Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions

From: Roland McGrath
Date: Wed May 21 2008 - 20:49:16 EST

Next message: Roland McGrath: "Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions"
Previous message: David Miller: "Re: [PATCH net-2.6] [NET] The world is not perfect patch."
In reply to: H. Peter Anvin: "Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions"
Next in thread: Andi Kleen: "Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> 1. potential information leak out of the kernel if the memory area isn't
> zeroed before the first FXSAVE - I haven't verified if so is the case.
> This would be a (potentially very serious) security hole.

Not a problem (see init_fpu).

> 2. Hidden state in the kernel - this means user space can set
> nonarchitectural state in the kernel. There are a few risks with that:
>
> a. Malware might use it to hide state.

Meh. You can already use FP reg space when abusing non-FP-using programs
(via ptrace or signal frame clobbering). Via ptrace, you can use %db[0-3]
without setting %db7 to make them affect hardware. etc, etc.

> b. The possibility of using the stability or lack thereof of this
> state to extract information about kernel internals and/or
> provide a covert channel in the presence of hardware changes.
> c. It is not certain that future architectures will not have
> off-limit fields here, like the equivalent of MXCSR. This is
> somewhat of a tricky judgement, of course, but it seems safer
> to me if we would explicitly list the modifiable fields.

Meh. The status quo is that (aside from initialization) it gets
whatever the hardware does. FXRSTOR is an unprivileged instruction.
AFAIK the only reason we control the MXCSR value is because we don't
want to handle a #GP in context switch. That would happen if reserved
bits were set in MXCSR. We already have code to do fxrstor and handle
it, which sigreturn uses. We could just use that if it weren't so
trivial to keep MXCSR safe--but since it is, why not keep one fewer
entry in the exception fixup table?

The hardware people know that it is unprivileged and is used in this way
where privileged code uses a data block received from unprivileged code.
If they add things that can make the data lead to new kinds of
exceptions, they will make it require the OS enable something, just like
we already have to set OSFXSR for the MXCSR reserved bits #GP case to be
possible.

Any piece of software state we start using in this buffer just has to
meet these same expectations. (i.e. if any value could cause lossage to
anything but the user's own memory and user-mode CPU state, then we have
to police it at sigreturn/user_regset.set time.)

Thanks,
Roland
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Roland McGrath: "Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions"
Previous message: David Miller: "Re: [PATCH net-2.6] [NET] The world is not perfect patch."
In reply to: H. Peter Anvin: "Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions"
Next in thread: Andi Kleen: "Re: [RFC] x86: xsave/xrstor support, ucontext_t extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]