lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Jan 2015 11:43:13 -0800 From: Dave Hansen <dave.hansen@...ux.intel.com> To: Andy Lutomirski <luto@...capital.net> CC: X86 ML <x86@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Masami Hiramatsu <masami.hiramatsu.pt@...achi.com> Subject: Re: [PATCH 3.19 v2 2/3] x86, mpx: Short-circuit the instruction decoder for unexpected opcodes On 01/12/2015 03:57 PM, Andy Lutomirski wrote: >>> >> - /* >>> >> - * We only _really_ need to decode bndcl/bndcn/bndcu >>> >> - * Error out on anything else. >>> >> - */ >>> >> - if (insn->opcode.bytes[0] != 0x0f) >>> >> - goto bad_opcode; >>> >> - if ((insn->opcode.bytes[1] != 0x1a) && >>> >> - (insn->opcode.bytes[1] != 0x1b)) >>> >> - goto bad_opcode; >> > >> > Otherwise, this looks OK to me. Have you tested this at all? I know >> > you don't have any MPX hardware, but you can still hack something in to >> > point the instruction decoder at an MPX binary. > I haven't tested this at all. ISTM it's more likely that any test > hack I write for this will mask any problem than that it will be a > real test. This is completely and totally broken when there is an instruction prefix. Instruction prefixes which occur before the opcodes in the buffer, so buf[0] is not necessarily insn->opcode.bytes[0]. This was immediately obvious when I actually ran this code for the first time, even on hardware without MPX. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists