lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 May 2022 17:32:04 +0000 From: Sean Christopherson <seanjc@...gle.com> To: Kees Cook <keescook@...omium.org> Cc: Paolo Bonzini <pbonzini@...hat.com>, Vitaly Kuznetsov <vkuznets@...hat.com>, Wanpeng Li <wanpengli@...cent.com>, Jim Mattson <jmattson@...gle.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, kvm@...r.kernel.org, Joerg Roedel <joro@...tes.org>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size On Fri, May 20, 2022, Kees Cook wrote: > GCC 12 sees that it might be possible for "nr" to be outside the _regs > array. Add explicit bounds checking. I think GCC 12 is wrong. There are four uses of reg_rmw() that don't use hardcoded registers: $ git grep reg_rmw | grep -v VCPU_REGS_ emulate.c:static ulong *reg_rmw(struct x86_emulate_ctxt *ctxt, unsigned nr) 1 emulate.c: ulong *preg = reg_rmw(ctxt, reg); 2 emulate.c: p = (unsigned char *)reg_rmw(ctxt, modrm_reg & 3) + 1; 3 emulate.c: p = reg_rmw(ctxt, modrm_reg); 4 emulate.c: assign_register(reg_rmw(ctxt, reg), val, ctxt->op_bytes); #1 has three users, but two of those use hardcoded registers. $ git grep register_address_increment | grep -v VCPU_REGS_ emulate.c:register_address_increment(struct x86_emulate_ctxt *ctxt, int reg, int inc) emulate.c: register_address_increment(ctxt, reg, df * op->bytes); and that last one is string_addr_inc(), which is only called with RDI or RSI. #2 can't overflow as the register can only be 0-3 (yay AH/BH/CH/DH operands). #3 is the !highbyte path of decode_register(), and is a bit messy, but modrm_reg is always sanitized. $ git grep -E "decode_register\(" emulate.c:static void *decode_register(struct x86_emulate_ctxt *ctxt, u8 modrm_reg, a emulate.c: op->addr.reg = decode_register(ctxt, reg, ctxt->d & ByteOp); b emulate.c: op->addr.reg = decode_register(ctxt, ctxt->modrm_rm, c emulate.c: ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, true); For (b) and (c), modrm_reg == ctxt->modrm_rm, which is computed in one place and is bounded to 0-15: base_reg = (ctxt->rex_prefix << 3) & 8; /* REX.B */ ctxt->modrm_rm = base_reg | (ctxt->modrm & 0x07); For (a), "reg" is either modrm_reg or a register that is encoded in the opcode, both of which are again bounded to 0-15: unsigned reg = ctxt->modrm_reg; if (!(ctxt->d & ModRM)) reg = (ctxt->b & 7) | ((ctxt->rex_prefix & 1) << 3); and ctxt->modrm_reg = ((ctxt->rex_prefix << 1) & 8); /* REX.R */ ctxt->modrm_reg |= (ctxt->modrm & 0x38) >> 3; #4 is em_popa() and is just funky hardcoding of popping RAX-RDI, minus RSP. I did the same exercise for reg_reg() and write_reg(), and the handful of non-hardcoded use are all bounded in similar ways. > In function 'reg_read', > inlined from 'reg_rmw' at ../arch/x86/kvm/emulate.c:266:2: Is there more of the "stack" available? I don't mind the WARN too much, but if there is a bug lurking I would much rather fix the bug. > ../arch/x86/kvm/emulate.c:254:27: warning: array subscript 32 is above array bounds of 'long unsigned int[17]' [-Warray-bounds] > 254 | return ctxt->_regs[nr]; > | ~~~~~~~~~~~^~~~ > In file included from ../arch/x86/kvm/emulate.c:23: > ../arch/x86/kvm/kvm_emulate.h: In function 'reg_rmw': > ../arch/x86/kvm/kvm_emulate.h:366:23: note: while referencing '_regs' > 366 | unsigned long _regs[NR_VCPU_REGS]; > | ^~~~~
Powered by blists - more mailing lists