Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions

[H. Peter Anvin]

Roland McGrath wrote:
> > I don't think there is one. We never copy fxsave completely out of the
> > kernel. x86-64 does FXSAVE directly in/out user space, but the
> > only leak is what there was before.
>
> ptrace/user_regset copies out and in the whole fxsave block from the ptrace
> caller.  (Only the mxcsr word is constrained after copy-in.)

I see two problems with that:

1. potential information leak out of the kernel if the memory area isn't 
zeroed before the first FXSAVE - I haven't verified if so is the case. 
This would be a (potentially very serious) security hole.

2. Hidden state in the kernel - this means user space can set 
nonarchitectural state in the kernel.  There are a few risks with that:

   a. Malware might use it to hide state.
   b. The possibility of using the stability or lack thereof of this
      state to extract information about kernel internals and/or
      provide a covert channel in the presence of hardware changes.
   c. It is not certain that future architectures will not have
      off-limit fields here, like the equivalent of MXCSR.  This is
      somewhat of a tricky judgement, of course, but it seems safer
      to me if we would explicitly list the modifiable fields.

Thoughts?

	-hpa

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/