Re: SETFPXREGS fix

From: Andrea Arcangeli (andrea@suse.de)
Date: Fri Nov 03 2000 - 20:07:09 EST


On Sat, Nov 04, 2000 at 10:50:00AM +1100, Gareth Hughes wrote:
> 	if ( HAVE_FXSR ) {
> 		if ( __copy_from_user( &tsk->thread.i387.fxsave, (void *)buf,
> 				       sizeof(struct user_fxsr_struct) ) )
> 			return -EFAULT;
> 		/* bit 6 and 31-16 must be zero for security reasons */
> 		tsk->thread.i387.fxsave.mxcsr &= 0x0000ffbf;
> 		return 0;
> 	}

The above doesn't fix the security problem. Put the last byte of the userspace
structure on an unmapped page and it will return -EFAULT, leaving the invalid
mxcsr value that will corrupt the FPU again.

The right version of the above is just in linux mailbox.

The reason I did it in a more complex way at first is that I wanted to go safe;
I wasn't sure if somebody could SIGCONT the traced task while we were copying
the data, introducing a race where it was still possible to exploit
the bug; but as Linus pointed out to me, the loop in do_signal prevents that, so
we can do only one large copy and then fix up (fixing up also in the -EFAULT
case, of course).

Andrea
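The two patterns contrasted in this message, as an added example that is not code from the thread or from the kernel source: the quoted version masks the reserved mxcsr bits only after a successful copy, so a user buffer whose tail is unmapped returns -EFAULT with the reserved bits still set; the version Andrea describes does one copy and applies the mask unconditionally, so the kernel-side register image is valid on every exit path. The `struct fxsave_area` layout, `fake_copy_from_user()` (a stand-in for `__copy_from_user()` that stops at a chosen offset to model the unmapped page) and the function names are constructed for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 512-byte FXSAVE area; only the field the
 * thread is about is named. MXCSR lives at byte offset 24 in the real area. */
struct fxsave_area {
    uint8_t  pad[24];
    uint32_t mxcsr;
    uint8_t  rest[512 - 28];
};

/* Bit 6 and bits 31-16 of MXCSR are reserved; the hardware faults on a
 * non-zero reserved bit, so they must never reach the register. */
#define MXCSR_RESERVED_MASK 0x0000ffbfu

/* Stand-in for __copy_from_user(): copies at most `fault_at` bytes, modelling
 * a user buffer whose remainder is on an unmapped page. Like the kernel
 * helper it returns the number of bytes that could NOT be copied. */
static size_t fake_copy_from_user(void *dst, const void *src, size_t n,
                                  size_t fault_at)
{
    size_t ok = n < fault_at ? n : fault_at;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Pattern quoted in the thread: the mask is applied only on success, so a
 * partial copy leaves whatever reserved bits the caller supplied. */
int setfpxregs_unfixed(struct fxsave_area *dst, const struct fxsave_area *ubuf,
                       size_t fault_at)
{
    if (fake_copy_from_user(dst, ubuf, sizeof *dst, fault_at))
        return -EFAULT;
    dst->mxcsr &= MXCSR_RESERVED_MASK;
    return 0;
}

/* Pattern Andrea describes: one large copy, then fix up on every path,
 * including the -EFAULT one. */
int setfpxregs_fixed(struct fxsave_area *dst, const struct fxsave_area *ubuf,
                     size_t fault_at)
{
    int ret = 0;
    if (fake_copy_from_user(dst, ubuf, sizeof *dst, fault_at))
        ret = -EFAULT;
    dst->mxcsr &= MXCSR_RESERVED_MASK;   /* unconditional: ret may be -EFAULT */
    return ret;
}

/* Check used by the demonstration: are any reserved bits set? */
int mxcsr_has_reserved_bits(const struct fxsave_area *a)
{
    return (a->mxcsr & ~MXCSR_RESERVED_MASK) != 0;
}

int main(void)
{
    struct fxsave_area user_buf, kern;

    /* Constructed user image: every MXCSR bit set, last byte "unmapped". */
    memset(&user_buf, 0, sizeof user_buf);
    user_buf.mxcsr = 0xffffffffu;
    size_t fault_at = sizeof user_buf - 1;

    memset(&kern, 0, sizeof kern);
    int r1 = setfpxregs_unfixed(&kern, &user_buf, fault_at);
    printf("unfixed: ret=%d mxcsr=0x%08x reserved_set=%d\n",
           r1, kern.mxcsr, mxcsr_has_reserved_bits(&kern));

    memset(&kern, 0, sizeof kern);
    int r2 = setfpxregs_fixed(&kern, &user_buf, fault_at);
    printf("fixed:   ret=%d mxcsr=0x%08x reserved_set=%d\n",
           r2, kern.mxcsr, mxcsr_has_reserved_bits(&kern));
    return 0;
}
```

The point of the second function is that the error return and the sanitisation are independent: whatever bytes landed in the kernel-side structure before the fault are masked before the caller can reach a context switch that would restore them.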
This archive was generated by hypermail 2b29 : Tue Nov 07 2000 - 21:00:15 EST