| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Apr 2015 07:28:02 -0700
From: Dave Hansen <dave.hansen@...el.com>
To: Fenghua Yu <fenghua.yu@...el.com>,
"H. Peter Anvin" <hpa@...ux.intel.com>,
Ingo Molnar <mingo@...e.hu>,
Thomas Gleixner <tglx@...utronix.de>,
Asit K Mallick <asit.k.mallick@...el.com>,
Glenn Williamson <glenn.p.williamson@...el.com>
CC: linux-kernel <linux-kernel@...r.kernel.org>, x86 <x86@...nel.org>,
Fengguang Wu <fengguang.wu@...el.com>
Subject: Re: [PATCH Bugfix v2 2/4] x86/xsaves: Define and use user_xstate_size
for xstate size in signal context
On 04/21/2015 09:51 PM, Fenghua Yu wrote:
> +static int copy_to_user_xstate(void __user *buf_fx, struct xsave_struct *xsave)
> +{
...
> + if (__copy_to_user(buf_fx + user_offset,
> + xsave + kernel_offset, size))
> + return -1;
> + }
> + }
> +
0day found this, but I'm replying to the original thread.
> [ 13.595511] BUG: KASan: out of bounds access in save_xstate_sig+0x1bf/0x470 at addr ffff880000184208
> [ 13.596280] Read of size 8 by task init/1
copy_to_user_xstate() gets inlined in to save_xstate_sig(). The read
probably means that this was an access to 'xsave' since we are reading a
kernel structure out to userspace.
'xsave' is a 'struct xsave_struct *' and yet it's being incremented like
'buf_fx' which is a 'void *'.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists