Date:   Mon, 7 Nov 2016 10:39:28 -0800
From:   Leonid Yegoshin <Leonid.Yegoshin@...tec.com>
To:     <linux-mips@...ux-mips.org>, <paul.burton@...tec.com>,
        <linux-kernel@...r.kernel.org>, <ralf@...ux-mips.org>,
        <yamada.masahiro@...ionext.com>, <macro@...tec.com>
Subject: [PATCH] MIPS: R2-on-R6 emulation bugfix of BLEZL and BGTZL instructions

MIPS R2 emulation doesn't take into account that the BLEZL and BGTZL instructions
require register RT = 0. If it is not zero, it can be some legitimate MIPS R6
instruction.

The problem happens after the emulation optimization, when the emulation routine
tries to pipeline emulation and, after emulating one instruction, picks up
the next candidate. In the single-pass strategy it does not happen because the CPU
doesn't trap on branch-compacts, which share opcode space with BLEZL/BGTZL
(but have RT != 0, of course).

Signed-off-by: Leonid Yegoshin <Leonid.Yegoshin@...tec.com>
Reported-by: Douglas Leung <Douglas.Leung@...tec.com>
---
 arch/mips/kernel/mips-r2-to-r6-emul.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/arch/mips/kernel/mips-r2-to-r6-emul.c b/arch/mips/kernel/mips-r2-to-r6-emul.c
index 22dedd62818a..b0c86b08c0b9 100644
--- a/arch/mips/kernel/mips-r2-to-r6-emul.c
+++ b/arch/mips/kernel/mips-r2-to-r6-emul.c
@@ -919,6 +919,7 @@ int mipsr2_decoder(struct pt_regs *regs, u32 inst, unsigned long *fcr31)
 		BUG();
 		return SIGEMT;
 	}
+	err = 0;
 	pr_debug("Emulating the 0x%08x R2 instruction @ 0x%08lx (pass=%d))\n",
 		 inst, epc, pass);
 
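Review bot: the added `err = 0;` is not explained anywhere in the description. If the point is to clear a value left behind by a previous emulation pass before the next candidate instruction is decoded (the pipelining the description mentions), say so in a short comment next to the assignment; a reader of this hunk alone cannot tell whether it fixes a stale-value bug or is merely defensive, and the answer affects whether the fix is complete.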
@@ -1096,10 +1097,16 @@ int mipsr2_decoder(struct pt_regs *regs, u32 inst, unsigned long *fcr31)
 		}
 		break;
 
-	case beql_op:
-	case bnel_op:
 	case blezl_op:
 	case bgtzl_op:
+		/* return MIPS R6 instruction to CPU execution */
+		if (MIPSInst_RT(inst)) {
+			err = SIGILL;
+			break;
+		}
+
+	case beql_op:
+	case bnel_op:
 		if (delay_slot(regs)) {
 			err = SIGILL;
 			break;
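Review bot: the new `if (MIPSInst_RT(inst))` block falls through into `case beql_op:` / `case bnel_op:` without a `/* fall through */` annotation; add one after the closing brace so the intent survives implicit-fallthrough warnings and nobody later "fixes" it by inserting a `break`. The comment `/* return MIPS R6 instruction to CPU execution */` would also read better if it stated the reason the description gives, namely that this opcode with RT != 0 is a MIPS R6 compact branch rather than BLEZL/BGTZL, so the decoder must decline to emulate it (hence `err = SIGILL`). Placing the check ahead of the `delay_slot()` test is the right order, since an R6 encoding should be rejected regardless of slot state.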

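As an added illustration of the bug the patch describes (example code, not from the kernel or from this patch): a stand-alone C decoder comparing the pre-fix rule, which selects the branch-likely path on the opcode alone, with the fixed rule that also requires RT = 0. The field positions and the BLEZL/BGTZL opcode values are taken from the MIPS32 I-type encoding, not from the patch, and the instruction words are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* MIPS32 I-type layout (assumed from the architecture, not from the patch):
 * opcode in bits 31:26, rs in 25:21, rt in 20:16, 16-bit offset in 15:0. */
#define OPCODE(x) (((x) >> 26) & 0x3f)
#define RT(x)     (((x) >> 16) & 0x1f)

#define BLEZL_OP 0x16u   /* 010110 */
#define BGTZL_OP 0x17u   /* 010111 */

enum decision {
	NOT_BRANCH_LIKELY,   /* other opcode: not this code path at all */
	EMULATE_R2,          /* genuine BLEZL/BGTZL: emulate R2 semantics */
	RETURN_TO_CPU        /* RT != 0: an R6 encoding, decline (SIGILL in the patch) */
};

/* Pre-fix logic: the opcode alone selects the branch-likely path. */
static enum decision classify_before_fix(uint32_t inst)
{
	unsigned op = OPCODE(inst);
	return (op == BLEZL_OP || op == BGTZL_OP) ? EMULATE_R2 : NOT_BRANCH_LIKELY;
}

/* Fixed logic: the same opcode with RT != 0 is not BLEZL/BGTZL, so do not emulate it. */
static enum decision classify_after_fix(uint32_t inst)
{
	unsigned op = OPCODE(inst);
	if (op != BLEZL_OP && op != BGTZL_OP)
		return NOT_BRANCH_LIKELY;
	if (RT(inst) != 0)
		return RETURN_TO_CPU;
	return EMULATE_R2;
}

/* Assemble a constructed I-type instruction word for the examples. */
static uint32_t encode(unsigned op, unsigned rs, unsigned rt, uint16_t offset)
{
	return ((uint32_t)(op & 0x3f) << 26) | ((uint32_t)(rs & 0x1f) << 21) |
	       ((uint32_t)(rt & 0x1f) << 16) | offset;
}

int main(void)
{
	uint32_t blezl  = encode(BLEZL_OP, 8, 0, 4);  /* blezl $t0, +4: rt = 0 */
	uint32_t r6word = encode(BLEZL_OP, 8, 9, 4);  /* same opcode, rt = 9: R6 encoding */
	printf("rt=0: before=%d after=%d\n", classify_before_fix(blezl), classify_after_fix(blezl));
	printf("rt=9: before=%d after=%d\n", classify_before_fix(r6word), classify_after_fix(r6word));
	return 0;
}
```

The second line of output shows the bug: before the fix the rt = 9 word is emulated as if it were BLEZL, after the fix it is handed back to the CPU.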