| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 May 2017 16:02:55 +0200
From: Borislav Petkov <bp@...e.de>
To: Mateusz Jurczyk <mjurczyk@...gle.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>,
Andy Lutomirski <luto@...nel.org>, x86@...nel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86: Prevent uninitialized stack byte read in
apply_alternatives()
On Wed, May 24, 2017 at 03:55:00PM +0200, Mateusz Jurczyk wrote:
> In the current form of the code, if a->replacementlen is 0, the reference
> to *insnbuf for comparison touches potentially garbage memory. While it
> doesn't affect the execution flow due to the subsequent a->replacementlen
> comparison, it is (rightly) detected as use of uninitialized memory by a
> runtime instrumentation currently under my development, and could be
> detected as such by other tools in the future, too (e.g. KMSAN).
>
> Fix the "false-positive" by reordering the conditions to first check the
> replacement instruction length before referencing specific opcode bytes.
>
> Signed-off-by: Mateusz Jurczyk <mjurczyk@...gle.com>
> ---
> Changes in v2:
> - Add an explaining comment, as per Borislav Petkov's request.
>
> arch/x86/kernel/alternative.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index c5b8f760473c..32e14d137416 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -409,8 +409,13 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
> memcpy(insnbuf, replacement, a->replacementlen);
> insnbuf_sz = a->replacementlen;
>
> - /* 0xe8 is a relative jump; fix the offset. */
> - if (*insnbuf == 0xe8 && a->replacementlen == 5) {
> + /*
> + * 0xe8 is a relative jump; fix the offset.
> + *
> + * Instruction length is checked before the opcode to avoid
> + * accessing uninitialized bytes for zero-length replacements.
> + */
> + if (a->replacementlen == 5 && *insnbuf == 0xe8) {
> *(s32 *)(insnbuf + 1) += replacement - instr;
> DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
> *(s32 *)(insnbuf + 1),
> --
Reviewed-by: Borislav Petkov <bp@...e.de>
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--
Powered by blists - more mailing lists