Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions

From: H. Peter Anvin
Date: Wed May 21 2008 - 20:10:20 EST

Roland McGrath wrote:
I don't think there is one. We never copy fxsave completely out of the
kernel. x86-64 does FXSAVE directly in/out user space, but the
only leak is what there was before.

ptrace/user_regset copies out and in the whole fxsave block from the ptrace
caller. (Only the mxcsr word is constrained after copy-in.)

I see two problems with that:

1. potential information leak out of the kernel if the memory area isn't zeroed before the first FXSAVE - I haven't verified if so is the case. This would be a (potentially very serious) security hole.

2. Hidden state in the kernel - this means user space can set nonarchitectural state in the kernel. There are a few risks with that:

a. Malware might use it to hide state.
b. The possibility of using the stability or lack thereof of this
state to extract information about kernel internals and/or
provide a covert channel in the presence of hardware changes.
c. It is not certain that future architectures will not have
off-limit fields here, like the equivalent of MXCSR. This is
somewhat of a tricky judgement, of course, but it seems safer
to me if we would explicitly list the modifiable fields.



To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at