![[LWN Logo]](/images/lwn.banner.gif)
Date: Mon, 8 Feb 1999 08:24:41 -0800
From: David Miller <davem@twiddle.net>
To: weejock@ferret.lmh.ox.ac.uk
Subject: Re: ioctl implementation on UltraPenguin?
Date: Mon, 8 Feb 1999 16:04:07 +0000 (GMT)
From: Matthew Kirkwood <weejock@ferret.lmh.ox.ac.uk>
Could you remind me of the bug details, please?
Ask Sun, the refuse to give me details without signing a
non-disclosure agreement, and I cannot write an acceptable workaround
in the kernel without giving away the details (and thus breaking such
an NDA).
Sun's solution is to disable 64-bit user binary execution on the cpus
which have the hw bugs, and I don't want to do that. But until I
reverse-engineer exactly what the bug is that you can trip from
userland in 64-bit mode, I have to accept the same fix...
Actually, there are two hardware bugs, I've figured out a little bit
about one of them:
1) In 64-bit mode
2) If you allow instructions to execute in the low or
high 2GB of the address space.
3) The instruction sequence is something like:
XXX
call . +/- some_huge_constant
YYY
Where XXX and/or YYY make a memory reference into
the VA hole in the 64-bit address space (which should
trap) and the call displacement causes the 64-bit PC to
{under,over}flow, the cpu stops.
I believe the other hw bug which I know very little about also has
something to do with memory accesses to the VA hole.
If you're concerned, simply turn off CONFIG_BINFMT_ELF in the sparc64
kernel configuration, and you are not vulnerable. This will be the
least of your problems wrt. existing UltraPenguin CDROMs out there, as
you can easily scan the linux-kernel list for vulnerabilities only
fixed in the last week or so, and thus the CDROM kernels are
subsceptable to.
(what I'm trying to say is, this isn't a "burn the CDROMs, oh my
goodness!" issue, the 64-bit userland bug, because so there are so
many other exploits possible which are not even sparc specific)
Later,
David S. Miller
davem@redhat.com
-
To unsubscribe from this list: send the line "unsubscribe sparclinux" in
the body of the message to majordomo@vger.rutgers.edu