Re: [BROKEN PATCH] syscalls leak data via registers?

From: Richard B. Johnson (root@chaos.analogic.com)
Date: Thu Aug 07 2003 - 10:55:43 EST

Next message: Bjorn Helgaas: "Re: [PATCH] trivial 2.4/2.6 PCI name change/addition"
Previous message: Ed L Cashin: "Re: [TRIVIAL][PATCH] document unused pte bits on i386"
In reply to: Jeremy Fitzhardinge: "Re: [BROKEN PATCH] syscalls leak data via registers?"
Next in thread: Pavel Machek: "Re: [BROKEN PATCH] syscalls leak data via registers?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 7 Aug 2003, Jeremy Fitzhardinge wrote:

> On Thu, 2003-08-07 at 03:30, Pavel Machek wrote:
> > I believe userspace depends on registers to be preserved over system
> > call, except for eax.
>
> That's what I was wondering. Does it? Is that a documented part of the
> syscall interface?
>
> > So what you found is not only security problem,
> > but also crasher bug.
>
> In these sense that it crashes userspace?
>
> J
>

The kernel interface preserves the registers that GCC needs
preserved, i.e., index registers such as EBX, ESI, and EDI.
It may not preserve registers that convey information for
the call unless they are index registers. For instance,
a system call that takes two parameters has those parameters
put into EBX and ECX. Register EAX always contains the
function number. In the case described, only EBX is
guaranteed to be preserved, this because it's an index
register.

Typically parameters are passed as:

        No parameters EAX
        1 parameter EAX EBX
        2 parameters EAX EBX ECX
        3 parameters EAX EBX ECX EDX
        4 parameters EAX EBX ECX EDX ESI
        5 parameters EAX EBX ECX EDX ESI EDI
        6 parameters EAX EBX ECX EDX ESI EDI EBP

Upon return only the index registers plus segments and stack
will be preserved. The other registers can contain anything.
However, this is hardly an 'information' leak. Even if the
address of something in the kernel was returned, it can't
be accessed, and the 'information' is all about the methods
used to perform a function upon behalf of the caller, not
some other task. In other words, if you are reading from
a file, and some register contains 42, you only know that
that value was used somewhere while helping you get the
file data. It is never some data from somebody else's file.
To get to somebody else's data requires a context switch and
all registers and restored are saved across a context switch.
In Unix, the kernel performs functions on behalf of the caller,
within the context of the caller, so register information
is not an information leak.

But, there is the possibility of having data left in memory
by another task, accessed by the current task. These possibilities
are constantly reviewed and fixed when found.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Note 96.31% of all statistics are fiction.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bjorn Helgaas: "Re: [PATCH] trivial 2.4/2.6 PCI name change/addition"
Previous message: Ed L Cashin: "Re: [TRIVIAL][PATCH] document unused pte bits on i386"
In reply to: Jeremy Fitzhardinge: "Re: [BROKEN PATCH] syscalls leak data via registers?"
Next in thread: Pavel Machek: "Re: [BROKEN PATCH] syscalls leak data via registers?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:39 EST