Re: PROBLEM: x86 alignment check bug

[Petr Vandrovec]

On  8 Sep 04 at 14:26, Alan Cox wrote:
> On Mer, 2004-09-08 at 00:51, Zachary Amsden wrote:
> > Exception reporting for alignment check violations on x86 is broken 
> > (unfortunately, rather badly, and rather hard to fix).  Look at the trap 
> > function which fills in the si_addr field during an unaligned memory 
> > access, 2.6.8.1-mm4+, arch/i386/kernel/traps.c, Line 522:
> 
> So it fills in a value with random data that should be zero. Ok thats
> hardly "badly". 

These are not random data.  It is old value of CR2, which happens to
be address of last page fault which occured on this CPU.

By artifically triggering alignment fault you can find at which virtual 
address last pagefault on this CPU occured - so you can have some 
additional information channel which can disclose information about 
other processes running on your box.  And although probably all security
related apps learned that page faults can be sensed from time taken to
answer request, and add random delays to their failure answers, this 
additional channel could be used to more precisely determine where
failure occured.

Yes, likelihood that you can use it to hack passwords on your linux box
is zero, but given that currently si_addr reports garbage for alignment
faults (on all x86 processors), why not always report zero (or all F,
or any other constant value or eip) in si_addr? It has same relevance as 
any other random value, and when compared with semi-random value it does
not provide an additional information about system behavior.
                                                Best regards,
                                                    Petr Vandrovec

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/