Bugtraq mailing list archives
BSDI patch for Pentium workaround has problems
From: mycroft () MIT EDU (Charles M. Hannum)
Date: Fri, 14 Nov 1997 19:33:00 -0500
[I sent the body of this to people at BSDI and Intel after looking at the official release version of the BSDI patch.]

In addition to the concerns I posted on bugtraq regarding handling of INTO and BOUND instructions, and the (albeit minor) differences in handling INT $0, INT $1, INT $2, and INT $6 from user code, the new revision of the BSDI patch fails in two additional ways:

It directly accesses a linear address in user space using the kernel segment descriptors, ignoring that the process may be in VM86 mode or 16-bit protected mode. (You might be able to ignore protected mode if you don't allow the user to create segment descriptors. We do to support WINE and WABI.) Not only will it therefore get the PC (%eip) fixup wrong in these modes, but it may also cause an unhandled page fault in kernel space, which will cause the kernel to crash. This is highly suboptimal.

If you're going to look at the user instruction (which you *need* to do to properly handle BOUND), then you must do the segment translations correctly.

Note that there's a race condition here in SMP systems, but in practice this is minor; if the user changes the instruction while we're doing the fixup, the fixup will do something not quite right, but should not create a security hole.

I include below three pieces of mail from me about this on bugtraq. (Note that my suggested way of reexecuting the instruction actually can't work correctly in a SMP system, but I include it here for completeness. Basically, the user could change the instruction before it's reexecuted to be something that doesn't trap, then do a bunch of things to cause the cache to be completely flushed, and do the hanging instruction again while we're still pointing to the fully mapped IDT, causing the hang. We could try to work around this using the trace flag to force an exception, but in protected mode the user can change the trace flag.)

[Other messages omitted, since I already sent them here.]
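The segment translation the message above asks for, as an added example that is not part of this mail and not the BSDI patch's own code. It takes the CS, EIP and EFLAGS saved in a trap frame and computes the linear address of the user instruction three ways: VM86 mode (segment << 4 plus a 16-bit IP), a 16-bit protected-mode code segment (descriptor base plus the low 16 bits of %eip) and a 32-bit segment (descriptor base plus the full %eip), refusing to produce an address when the selector, descriptor or offset is bad rather than letting the kernel take an unhandled page fault. `naive_pc_linear` stands in for the behaviour the mail criticises, namely treating %eip itself as the linear address. The `struct segtables` layout, `mkdesc`, the descriptor values and the `umem` window that stands in for user memory are all constructed here for illustration; a real kernel would read the user byte with a fault-tolerant copyin, would have to handle instruction prefixes before BOUND, and would still be exposed to the SMP race the mail describes, since this is a one-shot snapshot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EFLAGS.VM (bit 17) marks a VM86-mode frame; selector bit 2 (TI) picks the LDT. */
#define EFLAGS_VM  (1u << 17)
#define SEL_TI_LDT (1u << 2)

/* The trap-frame fields needed to locate the user instruction. */
struct trapframe { uint32_t cs, eip, eflags; };

/* Raw 8-byte i386 segment descriptor as two little-endian dwords. */
struct segdesc { uint32_t lo, hi; };

/* Descriptor tables of the current process (hypothetical kernel bookkeeping). */
struct segtables {
    const struct segdesc *gdt; size_t ngdt;
    const struct segdesc *ldt; size_t nldt;
};

/* Build a code-segment descriptor: present, DPL 3, readable, non-conforming. */
static struct segdesc mkdesc(uint32_t base, uint32_t limit, bool gran, bool is32) {
    struct segdesc d;
    d.lo = (limit & 0xffffu) | ((base & 0xffffu) << 16);
    d.hi = ((base >> 16) & 0xffu) | 0xfa00u          /* type 0xA, S=1, DPL=3, P=1 */
         | (((limit >> 16) & 0xfu) << 16)
         | ((uint32_t)is32 << 22) | ((uint32_t)gran << 23)
         | (base & 0xff000000u);
    return d;
}

/* What the mail objects to: using %eip as if it were already a linear address. */
static uint32_t naive_pc_linear(const struct trapframe *tf) { return tf->eip; }

/*
 * Translate CS:EIP into a linear address, honouring VM86 mode and 16-bit code
 * segments. Returns false whenever the address cannot be formed safely (index
 * past the table, descriptor not present, offset beyond the limit) so the
 * caller never dereferences a guessed address from kernel mode.
 */
static bool user_pc_linear(const struct trapframe *tf, const struct segtables *t,
                           uint32_t *linear) {
    if (tf->eflags & EFLAGS_VM) {
        /* Real-mode addressing: no descriptor is consulted at all. */
        *linear = ((tf->cs & 0xffffu) << 4) + (tf->eip & 0xffffu);
        return true;
    }
    const struct segdesc *tbl = (tf->cs & SEL_TI_LDT) ? t->ldt : t->gdt;
    size_t n   = (tf->cs & SEL_TI_LDT) ? t->nldt : t->ngdt;
    size_t idx = tf->cs >> 3;
    if (idx >= n) return false;
    const struct segdesc *d = &tbl[idx];
    if (!((d->hi >> 15) & 1u)) return false;                      /* P bit clear */
    uint32_t base  = (d->lo >> 16) | ((d->hi & 0xffu) << 16) | (d->hi & 0xff000000u);
    uint32_t limit = (d->lo & 0xffffu) | (d->hi & 0x000f0000u);
    if (d->hi & (1u << 23)) limit = (limit << 12) | 0xfffu;       /* G: 4 KiB units */
    bool is32 = (d->hi >> 22) & 1u;                               /* D bit */
    /* In a 16-bit code segment only IP is an address; the high half of %eip is junk. */
    uint32_t off = is32 ? tf->eip : (tf->eip & 0xffffu);
    if (off > limit) return false;          /* code segments are never expand-down */
    *linear = base + off;
    return true;
}

enum trap_insn { TI_ERROR = -1, TI_OTHER = 0, TI_INT3, TI_INT_N, TI_INTO, TI_BOUND };

/*
 * Read the opcode byte the frame points at from a constructed snapshot of user
 * memory covering linear [umem_base, umem_base + umem_len). An address outside
 * the window is reported as an error, not dereferenced. Prefixes are not decoded.
 */
static enum trap_insn classify_user_trap(const struct trapframe *tf,
                                         const struct segtables *t,
                                         const uint8_t *umem, uint32_t umem_base,
                                         size_t umem_len) {
    uint32_t lin;
    if (!user_pc_linear(tf, t, &lin)) return TI_ERROR;
    if (lin < umem_base || lin - umem_base >= umem_len) return TI_ERROR;
    switch (umem[lin - umem_base]) {
    case 0xcc: return TI_INT3;
    case 0xcd: return TI_INT_N;   /* INT imm8 */
    case 0xce: return TI_INTO;
    case 0x62: return TI_BOUND;   /* BOUND r, m; ModRM/SIB/disp follow */
    default:   return TI_OTHER;
    }
}

int main(void) {
    /* Constructed tables: GDT[1] is a flat 32-bit code segment, LDT[1] a 16-bit
       code segment at linear 0x20000 with a 4 KiB limit. */
    struct segdesc gdt[2] = { {0, 0}, mkdesc(0, 0xfffffu, true, true) };
    struct segdesc ldt[2] = { {0, 0}, mkdesc(0x20000u, 0x0fffu, false, false) };
    struct segtables t = { gdt, 2, ldt, 2 };
    /* Constructed user memory window: BOUND at +0x100, INT $0x80 at +0x200. */
    static uint8_t umem[0x1000];
    umem[0x100] = 0x62; umem[0x200] = 0xcd; umem[0x201] = 0x80;

    struct trapframe f16 = { 0x0f, 0xdead0100u, 0 };   /* LDT entry 1, RPL 3, junk in high %eip */
    struct trapframe vm  = { 0x2000, 0x0200, EFLAGS_VM };
    struct trapframe f32 = { 0x0b, 0x0200, 0 };        /* flat: %eip is the linear address */
    uint32_t lin = 0;
    user_pc_linear(&f16, &t, &lin);
    printf("16-bit frame: naive 0x%08x vs correct 0x%08x\n", naive_pc_linear(&f16), lin);
    printf("kinds: 16-bit=%d vm86=%d flat=%d\n",
           classify_user_trap(&f16, &t, umem, 0x20000u, sizeof umem),
           classify_user_trap(&vm,  &t, umem, 0x20000u, sizeof umem),
           classify_user_trap(&f32, &t, umem, 0x20000u, sizeof umem));
    return 0;
}
```

The 16-bit frame is the case the mail is about: with 0xdead in the upper half of %eip, the naive translation yields a kernel page fault or the wrong instruction, while the descriptor-based translation lands on the BOUND at 0x20100. The flat frame translates fine but falls outside the constructed window, which is the "report, do not dereference" path a copyin with fault recovery would take.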
Current thread:
- Re: Linux IP fragment overlap bug, (continued)
- Re: Linux IP fragment overlap bug Vadim Kolontsov (Nov 14)
- Re: Linux IP fragment overlap bug David LeBlanc (Nov 14)
- Re: Linux IP fragment overlap bug Morbid Dead Guy (Nov 16)
- Windows 95 IP Fragmentation Bug Fix? Aleph One (Nov 17)
- The Linux patch. G P R (Nov 14)
- The overlapping fragment bug Alan Cox (Nov 14)
- Re: The overlapping fragment bug Philippe Strauss (Nov 14)
- Re: The overlapping fragment bug G P R (Nov 15)
- Pentium processor invalid instruction erratum Aleph One (Nov 14)
- Software backgrounder Aleph One (Nov 14)
- BSDI patch for Pentium workaround has problems Charles M. Hannum (Nov 14)
- Re: L0pht Advisory: IE4.0 David LeBlanc (Nov 10)
- Re: L0pht Advisory: IE4.0 rene () NS VIA NL (Nov 11)
- Intel Pentium Bug: Workaround (1st lvl cache) Ralf Rudolph (Nov 11)