lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170524140254.GE7275@nazgul.tnic>
Date:   Wed, 24 May 2017 16:02:55 +0200
From:   Borislav Petkov <bp@...e.de>
To:     Mateusz Jurczyk <mjurczyk@...gle.com>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Andy Lutomirski <luto@...nel.org>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86: Prevent uninitialized stack byte read in
 apply_alternatives()

On Wed, May 24, 2017 at 03:55:00PM +0200, Mateusz Jurczyk wrote:
> In the current form of the code, if a->replacementlen is 0, the reference
> to *insnbuf for comparison touches potentially garbage memory. While it
> doesn't affect the execution flow due to the subsequent a->replacementlen
> comparison, it is (rightly) detected as use of uninitialized memory by a
> runtime instrumentation currently under my development, and could be
> detected as such by other tools in the future, too (e.g. KMSAN).
> 
> Fix the "false-positive" by reordering the conditions to first check the
> replacement instruction length before referencing specific opcode bytes.
> 
> Signed-off-by: Mateusz Jurczyk <mjurczyk@...gle.com>
> ---
> Changes in v2:
>   - Add an explaining comment, as per Borislav Petkov's request.
> 
>  arch/x86/kernel/alternative.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index c5b8f760473c..32e14d137416 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -409,8 +409,13 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
>  		memcpy(insnbuf, replacement, a->replacementlen);
>  		insnbuf_sz = a->replacementlen;
>  
> -		/* 0xe8 is a relative jump; fix the offset. */
> -		if (*insnbuf == 0xe8 && a->replacementlen == 5) {
> +		/*
> +		 * 0xe8 is a relative jump; fix the offset.
> +		 *
> +		 * Instruction length is checked before the opcode to avoid
> +		 * accessing uninitialized bytes for zero-length replacements.
> +		 */
> +		if (a->replacementlen == 5 && *insnbuf == 0xe8) {
>  			*(s32 *)(insnbuf + 1) += replacement - instr;
>  			DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
>  				*(s32 *)(insnbuf + 1),
> -- 

Reviewed-by: Borislav Petkov <bp@...e.de>

-- 
Regards/Gruss,
    Boris.

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ