Re: ESP corruption bug - what CPUs are affected?

From: Gabriel Paubert
Date: Sat Sep 25 2004 - 14:32:01 EST

Next message: Samuel Thibault: "Re: [2.6] smbfs & "du" illness"
Previous message: Jeremy Allison: "Re: [2.6] smbfs & "du" illness"
In reply to: Stas Sergeev: "Re: ESP corruption bug - what CPUs are affected?"
Next in thread: Stas Sergeev: "Re: ESP corruption bug - what CPUs are affected?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Sep 25, 2004 at 04:25:43PM +0400, Stas Sergeev wrote:
> Hello.
>
> Gabriel Paubert wrote:
> >Maybe I miss something, but it seems that lret (or retl)
> >is not affected by this bug.
> Petr Vandrovec says (he forgot to CC that
> to LKML I think):

At least I did not see it.

> ---
> Looking at VMware's code it seems that RETF suffers from
> this bug too...
> ---
>
> I tested that - he is right, and Intel docs
> make no sense as to not mentioning this.

I suspected that they behaved differently because the
pseudocode in iret's description is quite different
(for iret, it even does not mention restoring ESP!).
But if you expect Intel's doc, or that of any manufacturer
for the matter, to tell the whole truth, you're naïve.

Is ESP really properly restored for V86 bmode or is it that
it does not hit the case of a default 32 bit code segment with
a 16 bit stack?

I'm absolutely amazed by the fact that this bug has been there
since the beginning and only seems to hit users right now.

I don't like adding an intermediate privilege level, but
it looks hard to do through the vdso, and you always have to
push something on the final stack. A hardware task switch
might work, but it has problems with races on the segment
descriptors.

Anyway, I've just read again Intel's doc about mixing 16 and 32 bit
code and I have found the understament of the day:

"For most efficient and trouble-free operation of the processor, 32-bit
^^^^^^^^^^^^
programs or tasks should have the D flag in the code-segment descriptor
and the B flag in the stack-segment descriptor set, and 16-bit programs
or tasks should have these flags clear. Program control transfers from
16-bit segments to 32-bit segments (and vice versa) are handled most
efficiently through call, interrupt, or trap gates."

Regards,
Gabriel
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Samuel Thibault: "Re: [2.6] smbfs & "du" illness"
Previous message: Jeremy Allison: "Re: [2.6] smbfs & "du" illness"
In reply to: Stas Sergeev: "Re: ESP corruption bug - what CPUs are affected?"
Next in thread: Stas Sergeev: "Re: ESP corruption bug - what CPUs are affected?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]