Andrea Arcangeli wrote:
>
> On Sat, Nov 04, 2000 at 10:50:00AM +1100, Gareth Hughes wrote:
> > if ( HAVE_FXSR ) {
> > if ( __copy_from_user( &tsk->thread.i387.fxsave, (void *)buf,
> > sizeof(struct user_fxsr_struct) ) )
> > return -EFAULT;
> > /* bit 6 and 31-16 must be zero for security reasons */
> > tsk->thread.i387.fxsave.mxcsr &= 0x0000ffbf;
> > return 0;
> > }
>
> The above doesn't fix the security problem. Put the last byte of the userspace
> structure on an unmapped page and it will return -EFAULT lefting the invalid
> mxcsr value that will corrupt the FPU again.
>
> The right version of the above is just in linux mailbox.
>
> The reason I did it more complex at first is because I wanted to go safe,
> I wasn't sure if somebody could SIGCONT the traced task while we was copying
> the data so introducing a race where it was still possible to exploit
> the bug; but as Linus pointed out to me the loop in do_signal prevents that, so
> we can do only one large copy and then fixup (fixing up also in the -EFAULT
> case of course).
Yes, we can certainly mask out the mxcsr value in both cases. I just
think this makes the code a lot simpler and cleaner as a result - three
partial copies seems over the top.
-- Gareth
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Nov 07 2000 - 21:00:15 EST