Re: Do x86 NX and AMD prefetch check cause page fault infinite loop?

From: Ingo Molnar
Date: Wed Jun 30 2004 - 00:54:00 EST
* Jamie Lokier <jamie@xxxxxxxxxxxxx> wrote:

> But... what if the page is not executable? When NX is enabled on
> 32-bit x86, and all x86-64 kernels, or even the exec-shield patch's
> changes to the USER_CS limit (that limit isn't checked in
> __is_prefetch) - those conditions all allow __is_prefetch() to read a
> prefetch instruction, cause the fault handler to return, and repeat.
>
> This can only happen when something branches to a page with PROT_EXEC
> _not_ set, on a kernel which honours that, and the target address is a
> prefetch instruction.
>
> That can happen due to malicious code, a programming error, or
> corruption.
>
> The behaviour in such cases _should_ be SIGSEGV due to lack of execute
> permission. However, I think the behaviour will be an infinite loop.
>
> I haven't tested this as I don't have the hardware for NX, and don't
> want to apply the non-NX exec-shield or PaX patches on a working
> Athlon box.
>
> Can anyone confirm this is a real bug, or that it isn't and I missed
> the reason why not?

i understand what you mean, but for this to trigger one would have to
trigger the prefetch erratum _and_ then turn off executability in
parallel, right? So the question is, is there a reliable way to trigger
the pagefault situation, and if yes, how do you turn on NX - because
right before the fault the instruction had to be executable.

Ingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
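The loop Jamie describes, and the condition Ingo is asking about, can be modelled in a few lines. The following is an added illustration written for this page, not code from the Linux fault handler: a toy NX-aware CPU that fetches one instruction, a "naive" handler that mirrors the behaviour described above (decode the bytes at the faulting ip, and if they are a prefetch, return and let the CPU retry), and a "checked" handler that refuses the prefetch exemption when the CPU reports the fault as an instruction fetch. Assumptions: the PF_INSTR bit is x86's error-code bit 4 (set on NX instruction-fetch faults), the opcodes 0F 0D and 0F 18 stand in for the prefetch forms a real decoder would recognise, prefix handling is omitted, and the page layout, handler names and the checked variant are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the situation in the thread, not kernel code. */
#define PROT_READ  0x1
#define PROT_EXEC  0x4
#define PF_INSTR   0x10   /* x86 #PF error-code bit 4: fault was an instruction fetch (NX) */
#define PAGE_SIZE  16

struct page  { uint8_t bytes[PAGE_SIZE]; int prot; };
struct fault { uintptr_t ip; unsigned error_code; };
enum action  { FAULT_RETRY, FAULT_SIGSEGV };
enum outcome { RAN, KILLED, LOOPED };

typedef enum action (*fault_handler)(const struct page *pg, const struct fault *f);

/* Opcodes the prefetch check looks for: 0F 0D (3DNow! PREFETCH/PREFETCHW)
 * and 0F 18 (PREFETCHNTA/T0/T1/T2). Instruction prefixes are not handled. */
static bool is_prefetch_opcode(const uint8_t *p)
{
    return p[0] == 0x0F && (p[1] == 0x0D || p[1] == 0x18);
}

/* Naive handler, as described in the thread: read the bytes at the faulting
 * ip without consulting execute permission; if they decode as a prefetch,
 * return without doing anything, so the CPU re-executes the same instruction. */
static enum action handler_naive(const struct page *pg, const struct fault *f)
{
    if (is_prefetch_opcode(&pg->bytes[f->ip % PAGE_SIZE]))
        return FAULT_RETRY;
    return FAULT_SIGSEGV;
}

/* Checked handler (assumed fix, for illustration only): the erratum exemption
 * is meant for a data-access fault raised by a prefetch that did execute. If
 * the CPU says the fault was the instruction fetch itself, the page is not
 * executable and the process gets SIGSEGV regardless of the opcode. */
static enum action handler_checked(const struct page *pg, const struct fault *f)
{
    if (f->error_code & PF_INSTR)
        return FAULT_SIGSEGV;
    return handler_naive(pg, f);
}

/* Toy NX-aware CPU: try to fetch and run one instruction at ip. A fetch from
 * a page without PROT_EXEC raises #PF with PF_INSTR set and calls the handler;
 * FAULT_RETRY re-executes at the same ip. Gives up after `limit` faults. */
static enum outcome run(const struct page *pg, uintptr_t ip, fault_handler h, int limit)
{
    for (int faults = 0; faults < limit; faults++) {
        if (pg->prot & PROT_EXEC)
            return RAN;
        struct fault f = { ip, PF_INSTR };
        if (h(pg, &f) == FAULT_SIGSEGV)
            return KILLED;
        /* FAULT_RETRY: nothing changed, so the same fetch faults again. */
    }
    return LOOPED;
}

/* Build a one-page address space holding the given code bytes. */
static struct page make_page(const uint8_t *code, size_t len, int prot)
{
    struct page pg;
    memset(&pg, 0, sizeof pg);
    memcpy(pg.bytes, code, len < PAGE_SIZE ? len : PAGE_SIZE);
    pg.prot = prot;
    return pg;
}

/* Scenario from the thread: control flow lands on a page whose first bytes
 * are a prefetch (0F 0D 00 = PREFETCH [eax]), with the given permissions. */
static enum outcome branch_to_prefetch(fault_handler h, int prot)
{
    static const uint8_t code[] = { 0x0F, 0x0D, 0x00 };
    struct page pg = make_page(code, sizeof code, prot);
    return run(&pg, 0, h, 1000);
}

/* Control case: the same page holds a NOP, which neither handler exempts. */
static enum outcome branch_to_nop(fault_handler h, int prot)
{
    static const uint8_t code[] = { 0x90 };
    struct page pg = make_page(code, sizeof code, prot);
    return run(&pg, 0, h, 1000);
}

int main(void)
{
    static const char *names[] = { "RAN", "KILLED", "LOOPED" };
    printf("naive,   prefetch, PROT_READ:      %s\n", names[branch_to_prefetch(handler_naive, PROT_READ)]);
    printf("checked, prefetch, PROT_READ:      %s\n", names[branch_to_prefetch(handler_checked, PROT_READ)]);
    printf("checked, prefetch, PROT_READ|EXEC: %s\n", names[branch_to_prefetch(handler_checked, PROT_READ | PROT_EXEC)]);
    printf("naive,   nop,      PROT_READ:      %s\n", names[branch_to_nop(handler_naive, PROT_READ)]);
    return 0;
}
```

The naive handler never terminates on the prefetch page: each return re-executes the fetch, which faults again with nothing changed, which is the loop Jamie expects. The checked variant turns that into the SIGSEGV he says the behaviour should be, while an executable page still runs the prefetch normally. Whether a real handler can rely on the instruction-fetch bit depends on the CPU and on how the fault was produced (NX hardware versus a segment-limit scheme such as exec-shield), which is exactly the distinction Ingo's reply turns on.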