Hi!
> It looks to me like the syscall calling convention, on x86 at least,
> leaks kernel data out via the registers.
[scary stuff]
> When sys_foo returns, the value of %ebx has been changed to 77 on the
> stack, so when it returns to user-mode, the whole world can see that
> arg1 was assigned 77 at some point.
>
> It seems to me the bug is in restoring the register values on return to
> user-mode. As I understand it, the x86 ABI says that the called
> function owns the stack memory which contains the function's arguments,
> so it is completely within gcc's right to reuse the memory as spill
> space (or anything else) when generating code for that function.
> Therefore, the code in entry.S should not restore those values to
> registers - it should just trash all the registers (except %eax, of
> course) before returning.
>
> I tried writing a patch which replaces the RESTORE_ALL with the
> equivalent which simply skips %esp over the other registers, pops %eax
> and then assigns it to %ebx-%ebp (it makes as good a trash value as
> any), but this crashes when calibrating the delay loop. Hm, looks like
> the RESTORE_ALL on the syscall return path is also used by the interrupt
> return path - that probably shouldn't trash registers.
I believe userspace depends on registers to be preserved over system
call, except for eax. So what you found is not only security problem,
but also crasher bug.
Pavel
-- When do you have a heart between your knees? [Johanka's followup: and *two* hearts?] - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:37 EST