DR6 isn't cleared. Here is a nice security exploit for you:
- Task A sets DR0 and DR7 to enable a watchpoint (or breakpoint).
- It also clears DR6.
- Task A wakes up task B, which has DR7 clear.
- Task A then communicates with "sshd" or some other sensitive task.
- Because of lazy DR7 clearing, sshd inherits the watchpoints.
- If sshd reads the memory address mentioned in DR0, it will
call do_debug in the kernel, which clears DR7 and continues.
- However, DR6 bit B0 is now set.
- Eventually task B is scheduled. It inherits the value of DR6
from sshd, and therefore knows if sshd read from a particular
memory location.
- Task A and task B cooperate to analyse what values sshd is
examining in its lookup tables, and therefore retrieve the
server key or something. (Hand waving at this point).
-- Jamie
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
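The sequence Jamie lists above, as a small C model added here (this is not code from the mail or from the kernel). The DR6/DR7 bit positions are the architectural ones from the Intel SDM; everything else is a constructed stand-in: `struct cpu` is the hardware register file, `switch_to` does the lazy DR7 handling the mail describes, `handle_debug_trap` plays the role of do_debug, and `0x7f000000` is an assumed address of a table entry in sshd. The `fixed` flag turns on the one change the mail asks for, clearing DR6 when switching tasks, so the two runs can be compared.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bit positions (Intel SDM vol. 3, "Debug Registers").
 * DR7: L0 = bit 0 enables breakpoint 0; RW0 = bits 16-17; LEN0 = bits 18-19.
 * DR6: B0..B3 = bits 0-3 are set by the CPU to report which breakpoint fired. */
#define DR7_L0          (1ULL << 0)
#define DR7_RW0_SHIFT   16
#define DR7_LEN0_SHIFT  18
#define DR7_RW_DATA_RW  3ULL    /* break on data reads or writes */
#define DR7_LEN_4BYTES  3ULL
#define DR6_B0          (1ULL << 0)

/* Constructed model, not kernel structures: hardware registers and per-task copies. */
struct cpu  { uint64_t dr0, dr6, dr7; };
struct task { const char *name; uint64_t dr0, dr6, dr7; };

/* DR7 value task A writes to watch 4 bytes at DR0 for read or write. */
uint64_t dr7_watch0(void)
{
    return DR7_L0 | (DR7_RW_DATA_RW << DR7_RW0_SHIFT) | (DR7_LEN_4BYTES << DR7_LEN0_SHIFT);
}

/* Which breakpoint DR6 reports: 0..3, or -1 if none of B0..B3 is set. */
int dr6_hit_index(uint64_t dr6)
{
    for (int i = 0; i < 4; i++)
        if (dr6 & (1ULL << i))
            return i;
    return -1;
}

/* Stand-in for do_debug as the mail describes it: clear DR7 so the trapped
 * task can continue.  DR6 is left exactly as the CPU set it. */
static void handle_debug_trap(struct cpu *cpu)
{
    cpu->dr7 = 0;
}

/* A data access by the running task; breakpoint 0 fires when armed on addr. */
static void mem_access(struct cpu *cpu, uint64_t addr)
{
    if ((cpu->dr7 & DR7_L0) && cpu->dr0 == addr) {
        cpu->dr6 |= DR6_B0;      /* CPU sets B0, then raises #DB */
        handle_debug_trap(cpu);
    }
}

/* Lazy switch: DR0/DR7 are reloaded only for an incoming task that uses them,
 * so a task with DR7 == 0 runs with whatever the previous task left armed.
 * With fixed == true the status register is saved for prev and cleared, so
 * no DR6 bit survives into the next task. */
static void switch_to(struct cpu *cpu, struct task *prev, struct task *next, bool fixed)
{
    if (next->dr7) {
        cpu->dr0 = next->dr0;
        cpu->dr7 = next->dr7;
    }
    if (fixed) {
        prev->dr6 = cpu->dr6;
        cpu->dr6 = 0;
    }
}

/* Runs the mail's steps and returns whether task B ends up seeing B0, i.e.
 * whether B learns that sshd touched the watched address. */
bool run_scenario(bool fixed, bool sshd_touches)
{
    struct cpu cpu = {0, 0, 0};
    struct task a = {"A", 0, 0, 0}, b = {"B", 0, 0, 0}, sshd = {"sshd", 0, 0, 0};
    const uint64_t watched = 0x7f000000ULL;   /* assumed table entry in sshd */

    /* Task A arms DR0/DR7 and clears DR6. */
    a.dr0 = watched; a.dr7 = dr7_watch0(); a.dr6 = 0;
    cpu.dr0 = a.dr0; cpu.dr7 = a.dr7; cpu.dr6 = 0;

    switch_to(&cpu, &a, &sshd, fixed);      /* sshd has DR7 clear: inherits A's watchpoint */
    if (sshd_touches)
        mem_access(&cpu, watched);          /* #DB: DR7 cleared, B0 now set in DR6 */
    switch_to(&cpu, &sshd, &b, fixed);      /* B has DR7 clear: inherits DR6 */
    return (cpu.dr6 & DR6_B0) != 0;
}

int main(void)
{
    printf("lazy DR7, DR6 not cleared, sshd reads table: B sees B0 = %d\n", run_scenario(false, true));
    printf("lazy DR7, DR6 not cleared, sshd idle:        B sees B0 = %d\n", run_scenario(false, false));
    printf("lazy DR7, DR6 cleared on switch, sshd reads: B sees B0 = %d\n", run_scenario(true, true));
    return 0;
}
```

The two buggy runs differ only in whether sshd touched the watched address, which is exactly the one bit per watchpoint that A and B collect; clearing DR6 at the switch makes both runs indistinguishable to B while sshd still takes the spurious trap.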