Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756651AbaKACbJ (ORCPT ); Fri, 31 Oct 2014 22:31:09 -0400 Received: from ozlabs.org ([103.22.144.67]:57446 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750788AbaKACbI (ORCPT ); Fri, 31 Oct 2014 22:31:08 -0400 From: Rusty Russell To: Andy Lutomirski , Thomas Gleixner , X86 ML , Ingo Molnar , "H. Peter Anvin" , Sebastian Lackner , Anish Bhatt , linux-kernel@vger.kernel.org, Linus Torvalds Cc: Chuck Ebbert , Andy Lutomirski , stable@vger.kernel.org Subject: Re: [PATCH] x86_64, entry: Fix out of bounds read on sysenter In-Reply-To: References: User-Agent: Notmuch/0.17 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu) Date: Sat, 01 Nov 2014 12:58:55 +1030 Message-ID: <874muj4pso.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Andy Lutomirski writes: > Rusty noticed a Really Bad Bug (tm) in my NT fix. The entry code > reads out of bounds, causing the NT fix to be unreliable. But, and > this is much, much worse, if your stack is somehow just below the > top of the direct map (or a hole), you read out of bounds and crash. > > Excerpt from the crash: > > [ 1.129513] RSP: 0018:ffff88001da4bf88 EFLAGS: 00010296 > > 2b:* f7 84 24 90 00 00 00 testl $0x4000,0x90(%rsp) > > That read is deterministically above the top of the stack. I > thought I even single-stepped through this code when I wrote it to > check the offset, but I clearly screwed it up. > > Fixes 8c7aa698baca x86_64, entry: Filter RFLAGS.NT on entry from userspace > > Reported-by: Rusty Russell > Cc: stable@vger.kernel.org > Signed-off-by: Andy Lutomirski Tested-by: Rusty Russell Thanks for the fast response... Rusty. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/