On 25 Apr 2017 at 12:23, Peter Zijlstra wrote:

> So what avoids this:

simple, you noted it yourself in your previous mail:

> Well, your setup (panic_on_warn et al) would have it panic the box. That
> will effectively stop the exploit by virtue of stopping everything.

with that in mind the actual code looks like this:

>       CPU0                            CPU1
>
>
>       lock inc %[val]; # 0x7fffffff
>       jo  2f
>1:     ...
>
>                                       lock dec %[val]; # 0x80000000
>                                       jo  2f
>                               1:      ...
>
>
>
>
>2:     mov $0x7fffffff, %[val]

        panic()

>       jmp 1b
>
>                               2:      mov $0x80000000, %[val]

                                        panic()

>                                       jmp 1b
>

... and we never get this far.
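
An added example, not code from this thread: a single-threaded C replay of the interleaving quoted above, comparing an overflow handler that only stores the saturation value with one that stores it and then panics. The names `step`, `handler`, `replay` and the policy enum are assumptions of this sketch, and `__builtin_add_overflow` (GCC/Clang) stands in for the `jo` check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

enum policy { SATURATE_ONLY, SATURATE_AND_PANIC };   /* hypothetical names */

struct outcome { int val; int handlers_run; bool halted; };

/* Models `lock inc` / `lock dec` followed by `jo`: store the wrapped
 * result and report whether the signed-overflow flag would be set. */
static bool step(int *val, int delta)
{
    return __builtin_add_overflow(*val, delta, val);
}

/* Overflow handler at label 2: store the saturation value, then either
 * halt the machine (panic) or fall through to `jmp 1b`. */
static bool handler(struct outcome *o, int sat, enum policy p)
{
    o->val = sat;
    o->handlers_run++;
    o->halted = (p == SATURATE_AND_PANIC);
    return o->halted;
}

/* Replays the quoted order: CPU0 inc, CPU1 dec, CPU0 handler, CPU1 handler. */
static struct outcome replay(enum policy p)
{
    struct outcome o = { INT_MAX, 0, false };
    bool of0 = step(&o.val, +1);   /* CPU0: 0x7fffffff -> 0x80000000, OF set */
    bool of1 = step(&o.val, -1);   /* CPU1: 0x80000000 -> 0x7fffffff, OF set */

    if (of0 && handler(&o, INT_MAX, p))
        return o;                  /* panic: nothing after this point executes */
    if (of1)
        handler(&o, INT_MIN, p);   /* only reached when the handler does not panic */
    return o;
}

int main(void)
{
    struct outcome a = replay(SATURATE_ONLY), b = replay(SATURATE_AND_PANIC);
    printf("saturate only: val=%#x handlers=%d halted=%d\n",
           (unsigned)a.val, a.handlers_run, a.halted);
    printf("with panic   : val=%#x handlers=%d halted=%d\n",
           (unsigned)b.val, b.handlers_run, b.halted);
    return 0;
}
```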
