| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Apr 2017 19:04:20 -0700
From: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To: Borislav Petkov <bp@...e.de>
Cc: Ingo Molnar <mingo@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
"H. Peter Anvin" <hpa@...or.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Brian Gerst <brgerst@...il.com>,
Chris Metcalf <cmetcalf@...lanox.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Masami Hiramatsu <mhiramat@...nel.org>,
Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
Jonathan Corbet <corbet@....net>,
"Michael S. Tsirkin" <mst@...hat.com>,
Paul Gortmaker <paul.gortmaker@...driver.com>,
Vlastimil Babka <vbabka@...e.cz>,
Chen Yucong <slaoub@...il.com>,
Alexandre Julliard <julliard@...ehq.org>,
Stas Sergeev <stsp@...t.ru>, Fenghua Yu <fenghua.yu@...el.com>,
"Ravi V. Shankar" <ravi.v.shankar@...el.com>,
Shuah Khan <shuah@...nel.org>, linux-kernel@...r.kernel.org,
x86@...nel.org, linux-msdos@...r.kernel.org, wine-devel@...ehq.org,
Adam Buchbinder <adam.buchbinder@...il.com>,
Colin Ian King <colin.king@...onical.com>,
Lorenzo Stoakes <lstoakes@...il.com>,
Qiaowei Ren <qiaowei.ren@...el.com>,
Nathan Howard <liverlint@...il.com>,
Adan Hawthorn <adanhawthorn@...il.com>,
Joe Perches <joe@...ches.com>
Subject: Re: [v6 PATCH 03/21] x86/mpx: Do not use R/EBP as base in the SIB
byte with Mod = 0
On Wed, 2017-04-12 at 00:08 +0200, Borislav Petkov wrote:
> On Tue, Mar 07, 2017 at 04:32:36PM -0800, Ricardo Neri wrote:
> > Section 2.2.1.2 of the Intel 64 and IA-32 Architectures Software
> > Developer's Manual volume 2A states that when a SIB byte is used and the
> > base of the SIB byte points to R/EBP (i.e., base = 5) and the mod part
> > of the ModRM byte is zero, the value of such register will not be used
> > as part of the address computation. To signal this, a -EDOM error is
> > returned to indicate callers that they should ignore the value.
> >
> > Also, for this particular case, a displacement of 32-bits should follow
> > the SIB byte if the mod part of ModRM is equal to zero. The instruction
> > decoder ensures that this is the case.
> >
> > Cc: Dave Hansen <dave.hansen@...ux.intel.com>
> > Cc: Adam Buchbinder <adam.buchbinder@...il.com>
> > Cc: Colin Ian King <colin.king@...onical.com>
> > Cc: Lorenzo Stoakes <lstoakes@...il.com>
> > Cc: Qiaowei Ren <qiaowei.ren@...el.com>
> > Cc: Peter Zijlstra <peterz@...radead.org>
> > Cc: Nathan Howard <liverlint@...il.com>
> > Cc: Adan Hawthorn <adanhawthorn@...il.com>
> > Cc: Joe Perches <joe@...ches.com>
> > Cc: Ravi V. Shankar <ravi.v.shankar@...el.com>
> > Cc: x86@...nel.org
> > Signed-off-by: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
> > ---
> > arch/x86/mm/mpx.c | 29 ++++++++++++++++++++++-------
> > 1 file changed, 22 insertions(+), 7 deletions(-)
> >
> > diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
> > index d9e92d6..ef7eb67 100644
> > --- a/arch/x86/mm/mpx.c
> > +++ b/arch/x86/mm/mpx.c
> > @@ -121,6 +121,17 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
> >
> > case REG_TYPE_BASE:
> > regno = X86_SIB_BASE(insn->sib.value);
> > + /*
> > + * If mod is 0 and register R/EBP (regno=5) is indicated in the
> > + * base part of the SIB byte,
>
> you can simply say here: "if SIB.base == 5, the base of the
> register-indirect addressing is 0."
This is better wording. I will change it.
>
> > the value of such register should
> > + * not be used in the address computation. Also, a 32-bit
>
> Not "Also" but "In this case, a 32-bit displacement..."
Will change.
>
> > + * displacement is expected in this case; the instruction
> > + * decoder takes care of it. This is true for both R13 and
> > + * R/EBP as REX.B will not be decoded.
>
> You don't need that sentence as the only thing that matters is ModRM.mod
> being 0.
For the specific case of ModRM.mod being 0, I feel I need to clarify
that REX.B is not decoded and if SIB.base is %r13 the base is also 0.
This comment adds clarity because REX.X is decoded when determining
SIB.index.
>
> > + */
> > + if (regno == 5 && X86_MODRM_MOD(insn->modrm.value) == 0)
>
> The 0 test we normally do with the ! (also flip parts of if-condition):
>
> if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)
Will change it.
>
> > + return -EDOM;
> > +
> > if (X86_REX_B(insn->rex_prefix.value))
> > regno += 8;
> > break;
> > @@ -161,16 +172,21 @@ static void __user *mpx_get_addr_ref(struct insn *insn, struct pt_regs *regs)
> > eff_addr = regs_get_register(regs, addr_offset);
> > } else {
> > if (insn->sib.nbytes) {
> > + /*
> > + * Negative values in the base and index offset means
> > + * an error when decoding the SIB byte. Except -EDOM,
> > + * which means that the registers should not be used
> > + * in the address computation.
> > + */
> > base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
> > - if (base_offset < 0)
> > + if (unlikely(base_offset == -EDOM))
> > + base = 0;
> > + else if (unlikely(base_offset < 0))
>
> Bah, unlikely's in something which is not really a hot path. They only
> encumber readability, no need for them.
I will remove them.
Thanks and BR,
Ricardo
Powered by blists - more mailing lists