| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CY8PR11MB71349DFC7229D5208824CAFB89C72@CY8PR11MB7134.namprd11.prod.outlook.com>
Date: Tue, 11 Jun 2024 06:57:04 +0000
From: "Zhuo, Qiuxu" <qiuxu.zhuo@...el.com>
To: Kees Cook <kees@...nel.org>, Thomas Gleixner <tglx@...utronix.de>
CC: David Gow <davidgow@...gle.com>, Ingo Molnar <mingo@...hat.com>, "Borislav
Petkov" <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
"x86@...nel.org" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, "Sean
Christopherson" <seanjc@...gle.com>, Peter Zijlstra <peterz@...radead.org>,
Arnd Bergmann <arnd@...db.de>, "Kirill A. Shutemov"
<kirill.shutemov@...ux.intel.com>, Nadav Amit <nadav.amit@...il.com>,
Masahiro Yamada <masahiroy@...nel.org>, Christian Brauner
<brauner@...nel.org>, David Howells <dhowells@...hat.com>, Uros Bizjak
<ubizjak@...il.com>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "linux-hardening@...r.kernel.org"
<linux-hardening@...r.kernel.org>
Subject: RE: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user()
range checking
> From: Kees Cook <kees@...nel.org>
> [...]
> Subject: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range
> checking
>
> When reworking the range checking for get_user(), the get_user_8() case on
> 32-bit wasn't zeroing the high register. (The jump to bad_get_user_8 was
> accidentally dropped.) Restore the correct error handling destination (and
> rename the jump to using the expected ".L" prefix).
>
> While here, switch to using a named argument ("size") for the call template
> ("%c4" to "%c[size]") as already used in the other call templates in this file.
>
> Found after moving the usercopy selftests to KUnit:
>
> # usercopy_test_invalid: EXPECTATION FAILED at
> lib/usercopy_kunit.c:278
> Expected val_u64 == 0, but
> val_u64 == -60129542144 (0xfffffff200000000)
>
> Reported-by: David Gow <davidgow@...gle.com>
> Closes: https://lore.kernel.org/all/CABVgOSn=tb=Lj9SxHuT4_9MTjjKVxsq-
> ikdXC4kGHO4CfKVmGQ@...l.gmail.com
> Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user()
> and put_user()")
> Signed-off-by: Kees Cook <kees@...nel.org>
> [...]
> arch/x86/include/asm/uaccess.h | 4 ++--
> arch/x86/lib/getuser.S | 6 +++++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/include/asm/uaccess.h
> b/arch/x86/include/asm/uaccess.h index 0f9bab92a43d..3a7755c1a441
> 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -78,10 +78,10 @@ extern int __get_user_bad(void);
> int __ret_gu; \
> register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
> __chk_user_ptr(ptr); \
> - asm volatile("call __" #fn "_%c4" \
> + asm volatile("call __" #fn "_%c[size]" \
> : "=a" (__ret_gu), "=r" (__val_gu), \
> ASM_CALL_CONSTRAINT
> \
> - : "0" (ptr), "i" (sizeof(*(ptr)))); \
> + : "0" (ptr), [size] "i" (sizeof(*(ptr)))); \
> instrument_get_user(__val_gu);
> \
> (x) = (__force __typeof__(*(ptr))) __val_gu; \
> __builtin_expect(__ret_gu, 0); \
> diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S index
> 10d5ed8b5990..a1cb3a4e6742 100644
> --- a/arch/x86/lib/getuser.S
> +++ b/arch/x86/lib/getuser.S
> @@ -44,7 +44,11 @@
> or %rdx, %rax
> .else
> cmp $TASK_SIZE_MAX-\size+1, %eax
> +.if \size != 8
> jae .Lbad_get_user
> +.else
> + jae .Lbad_get_user_8
> +.endif
> sbb %edx, %edx /* array_index_mask_nospec() */
> and %edx, %eax
> .endif
> @@ -154,7 +158,7 @@ SYM_CODE_END(__get_user_handle_exception)
> #ifdef CONFIG_X86_32
> SYM_CODE_START_LOCAL(__get_user_8_handle_exception)
> ASM_CLAC
> -bad_get_user_8:
> +.Lbad_get_user_8:
> xor %edx,%edx
> xor %ecx,%ecx
> mov $(-EFAULT),%_ASM_AX
> --
> 2.34.1
LGTM. Thanks!
Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@...el.com>
Powered by blists - more mailing lists