search for: sysret

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-12:04.sysret Security Advisory The FreeBSD Project Topic: Privilege escalation when returning from kernel Category: core Module: sys_amd64 Announced: 2012-06-12 Credits: Rafal Wojtc...

Hi, I''m trying to use the SYSCALL/SYSRET opcodes with a minios kernel without much success. Going by the manuals (and linux sources) I first have to setup the STAR and LSTAR registers to define the segment and instruction pointer to be used for SYSCALL: /* * LSTAR and STAR live in a bit strange symbiosis. * They both...

Hi, This was the commit of SA-12:04.sysret to RELENG_7_4, which makes sense to me: http://svnweb.freebsd.org/base/releng/7.4/sys/amd64/amd64/trap.c?r1=216618&r2=236953 But when it was applied to RELENG_8_1, it looks wrong, as if it was applied in the wrong place. The indentation is broken, and the code inserted looks like it wouldn...

...rog) cat(st1, file = tmpProg, append = TRUE) cat(st2, file = tmpProg, append = TRUE) cat(st3, file = tmpProg, append = TRUE) cat(st4, file = tmpProg, append = TRUE) if(.Platform$OS.type == "windows") sascmd <- paste(shQuote(sascmd), "-sysin") sasrun <- try(sysret <- system(paste(sascmd, tmpProg))) if(!inherits(sasrun, "try-error") & sysret == 0){ unlink(tmpProg) unlink(tmpProgLog) if(length(sectionnames) == 1) return(foreign::read.xport(tmpXport)) else { zz <- read.xport(tmpXport) names(zz) <- sn re...

...t we don't need to fix >>> up the stack and instead follow entry_SYSENTER_32's IRET path directly >>> to xen_iret. >>> >>> We can do the same thing for compat mode even though stack does not need >>> to be fixed. This will allow us to drop usergs_sysret32 paravirt op (in >>> the subsequent patch) >> >> Looks generally quite nice. Minor comments below: >> >>> --- a/arch/x86/entry/entry_32.S >>> +++ b/arch/x86/entry/entry_32.S >>> @@ -308,7 +308,8 @@ sysenter_past_esp: >>> >>>...

...iret from xen_sysexit we don't need to fix >> up the stack and instead follow entry_SYSENTER_32's IRET path directly >> to xen_iret. >> >> We can do the same thing for compat mode even though stack does not need >> to be fixed. This will allow us to drop usergs_sysret32 paravirt op (in >> the subsequent patch) > > Looks generally quite nice. Minor comments below: > >> --- a/arch/x86/entry/entry_32.S >> +++ b/arch/x86/entry/entry_32.S >> @@ -308,7 +308,8 @@ sysenter_past_esp: >> >> movl %esp, %eax >>...

...end up calling xen_iret from xen_sysexit we don't need to fix > up the stack and instead follow entry_SYSENTER_32's IRET path directly > to xen_iret. > > We can do the same thing for compat mode even though stack does not need > to be fixed. This will allow us to drop usergs_sysret32 paravirt op (in > the subsequent patch) Looks generally quite nice. Minor comments below: > --- a/arch/x86/entry/entry_32.S > +++ b/arch/x86/entry/entry_32.S > @@ -308,7 +308,8 @@ sysenter_past_esp: > > movl %esp, %eax > call do_fast_syscall_32 > -...

...end up calling xen_iret from xen_sysexit we don't need to fix > up the stack and instead follow entry_SYSENTER_32's IRET path directly > to xen_iret. > > We can do the same thing for compat mode even though stack does not need > to be fixed. This will allow us to drop usergs_sysret32 paravirt op (in > the subsequent patch) Looks generally quite nice. Minor comments below: > --- a/arch/x86/entry/entry_32.S > +++ b/arch/x86/entry/entry_32.S > @@ -308,7 +308,8 @@ sysenter_past_esp: > > movl %esp, %eax > call do_fast_syscall_32 > -...

Hello, I am studing Xen hypercall now. I found that hypercall is invoked via hypercall_page, which is only filled with (in no-hypervisor-kernel-mode ): mov $i, %eax int $0x82 ret Why not invoked the hypercall directly by "int $0x82" ? What''s the advantage of using hypercall_page? Thanks, Wu _______________________________________________ Xen-devel mailing list

...ehaviour of the kexec_crash path is: nmi_shootdown_cpus() will: * Disable the crashing cpus NMI/MCE interrupt stack tables. Disabling the stack tables removes race conditions which would lead to corrupt exception frames and infinite loops. As this pcpu is never planning to execute a sysret back to a pv vcpu, the update is safe from a security point of view. * Swap the NMI trap handlers. The crashing pcpu gets the nop handler, to prevent it getting stuck in an NMI context, causing a hang instead of crash. The non-crashing pcpus all get the nmi_crash handler which is...

Hello, we are using 3.4.3 from Gitco.de on 64bit Centos 5.8 and we have PV guests 64bit. According to described security bug we are in danger. What do you suggest? Wait for gitco update or build xen own with patch? Br Peter

Hello, While working on a fix for the rare-but-possible problem of reentrant NMIs and MCEs, I have discovered that it is sadly possible to generate fake NMIs and MCEs which will run the relevant handlers on the relevant stacks, without invoking any of the other CPU logic for these special interrupts. A fake NMI can be generated by a processor in PIC mode as opposed to Virtual wire mode, with a

...truct, ist)); BLANK(); DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx)); + +#ifdef CONFIG_PARAVIRT +#define ENTRY(entry) DEFINE(PARAVIRT_ ## entry, offsetof(struct paravirt_ops, entry)) + BLANK(); + ENTRY(paravirt_enabled); + ENTRY(irq_disable); + ENTRY(irq_enable); + ENTRY(sysret); + ENTRY(iret); + ENTRY(read_cr2); + ENTRY(swapgs); +#endif return 0; } --

...truct, ist)); BLANK(); DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx)); + +#ifdef CONFIG_PARAVIRT +#define ENTRY(entry) DEFINE(PARAVIRT_ ## entry, offsetof(struct paravirt_ops, entry)) + BLANK(); + ENTRY(paravirt_enabled); + ENTRY(irq_disable); + ENTRY(irq_enable); + ENTRY(sysret); + ENTRY(iret); + ENTRY(read_cr2); + ENTRY(swapgs); +#endif return 0; } --

The first patch fixes Xen PV regression introduced by 32-bit rewrite. Unlike the earlier version it uses ALTERNATIVE instruction and avoids using xen_sysexit (and sysret32 in compat mode) pv ops, as suggested by Andy. (I ended up patching TEST with XOR to avoid extra NOPs, even though I said yesterday it would be wrong. It's not wrong) As result of this patch irq_enable_sysexit and usergs_sysret32 pv ops are not used anymore by anyone and so can be removed. B...

The first patch fixes Xen PV regression introduced by 32-bit rewrite. Unlike the earlier version it uses ALTERNATIVE instruction and avoids using xen_sysexit (and sysret32 in compat mode) pv ops, as suggested by Andy. (I ended up patching TEST with XOR to avoid extra NOPs, even though I said yesterday it would be wrong. It's not wrong) As result of this patch irq_enable_sysexit and usergs_sysret32 pv ops are not used anymore by anyone and so can be removed. B...

...not pt_regs). Since we end up calling xen_iret from xen_sysexit we don't need to fix up the stack and instead follow entry_SYSENTER_32's IRET path directly to xen_iret. We can do the same thing for compat mode even though stack does not need to be fixed. This will allow us to drop usergs_sysret32 paravirt op (in the subsequent patch) Signed-off-by: Boris Ostrovsky <boris.ostrovsky at oracle.com> Suggested-by: Andy Lutomirski <luto at amacapital.net> --- arch/x86/entry/entry_32.S | 3 ++- arch/x86/entry/entry_64_compat.S | 6 ++++-- arch/x86/include/asm/cpufeature.h...

The first patch fixes Xen PV regression introduced by 32-bit rewrite. Unlike the earlier version it uses ALTERNATIVE instruction and avoids using xen_sysexit (and sysret32 in compat mode) pv ops, as suggested by Andy. As result of this patch irq_enable_sysexit and usergs_sysret32 pv ops are not used anymore by anyone and so can be removed. v2: * patch both TEST and JZ intructions with a single JMP * Add magic prefix to X86_FEATURE_XENPV comment to avoid havi...

The first patch fixes Xen PV regression introduced by 32-bit rewrite. Unlike the earlier version it uses ALTERNATIVE instruction and avoids using xen_sysexit (and sysret32 in compat mode) pv ops, as suggested by Andy. As result of this patch irq_enable_sysexit and usergs_sysret32 pv ops are not used anymore by anyone and so can be removed. v2: * patch both TEST and JZ intructions with a single JMP * Add magic prefix to X86_FEATURE_XENPV comment to avoid havi...

...86_64/kernel/asm-offsets.c 2007-01-11 21:56:03.000000000 -0200 +++ linux-2.6.19-paravirt1/arch/x86_64/kernel/asm-offsets.c 2007-01-11 09:46:44.000000000 -0200 @@ -79,9 +79,10 @@ int main(void) ENTRY(paravirt_enabled); ENTRY(irq_disable); ENTRY(irq_enable); - ENTRY(irq_enable_sysexit); + ENTRY(sysret); ENTRY(iret); - ENTRY(read_cr0); + ENTRY(read_cr2); + ENTRY(swapgs); #endif return 0; diff -urp linux-2.6.19-paravirt0/arch/x86_64/kernel/entry.S linux-2.6.19-paravirt1/arch/x86_64/kernel/entry.S --- linux-2.6.19-paravirt0/arch/x86_64/kernel/entry.S 2007-01-11 21:56:03.000000000 -0200 +++ l...