[EROS-Arch] EROS security bug

Charles Landau clandau@macslab.com
Tue, 13 Mar 2001 10:14:24 -0800


"Jonathan S. Shapiro" wrote:

> It shouldn't be continuing after the segment fault.

After the segment fault (with no segment keeper), if you continue from the
kernel debugger, the process (0x101, referencer.c) will call its process keeper.
The faulting process still has a good CS value at this point. The keeper
(0x104, driver.c) then writes a zero CS and does a send to the 0x101 process. I
believe the 0x101 process gets a GP fault at that time.

When I finish it, this test will check that memory references succeed when they
should succeed and fail when they should fail. So segment faulting will be a
normal occurrence for this test. I plan to change the test at
http://www.eros-os.org/eros-src/sys/kernel/kern_Segment.cxx#431 to go to the
debugger only if there is no segment keeper AND there is no process keeper. (I
love being able to point to specific lines in the code.)

> Is a different
> process getting the seg fault than the one that has the 0 CS value?

Same process, different times.

> Charles Landau wrote:
> >
> > "Jonathan S. Shapiro" wrote:
> >
> > > A segment selector of zero indicates a "null" segment, which is always a
> > > valid value but not usually a value that will allow the program to make
> > > progress. The bug was that the sa_IsKernel test wasn't checking for the
> > > zero value correctly, and therefore was dispatching the process on the
> > > "it's a kernel process" mis-theory.
> > >
> > > Your test case now generates a segment fault, which is puzzling, because
> > > it should probably generate a bad segment register value. I need to look
> > > into this further.
> >
> > The segment fault is correct; it's referencing a nonexistent address. If
> > you continue from there, the test case will write a null CS, and the
> > process (at OID 0x101) will get a GP fault. Whether that's the expected
> > behavior, I don't know.
> >
> > > Charles Landau wrote:
> > > >
> > > > I don't understand the x86 memory architecture and I'm not sure I want
> > > > to learn. Your fix continues to accept a zero CS, and apparently
> > > > that's OK. So there was only one bug.
> > > >
> >
> > _______________________________________________
> > eros-arch mailing list
> > eros-arch@mail.eros-os.org
> > http://www.eros-os.org/mailman/listinfo/eros-arch
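Added example (editor's illustration, not EROS code and not part of the
thread): how an x86 segment selector decodes, and why a test that looks only
at the RPL and TI bits accepts the null selector as a kernel segment. The
hypothetical is_kernel_selector_buggy() / is_kernel_selector() pair assumes
that "kernel" means a GDT selector with RPL 0; that is an assumption made for
this example, not the definition EROS uses in sa_IsKernel. The selector
layout itself (bits 0-1 RPL, bit 2 TI, bits 3-15 index; index 0 in the GDT is
the null selector, which faults with #GP when loaded into CS) is the documented
x86 behaviour.

```c
/* Added example, not EROS code: decoding an x86 segment selector and
 * checking for the null selector before deciding "is this kernel?".
 *
 * Selector layout: bits 0-1 RPL, bit 2 TI (0 = GDT, 1 = LDT), bits 3-15 index.
 * Index 0 in the GDT is the null selector (raw values 0..3). Its RPL and
 * index both read as 0, so a check that only tests RPL == 0 && TI == 0
 * classifies it as a kernel segment. Loading it into CS raises #GP.
 *
 * Assumption for this example (not EROS's definition): a "kernel" selector
 * is a non-null GDT selector with RPL 0.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum sel_class { SEL_NULL, SEL_KERNEL, SEL_USER, SEL_LDT };

static unsigned sel_rpl(uint16_t sel)   { return sel & 0x3u; }
static bool     sel_ti(uint16_t sel)    { return ((sel >> 2) & 1u) != 0; }
static unsigned sel_index(uint16_t sel) { return sel >> 3; }

/* Null selector: GDT, index 0 (any RPL). */
bool sel_is_null(uint16_t sel)
{
    return !sel_ti(sel) && sel_index(sel) == 0;
}

/* Buggy form: never asks whether the selector is null, so 0 passes. */
bool is_kernel_selector_buggy(uint16_t sel)
{
    return sel_rpl(sel) == 0 && !sel_ti(sel);
}

/* Fixed form: rule out the null selector first. */
bool is_kernel_selector(uint16_t sel)
{
    if (sel_is_null(sel))
        return false;
    return sel_rpl(sel) == 0 && !sel_ti(sel);
}

/* Full classification under the same assumption. */
enum sel_class classify_selector(uint16_t sel)
{
    if (sel_is_null(sel))
        return SEL_NULL;
    if (sel_ti(sel))
        return SEL_LDT;
    return sel_rpl(sel) == 0 ? SEL_KERNEL : SEL_USER;
}

static const char *class_name(enum sel_class c)
{
    switch (c) {
    case SEL_NULL:   return "null";
    case SEL_KERNEL: return "kernel (GDT, RPL 0)";
    case SEL_USER:   return "user (GDT, RPL != 0)";
    default:         return "LDT";
    }
}

int main(void)
{
    /* Constructed sample selectors: null CS as in the thread, a typical
     * kernel code selector (GDT index 1), a user code selector (GDT index 3,
     * RPL 3), and an LDT selector. */
    const uint16_t samples[] = { 0x0000, 0x0008, 0x001b, 0x000f };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t s = samples[i];
        printf("selector 0x%04x: rpl=%u ti=%d index=%u -> %s; "
               "buggy is_kernel=%d, fixed is_kernel=%d\n",
               s, sel_rpl(s), sel_ti(s), sel_index(s),
               class_name(classify_selector(s)),
               is_kernel_selector_buggy(s), is_kernel_selector(s));
    }
    return 0;
}
```

The point of the pair is the ordering: a dispatch path that asks "is this a
kernel process?" by looking at the selector's RPL must treat the null selector
as its own case first, because the null selector's RPL is 0 by construction.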