--=_courier-4428-1042142380-0001-2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
This patch, which depends on the previous %ebx -> %ebp patch, removes
all pop instruction in the sysenter return path.
This leaks the thread_info address to user mode but this shouldn't be
a security problem.
This is what happens to the various registers:
%eax: return value from system call: already in place
%ebx, %esi, %edi: saved by the C compiler
%ecx, %edx, %ebp: restored by user mode
%esp, eip: copied to %ecx/%edx and restored by sysexit
%ds, %es: initialized to __USER_DS on kernel entry
%cs, %ss: restored by sysexit based on msr
%fs, %gs: not modified by the kernel (saved around context switch)
eflags: not preserved
FP, XMM: any code that modifies them must save/restore them
Note that while it is possible to change %ebx, %esi, %edi, %ecx, %edx
or %ebp via struct pt_regs, anything that does should set TIF_IRET or
another work flag (and it hopefully already does).
diff --exclude-from=3D/home/ldb/src/exclude -urNdp linux-2.5.54-preldb/arch=
/i386/kernel/entry.S linux-2.5.54-ldb/arch/i386/kernel/entry.S
--- linux-2.5.54-preldb/arch/i386/kernel/entry.S 2003-01-06 16:01:40.000000=
000 +0100
+++ linux-2.5.54-ldb/arch/i386/kernel/entry.S 2003-01-06 04:54:58.000000000=
+0100
@@ -276,9 +276,9 @@ ENTRY(sysenter_entry)
movl TI_FLAGS(%ebp), %ecx
testw $_TIF_ALLWORK_MASK, %cx
jne syscall_exit_work
- RESTORE_INT_REGS
- movl 12(%esp),%edx
- movl 24(%esp),%ecx
+/* if something modifies registers it must also disable sysexit */
+ movl EIP(%esp), %edx
+ movl OLDESP(%esp), %ecx
sti
sysexit
=20
--=_courier-4428-1042142380-0001-2
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+HdLDdjkty3ft5+cRApFIAJ47GGBVI2BoZbfHIABVIN/o9x73NQCglCbw
cXNd2muhYYvFTxmYC6S8RNE=
=Gh/n
-----END PGP SIGNATURE-----
--=_courier-4428-1042142380-0001-2--