lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20150825201206.93136028@viggo.jf.intel.com>
Date:	Tue, 25 Aug 2015 13:12:06 -0700
From:	Dave Hansen <dave@...1.net>
To:	dave@...1.net
Cc:	dave.hansen@...ux.intel.com, mingo@...hat.com, x86@...nel.org,
	bp@...en8.de, fenghua.yu@...el.com, tim.c.chen@...ux.intel.com,
	linux-kernel@...r.kernel.org
Subject: [PATCH 11/11] x86, fpu: check CPU-provided sizes against struct declarations


From: Dave Hansen <dave.hansen@...ux.intel.com>

We now have C structures defined for each of the XSAVE state
components that we support.  This patch adds checks during our
verification pass to ensure that the CPU-provided data
enumerated in CPUID leaves matches our C structures.

If not, we warn and dump all the XSAVE CPUID leaves.

Note: this *actually* found an inconsistency with the MPX
'bndcsr' state.  The hardware pads it out differently from
our C structures.  This patch caught it and warned.

Signed-off-by: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Ingo Molnar <mingo@...hat.com>
Cc: x86@...nel.org
Cc: Borislav Petkov <bp@...en8.de>
Cc: Fenghua Yu <fenghua.yu@...el.com>
Cc: Tim Chen <tim.c.chen@...ux.intel.com>
Cc: linux-kernel@...r.kernel.org
---

 b/appendme                         |    6 +++
 b/arch/x86/include/asm/fpu/types.h |    1 
 b/arch/x86/kernel/fpu/xstate.c     |   62 +++++++++++++++++++++++++++++++++++--
 3 files changed, 67 insertions(+), 2 deletions(-)

diff -puN /dev/null appendme
--- /dev/null	2015-07-13 14:24:11.435656502 -0700
+++ b/appendme	2015-08-25 12:50:01.857661314 -0700
@@ -0,0 +1,6 @@
+Cc: Ingo Molnar <mingo@...hat.com>
+Cc: x86@...nel.org
+Cc: Borislav Petkov <bp@...en8.de>
+Cc: Fenghua Yu <fenghua.yu@...el.com>
+Cc: Tim Chen <tim.c.chen@...ux.intel.com>
+Cc: linux-kernel@...r.kernel.org
diff -puN arch/x86/include/asm/fpu/types.h~x86-fpu-check-against-struct-declarations arch/x86/include/asm/fpu/types.h
--- a/arch/x86/include/asm/fpu/types.h~x86-fpu-check-against-struct-declarations	2015-08-25 12:50:01.853661133 -0700
+++ b/arch/x86/include/asm/fpu/types.h	2015-08-25 12:50:01.858661359 -0700
@@ -108,6 +108,7 @@ enum xfeature_nr {
 	XFEATURE_NR_OPMASK,
 	XFEATURE_NR_ZMM_Hi256,
 	XFEATURE_NR_Hi16_ZMM,
+	XFEATURE_NR_PT_UNIMPLEMENTED_SO_FAR,
 
 	XFEATURES_NR_MAX,
 };
diff -puN arch/x86/kernel/fpu/xstate.c~x86-fpu-check-against-struct-declarations arch/x86/kernel/fpu/xstate.c
--- a/arch/x86/kernel/fpu/xstate.c~x86-fpu-check-against-struct-declarations	2015-08-25 12:50:01.854661178 -0700
+++ b/arch/x86/kernel/fpu/xstate.c	2015-08-25 12:50:01.858661359 -0700
@@ -182,7 +182,8 @@ static int xfeature_nr_enabled(enum xfea
 static void __init setup_xstate_features(void)
 {
 	u32 eax, ebx, ecx, edx, i;
-	unsigned int last_good_offset = -1;
+	/* start at the beginnning of the "extended state" */
+	unsigned int last_good_offset = offsetof(struct xregs_state, __reserved);
 
 	for (i = FIRST_EXTENDED_XFEATURE_NR; i < XFEATURES_NR_MAX; i++) {
 		if (!xfeature_nr_enabled(i))
@@ -196,7 +197,8 @@ static void __init setup_xstate_features
 		 * highest-numbered xstate feature has the
 		 * highest offset in the buffer.  Ensure it does.
 		 */
-		WARN_ON(last_good_offset > xstate_offsets[i]);
+		WARN_ONCE(last_good_offset > xstate_offsets[i],
+			"x86/fpu: misordered xstate at %d\n", last_good_offset);
 		last_good_offset = xstate_offsets[i];
 
 		printk(KERN_INFO "x86/fpu: xstate_offset[%d]: %04x, xstate_sizes[%d]: %04x\n", i, ebx, i, eax);
@@ -407,6 +409,52 @@ static void __xstate_dump_leaves(void)
 	}									\
 } while (0)
 
+
+#define XCHECK_SZ(sz, nr, nr_macro, __struct) do {			\
+	if ((nr == nr_macro) &&						\
+	    WARN_ONCE(sz != sizeof(__struct),				\
+		"%s: struct is %ld bytes, cpu state %d bytes\n",	\
+		__stringify(nr_macro), sizeof(__struct), sz)) {		\
+		__xstate_dump_leaves();					\
+	}								\
+} while (0)
+
+
+/*
+ * We have a C struct for each 'xstate'.  We need to ensure
+ * that our software representation matches what the CPU
+ * tells us about the state's size.
+ */
+static void check_xstate_against_struct(int nr)
+{
+	/*
+	 * Ask the CPU for the size of the state.
+	 */
+	int sz = xfeature_size(nr);
+	/*
+	 * Match each CPU state with the corresponding software
+	 * structure.
+	 */
+	XCHECK_SZ(sz, nr, XFEATURE_NR_YMM,       struct ymmh_struct);
+	XCHECK_SZ(sz, nr, XFEATURE_NR_BNDREGS,   struct mpx_bndreg_state);
+	XCHECK_SZ(sz, nr, XFEATURE_NR_BNDCSR,    struct mpx_bndcsr_state);
+	XCHECK_SZ(sz, nr, XFEATURE_NR_OPMASK,    struct avx_512_opmask_state);
+	XCHECK_SZ(sz, nr, XFEATURE_NR_ZMM_Hi256, struct avx_512_zmm_uppers_state);
+	XCHECK_SZ(sz, nr, XFEATURE_NR_Hi16_ZMM,  struct avx_512_hi16_state);
+
+	/*
+	 * Make *SURE* to add any feature numbers in below if
+	 * there are "holes" in the xsave state component
+	 * numbers.
+	 */
+	if ((nr < XFEATURE_NR_YMM) ||
+	    (nr >= XFEATURES_NR_MAX) ||
+	    (nr == XFEATURE_NR_PT_UNIMPLEMENTED_SO_FAR)) {
+		WARN_ONCE(1, "no structure for xstate: %d\n", nr);
+		XSTATE_WARN_ON(1);
+	}
+}
+
 /*
  * This essentially double-checks what the cpu told us about
  * how large the XSAVE buffer needs to be.  We are recalculating
@@ -420,6 +468,8 @@ static void do_extra_xstate_size_checks(
 	for (i = FIRST_EXTENDED_XFEATURE_NR; i < XFEATURES_NR_MAX; i++) {
 		if (!xfeature_nr_enabled(i))
 			continue;
+
+		check_xstate_against_struct(i);
 		/*
 		 * Supervisor state components can be managed only by
 		 * XSAVES, which is compacted-format only.
@@ -445,6 +495,14 @@ static void do_extra_xstate_size_checks(
 		paranoid_xstate_size += xfeature_size(i);
 	}
 	XSTATE_WARN_ON(paranoid_xstate_size != xstate_size);
+	/*
+	 * Basically, make sure that XSTATE_RESERVE has forced
+	 * xregs_state to be large enough.  This is not fatal
+	 * because we reserve a *lot* of extra room in the init
+	 * task struct, but we should at least know we got it
+	 * wrong.
+	 */
+	XSTATE_WARN_ON(xstate_size > sizeof(struct xregs_state));
 }
 
 /*
_
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ