lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 May 2015 19:57:59 +0200 From: Ingo Molnar <mingo@...nel.org> To: linux-kernel@...r.kernel.org Cc: Andy Lutomirski <luto@...capital.net>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, Fenghua Yu <fenghua.yu@...el.com>, "H. Peter Anvin" <hpa@...or.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>, Thomas Gleixner <tglx@...utronix.de> Subject: [PATCH 175/208] x86/fpu: Clean up fpu__clear() state handling We currently leak FPU state across execve() boundaries on eagerfpu systems: $ /host/home/mingo/dump-xmm-regs-exec # XMM state before execve(): XMM0 : 000000000000dede XMM1 : 000000000000dedf XMM2 : 000000000000dee0 XMM3 : 000000000000dee1 XMM4 : 000000000000dee2 XMM5 : 000000000000dee3 XMM6 : 000000000000dee4 XMM7 : 000000000000dee5 XMM8 : 000000000000dee6 XMM9 : 000000000000dee7 XMM10: 000000000000dee8 XMM11: 000000000000dee9 XMM12: 000000000000deea XMM13: 000000000000deeb XMM14: 000000000000deec XMM15: 000000000000deed # XMM state after execve(), in the new task context: XMM0 : 0000000000000000 XMM1 : 2f2f2f2f2f2f2f2f XMM2 : 0000000000000000 XMM3 : 0000000000000000 XMM4 : 00000000000000ff XMM5 : 00000000ff000000 XMM6 : 000000000000dee4 XMM7 : 000000000000dee5 XMM8 : 0000000000000000 XMM9 : 0000000000000000 XMM10: 0000000000000000 XMM11: 0000000000000000 XMM12: 0000000000000000 XMM13: 000000000000deeb XMM14: 000000000000deec XMM15: 000000000000deed The reason is that fpu__clear() does not clear out the state properly. Fix it. Cc: Andy Lutomirski <luto@...capital.net> Cc: Borislav Petkov <bp@...en8.de> Cc: Dave Hansen <dave.hansen@...ux.intel.com> Cc: Fenghua Yu <fenghua.yu@...el.com> Cc: H. Peter Anvin <hpa@...or.com> Cc: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Oleg Nesterov <oleg@...hat.com> Cc: Thomas Gleixner <tglx@...utronix.de> Signed-off-by: Ingo Molnar <mingo@...nel.org> --- arch/x86/kernel/fpu/core.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c index 45ef4e51928b..33c9a43b000e 100644 --- a/arch/x86/kernel/fpu/core.c +++ b/arch/x86/kernel/fpu/core.c @@ -348,6 +348,10 @@ void fpu__restore(void) } EXPORT_SYMBOL_GPL(fpu__restore); +/* + * Called by sys_execve() to clear the FPU fpregs, so that FPU state + * of the previous binary does not leak over into the exec()ed binary: + */ void fpu__clear(struct task_struct *tsk) { struct fpu *fpu = &tsk->thread.fpu; @@ -361,8 +365,8 @@ void fpu__clear(struct task_struct *tsk) if (!fpu->fpstate_active) { fpu__activate_curr(fpu); user_fpu_begin(); - restore_init_xstate(); } + restore_init_xstate(); } } -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists