From: Stefan Liebler
Subject: Re: [PATCH 2/4] S390: Use own tbegin macro instead of __builtin_tbegin.
To: libc-alpha@sourceware.org
Date: Tue, 17 Jan 2017 16:28:25 +0100

On 01/12/2017 04:45 PM, Florian Weimer wrote:
> On 01/10/2017 05:34 PM, Torvald Riegel wrote:
>
>> (2) This introduces a facility to probe memory for being accessible or
>> not, considering that you say it masks segfaults. It seems that this
>> probing may not be visible to the same extent as possible if a signal
>> handler were installed. Is this relevant from a security perspective?
>
> If the fallback implementation has essentially the same behavior, I
> don't think there is a transaction-specific security problem.
>
> One thing to check is if anything in the transaction memory code writes
> unprotected function pointers/code addresses to memory. I'm not
> familiar with z Systems machine code, so I don't know if that's the case.
>
> For example, it would be problematic to store the address of the
> transaction abort handler in a TLS variable.

The first tbegin instruction starts transactional execution mode.
Then the Transaction-Abort PSW is set to the instruction after the tbegin instruction. If this transaction or multiple nested transactions are aborted, the instruction in Transaction-Abort PSW (after the outermost tbegin) is executed and the condition code set to 1-3. The code behind tbegin has to determine what to do next. There is no instruction to extract Transaction-Abort PSW.

>
>>> + /* Begin transaction: save all gprs, allow \ >>> + ar modification and fp operations. Some \ >>> + program-interruptions (e.g. a null \ >>> + pointer access) are filtered and the \ >>> + trancsaction will abort. In this case \
>
> Typo: “transaction”

okay.

>
> Thanks,
> Florian
>

I've attached the diff here and will later make one patch with changelog for this and the other two patches.

diff --git a/sysdeps/unix/sysv/linux/s390/htm.h b/sysdeps/unix/sysv/linux/s390/htm.h index 32d5a88..af7144f 100644 --- a/sysdeps/unix/sysv/linux/s390/htm.h +++ b/sysdeps/unix/sysv/linux/s390/htm.h @@ -119,7 +119,7 @@ ar modification and fp operations. Some \ program-interruptions (e.g. a null \ pointer access) are filtered and the \ - trancsaction will abort. In this case \ + transaction will abort. In this case \ the normal lock path will execute it \ again and result in a core dump wich does \ now show at tbegin but the real executed \
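Review bot: the trailing context lines of this hunk in sysdeps/unix/sysv/linux/s390/htm.h still contain a spelling error in the same comment: "wich" in "result in a core dump wich does" should be "which". The following "does \ now show at tbegin" also reads as if "not" was intended, which would change the meaning of the sentence, so it is worth confirming and correcting. Since this comment is the only place that documents that filtered program interruptions abort the transaction and that the fault surfaces on the normal lock path, please fix both in the same change so the description of where the core dump points is unambiguous.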