From: "H. Peter Anvin" <hpa@zytor.com>
To: Richard Henderson <rth@redhat.com>
Cc: "H.J. Lu" <hjl.tools@gmail.com>,
Bernd Schmidt <bernds@codesourcery.com>,
gcc-patches@gcc.gnu.org,
Eric Botcazou <ebotcazou@adacore.com>
Subject: Re: [x32] PATCH: Remove ix86_promote_function_mode
Date: Tue, 21 Jun 2011 00:33:00 -0000 [thread overview]
Message-ID: <4DFFDA4C.5050603@zytor.com> (raw)
In-Reply-To: <4DFFCE63.3090209@redhat.com>
On 06/20/2011 03:49 PM, Richard Henderson wrote:
>>
>> As I have already stated, if we *cannot* require pointers to be
>> zero-extended on entry to the kernel, we're going to have to have
>> special entry points for all the x32 system calls except the ones that
>> don't take pointers.
>
> If it's a security concern, surely you have to do it in the kernel
> anyway, lest someone call into the kernel via their own assembly
> rather than something controlled by the compiler...
>
That was the point... right now we rely on the ABI to not have any
invalid representations (except, as far as I know, on s390). This means
any arbitrary register image presented to the kernel will be a set of
valid C objects; we then accept or reject them as being semantically
valid using normal C code in the kernel.
The issue occurs when the kernel can be entered with something in the
register that is invalid according to the calling convention, and not
have it rejected.
The current x86-64 ABI rules, for example, imply that if
%rdi = 0x3fb8c9119537d37d and the type of the first argument is
uint32_t, that is a valid argument with the value 0x9537d37d. The extra
upper bits are ignored, and so no security issue arises.
The issue with requiring the upper bits to be normalized occurs with
code like:
static const long foo_table[10] = { ... };
long sys_foo(unsigned int bar)
{
if (bar >= 10)
return -EINVAL;
return foo_table[bar];
}
If the upper bits are required to be zero, gcc could validly translate
that to:
sys_foo:
cmpl $10, %edi
jae .L1
movq foo_table(,%rdi,3), %rax
retq
.L1:
movq $-EINVAL, %rax
retq
Enter this function with a non-normalized %rdi and you have a security
hole even though the C is perfectly fine.
-hpa
next prev parent reply other threads:[~2011-06-20 23:40 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-20 13:55 H.J. Lu
2011-06-20 13:57 ` Bernd Schmidt
2011-06-20 14:13 ` H.J. Lu
2011-06-20 14:41 ` H. Peter Anvin
2011-06-20 14:44 ` Jeff Law
2011-06-20 15:11 ` H.J. Lu
2011-06-20 14:46 ` H.J. Lu
2011-06-20 15:28 ` H. Peter Anvin
2011-06-20 22:58 ` Richard Henderson
2011-06-21 0:33 ` H. Peter Anvin [this message]
2011-06-21 0:34 ` Richard Henderson
2011-06-21 1:15 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DFFDA4C.5050603@zytor.com \
--to=hpa@zytor.com \
--cc=bernds@codesourcery.com \
--cc=ebotcazou@adacore.com \
--cc=gcc-patches@gcc.gnu.org \
--cc=hjl.tools@gmail.com \
--cc=rth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).