lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri,  5 May 2017 11:17:14 -0700
From:   Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
To:     Ingo Molnar <mingo@...hat.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andy Lutomirski <luto@...nel.org>, Borislav Petkov <bp@...e.de>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Brian Gerst <brgerst@...il.com>,
        Chris Metcalf <cmetcalf@...lanox.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Liang Z Li <liang.z.li@...el.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Huang Rui <ray.huang@....com>, Jiri Slaby <jslaby@...e.cz>,
        Jonathan Corbet <corbet@....net>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        Paul Gortmaker <paul.gortmaker@...driver.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Chen Yucong <slaoub@...il.com>,
        Alexandre Julliard <julliard@...ehq.org>,
        Stas Sergeev <stsp@...t.ru>, Fenghua Yu <fenghua.yu@...el.com>,
        "Ravi V. Shankar" <ravi.v.shankar@...el.com>,
        Shuah Khan <shuah@...nel.org>, linux-kernel@...r.kernel.org,
        x86@...nel.org, linux-msdos@...r.kernel.org, wine-devel@...ehq.org,
        Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
        Adam Buchbinder <adam.buchbinder@...il.com>,
        Colin Ian King <colin.king@...onical.com>,
        Lorenzo Stoakes <lstoakes@...il.com>,
        Qiaowei Ren <qiaowei.ren@...el.com>,
        Arnaldo Carvalho de Melo <acme@...hat.com>,
        Adrian Hunter <adrian.hunter@...el.com>,
        Kees Cook <keescook@...omium.org>,
        Thomas Garnier <thgarnie@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>
Subject: [PATCH v7 16/26] x86/insn-eval: Support both signed 32-bit and 64-bit effective addresses

The 32-bit and 64-bit address encodings are identical. This means that we
can use the same function in both cases. In order to reuse the function
for 32-bit address encodings, we must sign-extend our 32-bit signed
operands to 64-bit signed variables (only for 64-bit builds). To decide on
whether sign extension is needed, we rely on the address size as given by
the instruction structure.

Once the effective address has been computed, a special verification is
needed for 32-bit processes. If running on a 64-bit kernel, such processes
can address up to 4GB of memory. Hence, for instance, an effective
address of 0xffff1234 would be misinterpreted as 0xffffffffffff1234 due to
the sign extension mentioned above. For this reason, the 4 must be
truncated to obtain the true effective address.

Lastly, before computing the linear address, we verify that the effective
address is within the limits of the segment. The check is kept for long
mode because in such a case the limit is set to -1L. This is the largest
unsigned number possible. This is equivalent to a limit-less segment.

Cc: Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Adam Buchbinder <adam.buchbinder@...il.com>
Cc: Colin Ian King <colin.king@...onical.com>
Cc: Lorenzo Stoakes <lstoakes@...il.com>
Cc: Qiaowei Ren <qiaowei.ren@...el.com>
Cc: Arnaldo Carvalho de Melo <acme@...hat.com>
Cc: Masami Hiramatsu <mhiramat@...nel.org>
Cc: Adrian Hunter <adrian.hunter@...el.com>
Cc: Kees Cook <keescook@...omium.org>
Cc: Thomas Garnier <thgarnie@...gle.com>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Borislav Petkov <bp@...e.de>
Cc: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Ravi V. Shankar <ravi.v.shankar@...el.com>
Cc: x86@...nel.org
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>
---
 arch/x86/lib/insn-eval.c | 99 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 88 insertions(+), 11 deletions(-)

diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c
index 1a5f5a6..c7c1239 100644
--- a/arch/x86/lib/insn-eval.c
+++ b/arch/x86/lib/insn-eval.c
@@ -688,6 +688,62 @@ int insn_get_modrm_rm_off(struct insn *insn, struct pt_regs *regs)
 	return get_reg_offset(insn, regs, REG_TYPE_RM);
 }
 
+/**
+ * _to_signed_long() - Cast an unsigned long into signed long
+ * @val		A 32-bit or 64-bit unsigned long
+ * @long_bytes	The number of bytes used to represent a long number
+ * @out		The casted signed long
+ *
+ * Return: A signed long of either 32 or 64 bits, as per the build configuration
+ * of the kernel.
+ */
+static int _to_signed_long(unsigned long val, int long_bytes, long *out)
+{
+	if (!out)
+		return -EINVAL;
+
+#ifdef CONFIG_X86_64
+	if (long_bytes == 4) {
+		/* higher bytes should all be zero */
+		if (val & ~0xffffffff)
+			return -EINVAL;
+
+		/* sign-extend to a 64-bit long */
+		*out = (long)((int)(val));
+		return 0;
+	} else if (long_bytes == 8) {
+		*out = (long)val;
+		return 0;
+	} else {
+		return -EINVAL;
+	}
+#else
+	*out = (long)val;
+	return 0;
+#endif
+}
+
+/** get_mem_offset() - Obtain the memory offset indicated in operand register
+ * @regs	Structure with register values as seen when entering kernel mode
+ * @reg_offset	Offset from the base of pt_regs of the operand register
+ * @addr_size	Address size of the code segment in use
+ *
+ * Obtain the offset (a signed number with size as specified in addr_size)
+ * indicated in the register used for register-indirect memory adressing.
+ *
+ * Return: A memory offset to be used in the computation of effective address.
+ */
+long get_mem_offset(struct pt_regs *regs, int reg_offset, int addr_size)
+{
+	int ret;
+	long offset = -1L;
+	unsigned long uoffset = regs_get_register(regs, reg_offset);
+
+	ret = _to_signed_long(uoffset, addr_size, &offset);
+	if (ret)
+		return -1L;
+	return offset;
+}
 /*
  * return the address being referenced be instruction
  * for rm=3 returning the content of the rm reg
@@ -697,18 +753,21 @@ void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
 {
 	unsigned long linear_addr, seg_base_addr, seg_limit;
 	long eff_addr, base, indx;
-	int addr_offset, base_offset, indx_offset;
+	int addr_offset, base_offset, indx_offset, addr_bytes;
 	insn_byte_t sib;
 
 	insn_get_modrm(insn);
 	insn_get_sib(insn);
 	sib = insn->sib.value;
+	addr_bytes = insn->addr_bytes;
 
 	if (X86_MODRM_MOD(insn->modrm.value) == 3) {
 		addr_offset = get_reg_offset(insn, regs, REG_TYPE_RM);
 		if (addr_offset < 0)
 			goto out_err;
-		eff_addr = regs_get_register(regs, addr_offset);
+		eff_addr = get_mem_offset(regs, addr_offset, addr_bytes);
+		if (eff_addr == -1L)
+			goto out_err;
 		seg_base_addr = insn_get_seg_base(regs, insn, addr_offset);
 		if (seg_base_addr == -1L)
 			goto out_err;
@@ -722,20 +781,28 @@ void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
 			 * in the address computation.
 			 */
 			base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE);
-			if (base_offset == -EDOM)
+			if (base_offset == -EDOM) {
 				base = 0;
-			else if (base_offset < 0)
+			} else if (base_offset < 0) {
 				goto out_err;
-			else
-				base = regs_get_register(regs, base_offset);
+			} else {
+				base = get_mem_offset(regs, base_offset,
+						      addr_bytes);
+				if (base == -1L)
+					goto out_err;
+			}
 
 			indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX);
-			if (indx_offset == -EDOM)
+			if (indx_offset == -EDOM) {
 				indx = 0;
-			else if (indx_offset < 0)
+			} else if (indx_offset < 0) {
 				goto out_err;
-			else
-				indx = regs_get_register(regs, indx_offset);
+			} else {
+				indx = get_mem_offset(regs, indx_offset,
+						      addr_bytes);
+				if (indx == -1L)
+					goto out_err;
+			}
 
 			eff_addr = base + indx * (1 << X86_SIB_SCALE(sib));
 			seg_base_addr = insn_get_seg_base(regs, insn,
@@ -758,7 +825,10 @@ void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
 			} else if (addr_offset < 0) {
 				goto out_err;
 			} else {
-				eff_addr = regs_get_register(regs, addr_offset);
+				eff_addr = get_mem_offset(regs, addr_offset,
+							  addr_bytes);
+				if (eff_addr == -1L)
+					goto out_err;
 			}
 			seg_base_addr = insn_get_seg_base(regs, insn,
 							  addr_offset);
@@ -771,6 +841,13 @@ void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
 
 	linear_addr = (unsigned long)eff_addr;
 	/*
+	 * If address size is 32-bit, truncate the 4 most significant bytes.
+	 * This is to avoid phony negative offsets.
+	 */
+	if (addr_bytes == 4)
+		linear_addr &= 0xffffffff;
+
+	/*
 	 * Make sure the effective address is within the limits of the
 	 * segment. In long mode, the limit is -1L. Thus, the second part
 	 * of the check always succeeds.
-- 
2.9.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ