Return-Path: <linux-kernel-owner+willy=40w.ods.org@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id <S262807AbSKMVoa>; Wed, 13 Nov 2002 16:44:30 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org
	id <S262692AbSKMVoa>; Wed, 13 Nov 2002 16:44:30 -0500
Received: from vana.vc.cvut.cz ([147.32.240.58]:2944 "EHLO vana.vc.cvut.cz")
	by vger.kernel.org with ESMTP id <S262807AbSKMVo2>;
	Wed, 13 Nov 2002 16:44:28 -0500
Date: Wed, 13 Nov 2002 22:51:15 +0100
From: Petr Vandrovec <vandrove@vc.cvut.cz>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Christoph Hellwig <hch@infradead.org>,
       Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: FW: i386 Linux kernel DoS (clarification)
Message-ID: <20021113215115.GA1827@vana>
References: <76D1FF66BB6@vcnet.vc.cvut.cz> <1037224095.11979.156.camel@irongate.swansea.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1037224095.11979.156.camel@irongate.swansea.linux.org.uk>
User-Agent: Mutt/1.4i
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2427
Lines: 67

On Wed, Nov 13, 2002 at 09:48:15PM +0000, Alan Cox wrote:
> On Wed, 2002-11-13 at 21:18, Petr Vandrovec wrote:
> > >     pushfl          # We get a different stack layout with call
> > >                 # gates, which has to be cleaned up later..
> > > +   andl $~0x4500, (%esp)   # Clear NT since we are doing an iret
> > 
> > this will clear 'D' and 'T' in caller after we do
> > iret (if lcall7 returns, of course). I'm not sure that callers
> 
> You can adjust that if you want, I copied it about - clearing D is fine,
> in fact it may let us avoid the cld

Hi,
   your original code just behaved as my old code: run modprobe successfully,
and then die. Problem is that copy of eflags on stack is totally unimportant
to us: current value in eflags is what matters. So this is minimal
patch which works here: NT, DF and TF are now cleared only for kernel,
and when we return back from lcall, userspace has its old values.

   Optimization left to readed is creating SAVE_ALL_NOCLD, and using this
one in lcall7 and lcall27.

   With patch below my machine survived test. Unfortunately I do not
have patched kernel with linux-abi to test whether lcall7 still works
correctly.
						Best regards,
							Petr Vandrovec
							vandrove@vc.cvut.cz


--- linux-2.5.47.dist/arch/i386/kernel/entry.S	2002-11-11 12:26:04.000000000 +0100
+++ linux-2.5.47/arch/i386/kernel/entry.S	2002-11-13 22:40:19.000000000 +0100
@@ -66,7 +66,9 @@
 OLDSS		= 0x38
 
 CF_MASK		= 0x00000001
+TF_MASK		= 0x00000100
 IF_MASK		= 0x00000200
+DF_MASK		= 0x00000400
 NT_MASK		= 0x00004000
 VM_MASK		= 0x00020000
 
@@ -132,6 +134,9 @@
 	movl CS(%esp), %edx	# this is eip..
 	movl EFLAGS(%esp), %ecx	# and this is cs..
 	movl %eax,EFLAGS(%esp)	#
+	andl $~(NT_MASK|TF_MASK|DF_MASK), %eax
+	pushl %eax
+	popfl
 	movl %edx,EIP(%esp)	# Now we move them to their "normal" places
 	movl %ecx,CS(%esp)	#
 	movl %esp, %ebx
@@ -154,6 +159,9 @@
 	movl CS(%esp), %edx	# this is eip..
 	movl EFLAGS(%esp), %ecx	# and this is cs..
 	movl %eax,EFLAGS(%esp)	#
+	andl $~(NT_MASK|TF_MASK|DF_MASK), %eax
+	pushl %eax
+	popfl
 	movl %edx,EIP(%esp)	# Now we move them to their "normal" places
 	movl %ecx,CS(%esp)	#
 	movl %esp, %ebx
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/