Re: crashme & 2.1.104pre1: oops in restore_sigcontext

Bill Hawes (whawes@star.net)
Tue, 02 Jun 1998 11:21:10 -0400


Gabriel Paubert wrote:

> > // some macros skipped
> >
> > #define GET_SEG(seg) \
> > { __get_user(tmp, &sc->seg); \
> > if ((tmp & 0xfffc) /* not a NULL selector */ \
> > && (tmp & 0x4) != 0x4 /* not a LDT selector */ \
> > && (tmp & 3) != 3) /* not a RPL3 GDT selector */ \
> > goto badframe; \
> > __asm__ __volatile__("movl %w0,%%" #seg : : "r"(tmp)); }
> >
> > GET_SEG(gs);
> >
> > (end of excerpt)
> >
> > Any ideas?
> >
>
> Yeah, the code only checks that the segment might be put into gs (or any
> other segment register) in a crude way. But if you don't have an LDT or
> try to load an invalid or empty ldt and/or gdt entry, you will get this
> oops. But it can only be used to fill your logs and does not open any
> security hole AFAICT...
>
> It means that crashme tries to see what happens when thrashing the CPU
> context in a signal handler and that Linux should handle some of these
> extreme situations more elegantly...

Hi Gabriel,

Perhaps it would help to verify that an ldt exists if the selector
refers to one? I guess the full solution would be to use the limit check
and verification instructions to ensure that all is correct, but this
would need to be different depending on which register is being loaded.

I don't think we should allow the kernel to be oopsed from userland,
even if it only fills the logs ...

Regards,
Bill
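
An added example, not code from the thread or from the kernel source: a user-space C model of the quoted GET_SEG selector check beside the stricter variant Bill proposes, in which an LDT selector is only accepted when the task actually has an LDT whose size covers the selector's index. The function names, the ldt_entries parameter and the sample selectors are constructed for illustration; real code would consult the task's own LDT state.

```c
/* Added example, not kernel code: models the selector sanity check from
 * the quoted GET_SEG macro and the extra "does an LDT exist?" check from
 * the reply. ldt_entries (assumed parameter) stands in for the task's
 * LDT size; 0 means the task has no LDT at all. */
#include <stdio.h>

#define SEL_RPL(s)   ((s) & 3)           /* requestor privilege level */
#define SEL_TI(s)    (((s) >> 2) & 1)    /* table indicator: 1 = LDT  */
#define SEL_INDEX(s) (((s) >> 3) & 0x1fff)

/* The check as quoted: reject only non-null GDT selectors whose RPL
 * is not 3. LDT selectors pass without any further verification. */
int gdt_rpl_check_ok(unsigned int sel)
{
    sel &= 0xffff;
    if (!(sel & 0xfffc))          /* null selector: always loadable */
        return 1;
    if (SEL_TI(sel))              /* LDT selector: accepted unverified */
        return 1;
    return SEL_RPL(sel) == 3;     /* GDT selector must be user RPL */
}

/* Stricter check: an LDT selector is accepted only if the task has an
 * LDT and the index lies inside it. Everything else is unchanged. */
int selector_ok(unsigned int sel, unsigned int ldt_entries)
{
    sel &= 0xffff;
    if (!gdt_rpl_check_ok(sel))
        return 0;
    if ((sel & 0xfffc) && SEL_TI(sel))
        return SEL_INDEX(sel) < ldt_entries;
    return 1;
}

int main(void)
{
    /* constructed sample selectors (value, LDT size, description) */
    struct { unsigned int sel, ldt; const char *what; } t[] = {
        { 0x0000, 0, "null selector" },
        { 0x002b, 0, "GDT index 5, RPL 3 (user data)" },
        { 0x0010, 0, "GDT index 2, RPL 0 (kernel data)" },
        { 0x0007, 0, "LDT index 0, RPL 3, task has no LDT" },
        { 0x0007, 1, "LDT index 0, RPL 3, 1-entry LDT" },
        { 0x000f, 1, "LDT index 1, RPL 3, 1-entry LDT" },
    };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%#06x: quoted=%d stricter=%d (%s)\n", t[i].sel,
               gdt_rpl_check_ok(t[i].sel),
               selector_ok(t[i].sel, t[i].ldt), t[i].what);
    return 0;
}
```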
