Message-ID: <96199be6-6ae8-6caf-3940-11d8ffab481f@virtuozzo.com>
Date: Thu, 28 Jun 2018 17:11:46 +0300
From: Vasily Averin <vvs@...tuozzo.com>
To: Solar Designer <solar@...nwall.com>
Cc: owl-dev@...ts.openwall.com
Subject: Re: 32-bit syscall breakage in -431 kernel with KAISER

On 06/28/2018 04:16 PM, Solar Designer wrote:
> On Thu, Jun 28, 2018 at 04:08:29PM +0300, Vasily Averin wrote:
>> On 06/26/2018 10:13 PM, Solar Designer wrote:
>>> per my review of the full struct tss_struct, the stack[] field
>>> offset is:
>>>
>>> 4+8*5+4*2+2*2+1025*8+8 = 8264
>>
>> Alexander,
>> seems you're wrong
>>
>> in my version of rhel5-based -123.1 kernel
>>
>> crash> tss_struct -o
>> struct tss_struct {
>>      [0x0] u32 reserved1;
>>      [0x4] u64 rsp0;
>>      [0xc] u64 rsp1;
>>     [0x14] u64 rsp2;
>>     [0x1c] u64 reserved2;
>>     [0x24] u64 ist[7];
>>     [0x5c] u32 reserved3;
>>     [0x60] u32 reserved4;
>>     [0x64] u16 reserved5;
>>     [0x66] u16 io_bitmap_base;
>>     [0x68] unsigned long io_bitmap[1025];
>>   [0x2070] unsigned long stack_canary;
>>   [0x2078] unsigned long stack[64];
>> }
>> SIZE: 0x3000
>> crash> tss_struct -od
>> struct tss_struct {
>>       [0] u32 reserved1;
>>       [4] u64 rsp0;
>>      [12] u64 rsp1;
>>      [20] u64 rsp2;
>>      [28] u64 reserved2;
>>      [36] u64 ist[7];
>>      [92] u32 reserved3;
>>      [96] u32 reserved4;
>>     [100] u16 reserved5;
>>     [102] u16 io_bitmap_base;
>>     [104] unsigned long io_bitmap[1025];
>>    [8304] unsigned long stack_canary;
>>    [8312] unsigned long stack[64];
>> }
>> SIZE: 12288
>>
>> Seems you missed that 'ist' field is an array
> 
> Ah, yes, indeed.  But since it has an odd number of elements, this
> leaves stack[] just as unaligned.
> 
> Can you check your RHEL6-based kernels as well?

RHEL6-based kernels have the same definition of tss_struct.
It is widely used, but we did not observe similar troubles locally and had no such troubles from users.

On my test node I observe a strange exception right on boot of the 64-bit kernel,
it is not handled properly and writes 0 into EIP and it crashes the kernel.

So I'm going to troubleshoot qemu with gdb, hope it helps to find the reason for the trouble.

Thank you,
	Vasily Averin
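The offset arithmetic discussed above, as an added worked example that is not part of this thread and not the kernel's own code: a small C program reconstructing struct tss_struct from the crash(8) dump quoted in the thread and letting the compiler report the offsets. Assumptions (not stated in the thread): the kernel declares the struct packed, which is the only way u64 members land at 4-byte offsets such as rsp0 at 4, and page-aligned, which is what turns 8824 bytes of members into the reported SIZE of 0x3000; a 64-bit host with an 8-byte unsigned long. hand_stack_offset() is a hypothetical helper that redoes the thread's by-hand sum with ist[] counted as one element (giving the 8264 from the first post) or as seven (giving 8312), and tss_stack_misalignment() shows that the corrected offset is still 8 bytes off a 16-byte boundary, which is the point made in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;

/*
 * Layout reconstructed from the crash(8) output in the thread.  Assumption:
 * the kernel declares this struct packed (u64 fields really do sit at
 * 4-byte offsets such as rsp0 at 4) and page-aligned, which is what gives
 * the reported SIZE of 0x3000 = 12288 although the members only occupy
 * 8824 bytes.  A 64-bit host with an 8-byte unsigned long is assumed.
 */
struct tss_struct {
    u32 reserved1;
    u64 rsp0;
    u64 rsp1;
    u64 rsp2;
    u64 reserved2;
    u64 ist[7];               /* the array the first post counted as one u64 */
    u32 reserved3;
    u32 reserved4;
    u16 reserved5;
    u16 io_bitmap_base;
    unsigned long io_bitmap[1025];
    unsigned long stack_canary;
    unsigned long stack[64];
} __attribute__((packed, aligned(4096)));

/* Compile-time guard: a layout change shows up as a build error rather than
 * as a crash on boot. */
_Static_assert(offsetof(struct tss_struct, stack) == 8312,
               "tss_struct.stack offset drifted from the expected 8312");

/* Offsets the compiler actually uses, for comparison with crash's -od output. */
size_t tss_offset_ist(void)          { return offsetof(struct tss_struct, ist); }
size_t tss_offset_io_bitmap(void)    { return offsetof(struct tss_struct, io_bitmap); }
size_t tss_offset_stack_canary(void) { return offsetof(struct tss_struct, stack_canary); }
size_t tss_offset_stack(void)        { return offsetof(struct tss_struct, stack); }
size_t tss_size(void)                { return sizeof(struct tss_struct); }

/*
 * Hypothetical helper: the by-hand sum from the thread, parameterised on how
 * many ist[] elements are counted.  1 reproduces the 8264 of the first post,
 * 7 reproduces the 8312 that crash reports.
 */
size_t hand_stack_offset(unsigned ist_elements)
{
    return 4                 /* reserved1 */
         + 8 * 4             /* rsp0, rsp1, rsp2, reserved2 */
         + 8 * ist_elements  /* ist[] */
         + 4 * 2             /* reserved3, reserved4 */
         + 2 * 2             /* reserved5, io_bitmap_base */
         + 1025 * 8          /* io_bitmap[] */
         + 8;                /* stack_canary */
}

/* Distance of stack[] from the previous 16-byte boundary; 0 would mean aligned. */
unsigned tss_stack_misalignment(void)
{
    return (unsigned)(offsetof(struct tss_struct, stack) % 16);
}

int main(void)
{
    printf("ist=%zu io_bitmap=%zu stack_canary=%zu stack=%zu size=%zu\n",
           tss_offset_ist(), tss_offset_io_bitmap(), tss_offset_stack_canary(),
           tss_offset_stack(), tss_size());
    printf("hand count with ist as 1 element: %zu, as 7 elements: %zu\n",
           hand_stack_offset(1), hand_stack_offset(7));
    printf("stack[] offset mod 16 = %u\n", tss_stack_misalignment());
    return 0;
}
```

Build with gcc on a 64-bit host and compare the printed offsets against the crash "-od" listing; the _Static_assert is the form of this check worth keeping in a tree, since it fails at build time instead of at the first 32-bit syscall.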
