2002-04-03 21:56:39

by Pavel Machek

Subject: Warn users about machines with non-working WP bit

Hi!

This might be a good idea, as those machines are not safe for multiuser
systems.

--- clean.2.5/arch/i386/mm/init.c Sun Mar 10 20:06:31 2002
+++ linux/arch/i386/mm/init.c Mon Mar 11 21:49:14 2002
@@ -383,7 +383,7 @@
local_flush_tlb();

if (!boot_cpu_data.wp_works_ok) {
- printk("No.\n");
+ printk("No (that's security hole).\n");
#ifdef CONFIG_X86_WP_WORKS_OK
panic("This kernel doesn't support CPU's with broken WP. Recompile it for a 386!");
#endif
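Review bot: the new string at the `+ printk` line is missing an article and labels the condition without telling the admin what it means; at minimum make it `"No (that's a security hole).\n"`, and better, state the consequence the cover text already gives ("not safe for multiuser systems"), e.g. `"No (kernel can write read-only user pages; not safe for multiuser systems).\n"`. Note also that the `#ifdef CONFIG_X86_WP_WORKS_OK` panic directly below already stops kernels built without the 386 workaround, so this message is only ever seen on kernels built for a 386 and should be worded for that case.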

Pavel
--
(about SSSCA) "I don't say this lightly. However, I really think that the U.S.
no longer is classifiable as a democracy, but rather as a plutocracy." --hpa


2002-04-03 22:25:30

by Brian Gerst

Subject: Re: Warn users about machines with non-working WP bit

Pavel Machek wrote:
>
> Hi!
>
> This might be a good idea, as those machines are not safe for multiuser
> systems.
>
> --- clean.2.5/arch/i386/mm/init.c Sun Mar 10 20:06:31 2002
> +++ linux/arch/i386/mm/init.c Mon Mar 11 21:49:14 2002
> @@ -383,7 +383,7 @@
> local_flush_tlb();
>
> if (!boot_cpu_data.wp_works_ok) {
> - printk("No.\n");
> + printk("No (that's security hole).\n");
> #ifdef CONFIG_X86_WP_WORKS_OK
> panic("This kernel doesn't support CPU's with broken WP. Recompile it for a 386!");
> #endif
>
> Pavel

The "bug" is really the lack of a feature present on 486+ CPUs. A 386
will allow the kernel to write to a write-protected user page (but not a
write-protected kernel page). In user mode, write protect works as it
should. The kernel works around this by doing extra checks when writing
to user pages (check the *_user() functions). It is not a security
hole, because if the kernel wasn't compiled with the workaround, it
refuses to boot on those CPUs.

--

Brian Gerst

2002-04-03 22:27:50

by Pavel Machek

Subject: Re: Warn users about machines with non-working WP bit

Hi!

> > This might be a good idea, as those machines are not safe for multiuser
> > systems.
> >
> > --- clean.2.5/arch/i386/mm/init.c Sun Mar 10 20:06:31 2002
> > +++ linux/arch/i386/mm/init.c Mon Mar 11 21:49:14 2002
> > @@ -383,7 +383,7 @@
> > local_flush_tlb();
> >
> > if (!boot_cpu_data.wp_works_ok) {
> > - printk("No.\n");
> > + printk("No (that's security hole).\n");
> > #ifdef CONFIG_X86_WP_WORKS_OK
> > panic("This kernel doesn't support CPU's with broken WP. Recompile it for a 386!");
> > #endif
> >
> > Pavel
>
> The "bug" is really the lack of a feature present on 486+ cpus. A 386
> will allow the kernel to write to a write-protected user page (but not a
> write-protected kernel page). In user mode, write protect works as it
> should. The kernel works around this by doing extra checks when writing
> to user pages (check the *_user() functions). It is not a security

It is, because those checks are racy when clone() is in use. Linus
stated that a few times.

Pavel
--
Casualties in World Trade Center: ~3k dead inside the building,
cryptography in U.S.A. and free speech in Czech Republic.
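The two positions in this thread (Brian: a 386 lets a supervisor-mode store ignore a read-only user page, so the *_user() functions check the page table in software first; Pavel: such a check is racy once a clone()d thread shares the address space) can be made concrete with a small model. The C below is an added example, not kernel code or anything from either poster: the toy page table, page size, return codes and the `interleave_fn` hook that stands in for a sibling thread running in the check-to-store window are all invented for the model.

```c
/* Toy model of the 386 write-protect gap and the check-then-store race.
 * Added example, not kernel code: the page table layout, toy page size,
 * return codes and the interleaving hook are all invented for the model. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NPAGES      4
#define PAGE_SIZE   16                    /* assumed toy page size */
#define TARGET_ADDR (2 * PAGE_SIZE)       /* first byte of page 2, a user page */
enum { RC_OK = 0, RC_EFAULT = -14 };

struct pte { bool present, writable, user; };

struct mm {
    struct pte    pt[NPAGES];
    unsigned char mem[NPAGES * PAGE_SIZE];
    bool          wp_works_ok;            /* true on 486+, false on a 386 */
};

/* Sibling thread sharing the mm (clone(CLONE_VM)); NULL means nothing interleaves. */
typedef void (*interleave_fn)(struct mm *);

/* Hardware model: supervisor-mode stores honour PTE.writable only if wp_works_ok. */
static int hw_store(struct mm *mm, size_t addr, unsigned char v, bool supervisor)
{
    size_t pg = addr / PAGE_SIZE;
    if (pg >= NPAGES || !mm->pt[pg].present || (!supervisor && !mm->pt[pg].user))
        return RC_EFAULT;
    if (!mm->pt[pg].writable && (!supervisor || mm->wp_works_ok))
        return RC_EFAULT;                 /* write protection enforced */
    mm->mem[addr] = v;
    return RC_OK;
}

/* Software workaround in the style of a checked put_user(): consult the page
 * table, let the sibling run, then store from kernel mode. */
static int put_user_checked(struct mm *mm, size_t addr, unsigned char v, interleave_fn other)
{
    size_t pg = addr / PAGE_SIZE;
    if (pg >= NPAGES || !mm->pt[pg].present || !mm->pt[pg].user || !mm->pt[pg].writable)
        return RC_EFAULT;                 /* check */
    if (other)
        other(mm);                        /* window */
    return hw_store(mm, addr, v, true);   /* use */
}

/* Sibling thread: mprotect(PROT_READ) on the target page. */
static void make_target_readonly(struct mm *mm)
{
    mm->pt[TARGET_ADDR / PAGE_SIZE].writable = false;
}

static void init_mm(struct mm *mm, bool wp_works_ok, bool target_writable)
{
    memset(mm, 0, sizeof *mm);
    mm->wp_works_ok = wp_works_ok;
    for (size_t i = 0; i < NPAGES; i++)
        mm->pt[i] = (struct pte){ .present = true, .writable = true, .user = true };
    mm->pt[0].user = false;               /* page 0 is a kernel page */
    mm->pt[TARGET_ADDR / PAGE_SIZE].writable = target_writable;
}

/* Brian's point: on a 386, kernel mode can write a read-only user page;
 * on a 486 the same store faults in hardware. */
int unchecked_store(bool wp_works_ok)
{
    struct mm mm;
    init_mm(&mm, wp_works_ok, false);
    return hw_store(&mm, TARGET_ADDR, 0x41, true);
}

/* The software check closes the gap for a single-threaded mm on a 386. */
int checked_store_on_386(void)
{
    struct mm mm;
    init_mm(&mm, false, false);
    return put_user_checked(&mm, TARGET_ADDR, 0x41, NULL);
}

/* Pavel's point: a sibling that flips the page read-only after the check but
 * before the store is not caught on a 386 (the byte lands anyway), while a
 * 486 fails safe because the hardware refuses the store. */
int raced_store(bool wp_works_ok)
{
    struct mm mm;
    init_mm(&mm, wp_works_ok, true);
    return put_user_checked(&mm, TARGET_ADDR, 0x41, make_target_readonly);
}

int main(void)
{
    printf("unchecked store, 386=%d 486=%d\n", unchecked_store(false), unchecked_store(true));
    printf("checked store, no race, 386=%d\n", checked_store_on_386());
    printf("checked store, raced, 386=%d 486=%d\n", raced_store(false), raced_store(true));
    return 0;
}
```

The model makes the disagreement precise: on a 486 the software check is only an early fail-safe and the hardware is the final arbiter, so a page that changes protection between check and store still faults; on a 386 the check is the only arbiter, so any window in which another thread sharing the mm can call mprotect() turns a correct-looking check into a kernel write to a read-only user page.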