| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 May 2015 14:31:05 -0700
From: "Fenghua Yu" <fenghua.yu@...el.com>
To: "H. Peter Anvin" <hpa@...ux.intel.com>,
"Ingo Molnar" <mingo@...e.hu>,
"Thomas Gleixner" <tglx@...utronix.de>,
"Dave Hansen" <dave.hansen@...el.com>,
"Asit K Mallick" <asit.k.mallick@...el.com>,
"Glenn Williamson" <glenn.p.williamson@...el.com>
Cc: "linux-kernel" <linux-kernel@...r.kernel.org>,
"x86" <x86@...nel.org>, "Fenghua Yu" <fenghua.yu@...el.com>
Subject: [PATCH v3 Bugfix 6/6] x86/xsave.c: Introduce a new check that allows correct xstates copy from kernel to user directly
From: Fenghua Yu <fenghua.yu@...el.com>
There are two formats of XSAVE buffers: compact and standard.
We avoid copying the compact format out to userspace since it
might break existing userspace which is not aware of the new
compacted format.
This means that save_xstate_sig() can not simply copy_to_user()
the kernel buffer if it is in compact format, ever. Add a
heavily-commented function explaining this.
Note that all the paths to save_user_xstate() do currently
check for used_math(), but add a WARN_ONCE() in there for any
future possible use.
Dave Hansen proposes this method to simplify copy xstate directly
to user.
Signed-off-by: Dave Hansen <dave.hansen@...el.com>
Signed-off-by: Fenghua Yu <fenghua.yu@...el.com>
---
arch/x86/kernel/xsave.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
index 547f293..69a1847 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -217,6 +217,45 @@ static inline int save_user_xstate(struct xsave_struct __user *buf)
return err;
}
+static int should_save_registers_directly(void)
+{
+ /*
+ * This should only ever be called when we are actually
+ * using the FPU. Otherwise, we run the risk of using
+ * some FPU instructions for saving the registers, and
+ * inflating thread.fpu_counter, making us think that
+ * the _task_ is using the FPU when in fact it was the
+ * kernel.
+ */
+ WARN_ONCE(!used_math(), "direct FPU save with no math use\n");
+
+ /*
+ * In the case that we are using a compacted kernel
+ * xsave area, we can not copy the thread.fpu.state
+ * directly to userspace and *must* save it from the
+ * registers directly.
+ */
+ if (cpu_has_xsaves)
+ return 1;
+
+ /*
+ * user_has_fpu() means "Can I use the FPU hardware
+ * without taking a device-not-available exception?" This
+ * means that saving the registers directly will be
+ * cheaper than copying their contents out of
+ * thread.fpu.state.
+ *
+ * Note that user_has_fpu() is inherently racy and may
+ * become false at any time. If this race happens, we
+ * will take a harmless device-not-available exception
+ * when we attempt the FPU save instruction.
+ */
+ if (user_has_fpu())
+ return 1;
+
+ return 0;
+}
+
/*
* Save the fpu, extended register state to the user signal frame.
*
@@ -254,7 +293,7 @@ int save_xstate_sig(void __user *buf, void __user *buf_fx, int size)
sizeof(struct user_i387_ia32_struct), NULL,
(struct _fpstate_ia32 __user *) buf) ? -1 : 1;
- if (user_has_fpu()) {
+ if (should_save_registers_directly()) {
/* Save the live register state to the user directly. */
if (save_user_xstate(buf_fx))
return -1;
--
1.8.1.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists