lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170411220816.2u3o72qnwcwq7jzc@pd.tnic>
Date:   Wed, 12 Apr 2017 00:08:16 +0200
From:   Borislav Petkov <bp@...e.de>
To:     Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
Cc:     Ingo Molnar <mingo@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Brian Gerst <brgerst@...il.com>,
        Chris Metcalf <cmetcalf@...lanox.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
        Jonathan Corbet <corbet@....net>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        Paul Gortmaker <paul.gortmaker@...driver.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Chen Yucong <slaoub@...il.com>,
        Alexandre Julliard <julliard@...ehq.org>,
        Stas Sergeev <stsp@...t.ru>, Fenghua Yu <fenghua.yu@...el.com>,
        "Ravi V. Shankar" <ravi.v.shankar@...el.com>,
        Shuah Khan <shuah@...nel.org>, linux-kernel@...r.kernel.org,
        x86@...nel.org, linux-msdos@...r.kernel.org, wine-devel@...ehq.org,
        Adam Buchbinder <adam.buchbinder@...il.com>,
        Colin Ian King <colin.king@...onical.com>,
        Lorenzo Stoakes <lstoakes@...il.com>,
        Qiaowei Ren <qiaowei.ren@...el.com>,
        Nathan Howard <liverlint@...il.com>,
        Adan Hawthorn <adanhawthorn@...il.com>,
        Joe Perches <joe@...ches.com>
Subject: Re: [v6 PATCH 03/21] x86/mpx: Do not use R/EBP as base in the SIB
 byte with Mod = 0

On Tue, Mar 07, 2017 at 04:32:36PM -0800, Ricardo Neri wrote:
> Section 2.2.1.2 of the Intel 64 and IA-32 Architectures Software
> Developer's Manual volume 2A states that when a SIB byte is used and the
> base of the SIB byte points to R/EBP (i.e., base = 5) and the mod part
> of the ModRM byte is zero, the value of such register will not be used
> as part of the address computation. To signal this, a -EDOM error is
> returned to indicate callers that they should ignore the value.
> 
> Also, for this particular case, a displacement of 32-bits should follow
> the SIB byte if the mod part of ModRM is equal to zero. The instruction
> decoder ensures that this is the case.
> 
> Cc: Dave Hansen <dave.hansen@...ux.intel.com>
> Cc: Adam Buchbinder <adam.buchbinder@...il.com>
> Cc: Colin Ian King <colin.king@...onical.com>
> Cc: Lorenzo Stoakes <lstoakes@...il.com>
> Cc: Qiaowei Ren <qiaowei.ren@...el.com>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Nathan Howard <liverlint@...il.com>
> Cc: Adan Hawthorn <adanhawthorn@...il.com>
> Cc: Joe Perches <joe@...ches.com>
> Cc: Ravi V. Shankar <ravi.v.shankar@...el.com>
> Cc: x86@...nel.org
> Signed-off-by: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
> ---
>  arch/x86/mm/mpx.c | 29 ++++++++++++++++++++++-------
>  1 file changed, 22 insertions(+), 7 deletions(-)
> 
> diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
> index d9e92d6..ef7eb67 100644
> --- a/arch/x86/mm/mpx.c
> +++ b/arch/x86/mm/mpx.c
> @@ -121,6 +121,17 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
>  
>  	case REG_TYPE_BASE:
>  		regno = X86_SIB_BASE(insn->sib.value);
> +		/*
> +		 * If mod is 0 and register R/EBP (regno=5) is indicated in the
> +		 * base part of the SIB byte,

you can simply say here: "if SIB.base == 5, the base of the
register-indirect addressing is 0."

> the value of such register should
> +		 * not be used in the address computation. Also, a 32-bit

Not "Also" but "In this case, a 32-bit displacement..."

> +		 * displacement is expected in this case; the instruction
> +		 * decoder takes care of it. This is true for both R13 and
> +		 * R/EBP as REX.B will not be decoded.

You don't need that sentence as the only thing that matters is ModRM.mod
being 0.

> +		 */
> +		if (regno == 5 && X86_MODRM_MOD(insn->modrm.value) == 0)

The 0 test we normally do with the ! (also flip parts of if-condition):

		if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5)

> +			return -EDOM;
> +
>  		if (X86_REX_B(insn->rex_prefix.value))
>  			regno += 8;
>  		break;
> @@ -161,16 +172,21 @@ static void __user *mpx_get_addr_ref(struct insn *insn, struct pt_regs *regs)
>  		eff_addr = regs_get_register(regs, addr_offset);
>  	} else {
>  		if (insn->sib.nbytes) {
> +			/*
> +			 * Negative values in the base and index offset means
> +			 * an error when decoding the SIB byte. Except -EDOM,
> +			 * which means that the registers should not be used
> +			 * in the address computation.
> +			 */
>  			base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
> -			if (base_offset < 0)
> +			if (unlikely(base_offset == -EDOM))
> +				base = 0;
> +			else if (unlikely(base_offset < 0))

Bah, unlikely's in something which is not really a hot path. They only
encumber readability, no need for them.

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ