Good point. Fixed.
> But this was not my main point, now that all segment register loads and
> even the iret is protected from exceptions, it might be time to remove
> the bogus checks for selectors in restore_sigcontext. Hence the attached
> patch (perhaps to aggressive, I'll admit). It will hopefully make
> signal return faster and some thread libraries happier.
There wasn't any patch..
Anyway, we _do_ have to check certain security things. The exception
vector only checks that the selector is valid and loadable, but we have to
verify that nobody can load a kernel selector (which _is_ allowed in
kernel mode, and as such wouldn't trigger an exception).
So we have to make restore_sigcontext and anything else that loads a
segment that we can't trust check at least that it is a DPL=3 segment.
Note that we don't need to do this in switch_to, because in switch_to we
only restore a segment that we have saved earlier, so we know it has to be
safe. restore_sigcontext() is special in that a user program could have
messed around with the signal stack, and as such the values we load are
not to be trusted.
This is why we still need to check that the segment either is DPL=0 or is
a zero segment, ie test a condition like:
nonzero? DPL != 3
if ((segment & 0xfff8) && (segment & 3) != 3)
BAD SEGMENT
which is what we do now..
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.altern.org/andrebalsa/doc/lkml-faq.html