lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1362089112-27470-1-git-send-email-bp@alien8.de>
Date:	Thu, 28 Feb 2013 23:05:12 +0100
From:	Borislav Petkov <bp@...en8.de>
To:	LKML <linux-kernel@...r.kernel.org>
Cc:	"H. Peter Anvin" <hpa@...or.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Borislav Petkov <bp@...e.de>
Subject: [PATCH] scripts/decodecode: Make faulting insn ptr more robust

From: Borislav Petkov <bp@...e.de>

It can accidentally happen that the faulting insn (the exact instruction
bytes) is repeated a little further on in the trace. This causes that
same instruction to be tagged twice, see example below.

What we want to do, however, is to track back from the end of the whole
disassembly so many lines as the slice which starts with the faulting
instruction is long. This leads us to the actual faulting instruction
and *then* we tag it.

While we're at it, we can drop the sed "g" flag because we address only
this one line.

Also, if we point to an instruction which changes decoding depending
on the slice being objdumped, like a Jcc insn, for example, we do not
even tag it as a faulting instruction because the instruction decode
changes in the second slice but we use that second format as a regex on
the fsrst disassembled buffer and more often than not that instruction
doesn't match.

Again, simply tag the line which is deduced from the original "<>"
marking we've received from the kernel.

This also solves the pathologic issue of multiple tagging like this:

  29:*  0f 0b                   ud2         <-- trapping instruction
  2b:*  0f 0b                   ud2         <-- trapping instruction
  2d:*  0f 0b                   ud2         <-- trapping instruction

Double tagging example:

Code: 34 dd 40 30 ad 81 48 c7 c0 80 f6 00 00 48 8b 3c 30 48 01 c6 b8 ff ff ff ff 48 8d 57 f0 48 39 f7 74 2f 49 8b 4c 24 08 48 8b 47 f0 <48> 39 48 08 75 0e eb 2a 66 90 48 8b 40 f0 48 39 48 08 74 1e 48
All code
========
   0:   34 dd                   xor    $0xdd,%al
   2:   40 30 ad 81 48 c7 c0    xor    %bpl,-0x3f38b77f(%rbp)
   9:   80 f6 00                xor    $0x0,%dh
   c:   00 48 8b                add    %cl,-0x75(%rax)
   f:   3c 30                   cmp    $0x30,%al
  11:   48 01 c6                add    %rax,%rsi
  14:   b8 ff ff ff ff          mov    $0xffffffff,%eax
  19:   48 8d 57 f0             lea    -0x10(%rdi),%rdx
  1d:   48 39 f7                cmp    %rsi,%rdi
  20:   74 2f                   je     0x51
  22:   49 8b 4c 24 08          mov    0x8(%r12),%rcx
  27:   48 8b 47 f0             mov    -0x10(%rdi),%rax
  2b:*  48 39 48 08             cmp    %rcx,0x8(%rax)     <-- trapping instruction
  2f:   75 0e                   jne    0x3f
  31:   eb 2a                   jmp    0x5d
  33:   66 90                   xchg   %ax,%ax
  35:   48 8b 40 f0             mov    -0x10(%rax),%rax
  39:*  48 39 48 08             cmp    %rcx,0x8(%rax)     <-- trapping instruction
  3d:   74 1e                   je     0x5d
  3f:   48                      rex.W

Signed-off-by: Borislav Petkov <bp@...e.de>
---
 scripts/decodecode | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/decodecode b/scripts/decodecode
index 4f8248d5a11f..d8824f37acce 100755
--- a/scripts/decodecode
+++ b/scripts/decodecode
@@ -89,10 +89,16 @@ echo $code >> $T.s
 disas $T
 cat $T.dis >> $T.aa
 
+# (lines of whole $T.oo) - (lines of $T.aa, i.e. "Code starting") + 3,
+# i.e. the title + the "===..=" line (sed is counting from 1, 0 address is
+# special)
+faultlinenum=$(( $(wc -l $T.oo  | cut -d" " -f1) - \
+		 $(wc -l $T.aa  | cut -d" " -f1) + 3))
+
 faultline=`cat $T.dis | head -1 | cut -d":" -f2-`
 faultline=`echo "$faultline" | sed -e 's/\[/\\\[/g; s/\]/\\\]/g'`
 
-cat $T.oo | sed -e "s/\($faultline\)/\*\1     <-- trapping instruction/g"
+cat $T.oo | sed -e "${faultlinenum}s/^\(.*:\)\(.*\)/\1\*\2\t\t<-- trapping instruction/"
 echo
 cat $T.aa
 cleanup
-- 
1.8.1.3.535.ga923c31

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ