Re: Do x86 NX and AMD prefetch check cause page fault infinite loop?

[Denis Vlasenko]

On Wednesday 30 June 2004 04:38, Jamie Lokier wrote:
> I was looking at the code which checks for prefetch instructions in
> the page fault path on x86 and x86-64, due to the AMD bug where
> prefetch sometimes causes unwanted faults.
>
> I wondered if simply returning when *EIP points to a prefetch
> instruction could cause an infinite loop of page faults, instead of
> the wanted SIGSEGV or SIGBUS.  I know we went over it before, but I
> had another look.
>
> AMD already confirmed that the erroneous fault won't reoccur when a
> prefetch instruction is returned to from the fault handler.  So a loop
> can only occur if it's _not_ an erroneous fault, but instead the
> __is_prefetch() code is preventing a normal signal from being ever
> raised.
[snip]
> But... what if the page is not executable?  When NX is enabled on
> 32-bit x86, and all x86-64 kernels, or even the exec-shield patch's
> changes to the USER_CS limit (that limit isn't checked in
> __is_prefetch) - those conditions all allow __is_prefetch() to read a
> prefetch instruction, cause the fault handler to return, and repeat.
>
> This can only happen when something branches to a page with PROT_EXEC
> _not_ set, on a kernel which honours that, and the target address is a
> prefetch instruction.

Well. To be safe, just skip prefetch instruction, always.
Hm. An attacker can supply us with whole gigabyte of
prefetches back-to-back... Better skip all prefetches,
with resheduling between every 1000 of them.
-- 
vda
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/