On Sat, Dec 06, 2014 at 06:13:08PM +0100, Willy Tarreau wrote:
> Hi Luis,
>
> On Fri, Dec 05, 2014 at 03:21:01PM +0000, Luis Henriques wrote:
> > Your backport of commit 6f442be2fb22 ("x86_64, traps: Stop using IST
> > for #SS") seems to be identical to mine, but I'm unable to confirm
> > that it is sufficient to fix the security issue.
>
> If that can help, I just found that this public test code from Andy
> is sufficient to test the backports :
>
> https://gitorious.org/linux-test-utils/linux-clock-tests/raw/sigreturn.c
>

Thank you for pointing me at this. I'll see if I can reproduce with a
Lucid kernel and test the backports.

Cheers,
--
Luís

> On a plain 2.6.32.64 (x86_64), running the code above built with -m32
> kills the kernel, probably from a triple fault since I'm not seeing
> any panic message and it immediately reboots :
>
> $ /tmp/sigreturn
> [RUN]
> => reboot
>
> On the patched kernel :
>
> $ /tmp/sigreturn
> [RUN] 64-bit CS (33), 32-bit SS (2b)
> SP: 5aadc0de -> 5aadc0de
> [OK] all registers okay
> [RUN] 32-bit CS (23), 32-bit SS (2b)
> SP: 5aadc0de -> 5aadc0de
> [OK] all registers okay
> [RUN] 16-bit CS (7), 32-bit SS (2b)
> SP: 5aadc0de -> 5aadc0de
> [OK] all registers okay
> [RUN] 64-bit CS (33), 16-bit SS (f)
> SP: 5aadc0de -> 5aadc0de
> [OK] all registers okay
> [RUN] 32-bit CS (23), 16-bit SS (f)
> SP: 5aadc0de -> 5aadc0de
> [OK] all registers okay
> [RUN] 16-bit CS (7), 16-bit SS (f)
> SP: 5aadc0de -> 5aadc0de
> [OK] all registers okay
> [RUN] 64-bit CS (33), bogus SS (17)
> [OK] Got #GP(0x0) (i.e. Segmentation fault)
> [RUN] 32-bit CS (23), bogus SS (17)
> [OK] Got #GP(0x0) (i.e. Segmentation fault)
> [RUN] 16-bit CS (7), bogus SS (17)
> [OK] Got #GP(0x0) (i.e. Segmentation fault)
> [RUN] 64-bit CS (33), bogus SS (23)
> [OK] Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
> [RUN] 32-bit CS (23), bogus SS (23)
> [OK] Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
> [RUN] 16-bit CS (7), bogus SS (23)
> [OK] Got #GP(0x20) (i.e. GDT index 4, Segmentation fault)
> [RUN] 32-bit CS (1f), bogus SS (2b)
> [OK] Got #NP(0x1c) (i.e. LDT index 3, Bus error)
> [RUN] 32-bit CS (23), bogus SS (27)
> [OK] Got #GP(0x0) (i.e. Segmentation fault)
> $
>
> Hoping this helps. BTW, I'm about to issue -rc1 which includes the
> last series of patches as well as the other CVE fixes that you and
> Moritz sent me.
>
> Best regards,
> Willy
>

Archive: https://lists.debian.org/20141208113656.GD7491@hercules
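
For reading the quoted test output when checking a backport: the CS/SS values and the `#GP`/`#NP` error codes follow the x86 selector layout, which the sketch below decodes. This is an added example, not part of the original message or of sigreturn.c; the struct and function names are hypothetical, and the sample values are copied from the output above.

```c
#include <stdio.h>
#include <stdint.h>

/* Fields of an x86 segment selector (the CS/SS values in the [RUN] lines). */
struct selector {
    unsigned index;  /* descriptor table index, bits 15..3 */
    int ldt;         /* TI, bit 2: 0 = GDT, 1 = LDT */
    unsigned rpl;    /* requested privilege level, bits 1..0 */
};

/* Fields of the selector-style error code pushed with #GP/#NP/#SS. */
struct sel_error {
    unsigned index;  /* bits 15..3 */
    int ext;         /* bit 0: fault caused by an external event */
    int idt;         /* bit 1: index refers to the IDT */
    int ldt;         /* bit 2: TI, meaningful only when idt == 0 */
};

struct selector decode_selector(uint16_t sel)
{
    struct selector s = { sel >> 3, (sel >> 2) & 1, sel & 3 };
    return s;
}

struct sel_error decode_error(uint16_t code)
{
    struct sel_error e = { code >> 3, code & 1, (code >> 1) & 1, (code >> 2) & 1 };
    return e;
}

int main(void)
{
    /* Values copied from the quoted test output. */
    static const uint16_t sels[] = { 0x33, 0x23, 0x2b, 0x7, 0xf, 0x17, 0x1f, 0x27 };
    static const uint16_t errs[] = { 0x0, 0x20, 0x1c };
    size_t i;

    for (i = 0; i < sizeof sels / sizeof sels[0]; i++) {
        struct selector s = decode_selector(sels[i]);
        printf("selector 0x%02x: %s index %u, RPL %u\n",
               (unsigned)sels[i], s.ldt ? "LDT" : "GDT", s.index, s.rpl);
    }
    for (i = 0; i < sizeof errs / sizeof errs[0]; i++) {
        struct sel_error e = decode_error(errs[i]);
        printf("error code 0x%02x: %s index %u, EXT %d\n", (unsigned)errs[i],
               e.idt ? "IDT" : (e.ldt ? "LDT" : "GDT"), e.index, e.ext);
    }
    return 0;
}
```

Decoded this way, `#GP(0x20)` names GDT index 4 and `#NP(0x1c)` names LDT index 3, matching the annotations the test prints on the patched kernel.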