Re: Possible bug in arch/i386/kernel/process.c for reloading of debug registers (DRx)?

From: Jamie Lokier (
Date: Sat Feb 08 2003 - 14:31:49 EST

Andi Kleen wrote:
> > What if DRx contains sensitive data? ...Its probably pretty
> > unlikely. Still it allows for example easy communication between tasks
> > that should not be able to communicate.
> The user never sees the stale value, it is eaten by the kernel's do_debug
> handler.

DR6 isn't cleared. Here is a nice security exploit for you:

        - Task A sets DR0 and DR7 to enable a watchpoint (or breakpoint).
        - It also clears DR6.
        - Task A wakes up task B, which has DR7 clear.
        - Task A then communicates with "sshd" or some other sensitive task.

        - Because of lazy DR7 clearing, sshd inherits the watchpoints.
        - If sshd reads the memory address mentioned in DR0, it will
          call do_debug in the kernel, which clears DR7 and continues.
        - However, DR6 bit B0 is now set.

        - Eventually task B is scheduled. It inherits the value of DR6
          from sshd, and therefore knows if sshd read from a particular
          memory location.

        - Task A and task B cooperate to analyse what values sshd is
          examining in its lookup tables, and therefore retrieve the
          server key or something. (Hand waving at this point).

-- Jamie
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sat Feb 15 2003 - 22:00:20 EST