LKML Archive on lore.kernel.org
From: Ingo Molnar <mingo@elte.hu>
To: pageexec@freemail.hu
Cc: Sam Ravnborg <sam@ravnborg.org>,
	Arjan van de Ven <arjan@infradead.org>,
	linux-kernel@vger.kernel.org, torvalds@linux-foundation.org
Subject: Re: vmsplice exploits, stack protector and Makefiles
Date: Thu, 14 Feb 2008 08:30:03 +0100
Message-ID: <20080214073003.GA25699@elte.hu>
In-Reply-To: <20080214061648.GB31327@elte.hu>


* Ingo Molnar <mingo@elte.hu> wrote:

> > was removed from arch/x86/kernel/process_64.c:__switch_to? that's 
> > the only reason I can think of that would trigger this trace.
> 
> I hand-ported your fixes [the patch was whitespace damaged] so I'm 
> quite sure I got every bit of it - but find it below for reference. I 
> think the percpu changes in .25 might have interfered somewhere. Will 
> investigate.

OK, Arjan found the bug: it was that idle threads didn't have their 
canary set up right.

[ note that this is still not complete because the initial idle thread
  still has a zero canary. But it at least boots now. ]

	Ingo

------------------------->
Subject: x86: setup stack canary for the idle threads
From: Arjan van de Ven <arjan@linux.intel.com>

The idle threads for non-boot CPUs are a bit special in how they
are created; the result is that these don't have the stack canary
set up properly in their PDA. Easiest fix is to just always set
the PDA up correctly when entering the idle thread; this is a NOP
for the boot CPU.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
 arch/x86/kernel/process_64.c |    9 +++++++++
 1 file changed, 9 insertions(+)

Index: linux-x86.q/arch/x86/kernel/process_64.c
===================================================================
--- linux-x86.q.orig/arch/x86/kernel/process_64.c
+++ linux-x86.q/arch/x86/kernel/process_64.c
@@ -166,6 +166,15 @@ static inline void play_dead(void)
 void cpu_idle(void)
 {
 	current_thread_info()->status |= TS_POLLING;
+
+#ifdef CONFIG_CC_STACKPROTECTOR
+	/*
+	 * If we're the non-boot CPU, nothing set the PDA stack
+	 * canary up for us. This is as good a place as any for
+	 * doing that.
+	 */
+	write_pda(stack_canary, current->stack_canary);
+#endif
 	/* endless idle loop with no priority at all */
 	while (1) {
 		tick_nohz_stop_sched_tick();
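Review bot: the write_pda() inserted after the TS_POLLING line runs only after cpu_idle() itself has been entered, so if cpu_idle() is an instrumented function its prologue has already read whatever stale value the PDA held; that is harmless only because cpu_idle() never returns from its `while (1)` loop, and the new comment should say so explicitly, since any helper called before this write, or any frame pushed earlier on this idle stack, would be checked against the updated PDA value and trip the protector. Second, `write_pda(stack_canary, current->stack_canary)` copies whatever current->stack_canary holds, and the cover mail says the initial idle thread still has a zero canary, so the changelog's "this is a NOP for the boot cpu" overstates the result: the boot idle thread ends up with a zero canary in the PDA rather than a correct one. Either initialize the boot idle task's stack_canary before this point or state the remaining gap in the changelog.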
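To make the failure the thread is chasing concrete, here is an added model of the canary handoff the commit message describes: gcc's instrumentation reads the canary from a per-CPU slot (the PDA's stack_canary field on x86-64) in a function's prologue and compares against the same slot in the epilogue, while the kernel keeps a per-task copy that __switch_to() publishes into the PDA on every switch. The model is illustration written for this page, not kernel code; the struct names, the constructed canary values and the single-CPU simplification are all assumptions. It reproduces the pre-patch case (a frame pushed on a non-boot idle stack under a stale PDA canary, then checked after the idle thread has been switched out and back in), the patched case (write_pda at idle entry before any frame), and the residual gap from the cover mail (an idle task whose own stack_canary was never initialized publishes a zero).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-task copy of the canary (task_struct.stack_canary in the kernel). */
struct task {
    const char *name;
    uint64_t stack_canary;
};

/* The per-CPU slot the compiler's instrumentation reads (PDA stack_canary). */
struct pda {
    uint64_t stack_canary;
};

static struct pda cpu_pda;  /* one CPU is enough for this model */

/* Model of __switch_to(): publish the incoming task's canary to the PDA. */
static void switch_to(const struct task *next)
{
    cpu_pda.stack_canary = next->stack_canary;
}

/* Model of one instrumented function frame: the prologue copies the PDA
 * canary into the frame, the epilogue compares the copy against the PDA. */
struct frame {
    uint64_t saved_canary;
};

static void prologue(struct frame *f)
{
    f->saved_canary = cpu_pda.stack_canary;
}

static bool epilogue(const struct frame *f)
{
    return f->saved_canary == cpu_pda.stack_canary;
}

/* Constructed scenario: a non-boot CPU's idle thread starts running without
 * ever having gone through __switch_to(), so the PDA still holds a stale
 * value (0 here). It pushes a frame, schedules another task, is switched back
 * in, and the frame then returns. With set_canary_at_idle_entry == true the
 * model applies the patch's write_pda(stack_canary, current->stack_canary)
 * before the frame is pushed. Returns whether the frame's canary check passes. */
static bool idle_frame_survives_switch(bool set_canary_at_idle_entry)
{
    const struct task idle   = { "idle/1", 0x1234567890abcdefULL };  /* constructed values */
    const struct task worker = { "worker", 0x0fedcba987654321ULL };
    struct frame f;

    cpu_pda.stack_canary = 0;                        /* nothing set it up for this idle thread */
    if (set_canary_at_idle_entry)
        cpu_pda.stack_canary = idle.stack_canary;    /* the patch's write_pda() at cpu_idle() entry */

    prologue(&f);          /* a frame established on the idle thread's stack */
    switch_to(&worker);    /* the idle loop schedules away ... */
    switch_to(&idle);      /* ... and __switch_to() restores idle's own canary */
    return epilogue(&f);   /* unwinding that frame now re-checks against the PDA */
}

/* The gap the cover mail describes: if the idle task's own stack_canary was
 * never initialized, write_pda() copies a zero, so the check passes but the
 * canary protects nothing. Returns whether the PDA holds a nonzero canary. */
static bool idle_canary_is_usable(uint64_t task_stack_canary)
{
    const struct task idle = { "idle/0", task_stack_canary };
    cpu_pda.stack_canary = idle.stack_canary;   /* write_pda(stack_canary, current->stack_canary) */
    return cpu_pda.stack_canary != 0;
}

int main(void)
{
    printf("pre-patch idle frame check: %s\n", idle_frame_survives_switch(false) ? "pass" : "FAIL");
    printf("patched   idle frame check: %s\n", idle_frame_survives_switch(true) ? "pass" : "FAIL");
    printf("boot idle with zero task canary usable: %s\n", idle_canary_is_usable(0) ? "yes" : "no");
    return 0;
}
```

The pre-patch run fails its epilogue check because the frame captured the stale value while __switch_to() later published the idle task's real canary underneath it, which is the mismatch that produces a stack-protector panic; the patched run passes because the PDA already matched the task before the frame existed. The third case is why the cover mail calls the patch incomplete: a zero task canary is published faithfully and checks cleanly, but offers no detection.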
