Subject: Re: [Lguest] [PATCH] lguest: Fix Malicious Guest GDT Host Crash
From: Rusty Russell <rusty@rustcorp.com.au>
To: Zachary Amsden <zach@vmware.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>, lguest <lguest@ozlabs.org>,
       Andrew Morton <akpm@linux-foundation.org>,
       lkml - Kernel Mailing List <linux-kernel@vger.kernel.org>
In-Reply-To: <46BB3692.5010003@vmware.com>
References: <1186657033.17752.58.camel@localhost.localdomain>
	 <46BB3692.5010003@vmware.com>
Content-Type: text/plain
Date: Fri, 10 Aug 2007 22:04:00 +1000
Message-Id: <1186747440.23993.34.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1167
Lines: 31

On Thu, 2007-08-09 at 08:45 -0700, Zachary Amsden wrote:
> Rusty Russell wrote:
> > We kill the Guest if it causes a fault in the Switcher: it's the
> > Guest's responsibility to make sure it's not using segments when it
> > changes them.
> 
> Linux doesn't obey that rule.  It changes descriptors behind FS/GS all 
> over the place.  Well, not all over the place, only when updating LDT 
> entries

Hi Zach,

	I think it's OK.  To clarify, it's only fatal when the guest changes
them in a way that will fault if they're reloaded: not any change.
Lguest doesn't support LDT, so that's not a problem.

> , TLS entries, and during context switch.

These two go through load_TLS -> lguest_load_tls which is patched by
this same change to load 0 into gs before doing the hypercall.  The
other segment registers are set by the kernel, and so we know they don't
refer to changing entries.

Is there anything I've missed?
Rusty.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/