lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 27 Mar 2015 18:29:14 +0100
From:	Borislav Petkov <bp@...en8.de>
To:	Dave Hansen <dave@...1.net>
Cc:	linux-kernel@...r.kernel.org, x86@...nel.org, tglx@...utronix.de,
	dave.hansen@...ux.intel.com
Subject: Re: [PATCH 15/17] x86, mpx: do 32-bit-only cmpxchg for 32-bit apps

On Thu, Mar 26, 2015 at 11:33:53AM -0700, Dave Hansen wrote:
> 
> From: Dave Hansen <dave.hansen@...ux.intel.com>
> 
> user_atomic_cmpxchg_inatomic() actually looks at sizeof(*ptr) to
> figure out how many bytes to copy.  If we run it on a 64-bit
> kernel with a 64-bit pointer, it will copy a 64-bit bounds
> directory entry.  That's fine, except when we have 32-bit
> programs with 32-bit bounds directory entries and we only *want*
> 32-bits.
> 
> This patch breaks the cmpxchg operation out in to its own
> function and performs the 32-bit type swizzling in there.
> 
> Note, the "64-bit" version of this code _would_ work on a
> 32-bit-only kernel.  The issue this patch addresses is only for
> when the kernel's 'long' is mismatched from the size of the
> bounds directory entry of the process we are working on.
> 
> The new helper modifies 'actual_old_val' or returns an error.
> But gcc doesn't know this, so it warns about 'actual_old_val'
> being unused.  Shut it up with an uninitialized_var().
> 
> Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
> ---
> 
>  b/arch/x86/mm/mpx.c |   41 ++++++++++++++++++++++++++++++++++++-----
>  1 file changed, 36 insertions(+), 5 deletions(-)
> 
> diff -puN arch/x86/mm/mpx.c~mpx-variable-sized-userspace-pokes arch/x86/mm/mpx.c
> --- a/arch/x86/mm/mpx.c~mpx-variable-sized-userspace-pokes	2015-03-26 11:27:33.927520821 -0700
> +++ b/arch/x86/mm/mpx.c	2015-03-26 11:27:33.931521001 -0700
> @@ -421,6 +421,35 @@ int mpx_disable_management(struct task_s
>  	return 0;
>  }
>  
> +static int mpx_cmpxchg_bd_entry(struct mm_struct *mm,
> +		unsigned long *actual_old_val_ptr, long __user *bd_entry_addr,
> +		unsigned long expected_old_val, unsigned long new_bd_entry)
> +{
> +	int ret;
> +	/*
> +	 * user_atomic_cmpxchg_inatomic() actually uses sizeof()
> +	 * the pointer thatt we pass to it to figure out how much
> +	 * data to cmpxchg.  We have to be careful here not to
> +	 * pass a pointer to a 64-bit data type when we only want
> +	 * a 32-bit copy.
> +	 */
> +	if (is_64bit_mm(mm)) {
> +		ret = user_atomic_cmpxchg_inatomic(actual_old_val_ptr,
> +				bd_entry_addr, expected_old_val, new_bd_entry);
> +	} else {
> +		u32 uninitialized_var(actual_old_val_32);
> +		u32 expected_old_val_32 = expected_old_val;
> +		u32 new_bd_entry_32 = new_bd_entry;
> +		u32 __user *bd_entry_32 = (u32 __user *)bd_entry_addr;
> +		ret = user_atomic_cmpxchg_inatomic(&actual_old_val_32,
> +				bd_entry_32, expected_old_val_32,
> +				new_bd_entry_32);

Hmm, I would've added a user_atomic_cmpxchg_inatomic_size() macro which
calls __user_atomic_cmpxchg_inatomic().

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ