SS (27)
> 	[OK]    Got #GP(0x0) (i.e. Segmentation fault)
> 	$
> 
> Hoping this helps. BTW, I'm about to issue -rc1 which includes the
> last series of patches as well as the other CVE fixes that you and
> Moritz sent me.
> 
> Best regards,
> Willy
>

Reply to:

References:
- [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Luis Henriques <luis.henriques@canonical.com>
- Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Willy Tarreau <w@1wt.eu>
- Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Luis Henriques <luis.henriques@canonical.com>
- Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
  - From: Willy Tarreau <w@1wt.eu>

Prev by Date: Re: [Precise][CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Next by Date: Re: [Precise][CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Previous by thread: Re: [CVE-2014-9090] x86_64, traps: Stop using IST for #SS
Next by thread: Re: [SECURITY] [DLA 103-1] linux-2.6 security update
Index(es):
- Date
- Thread