lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e23a2ccb-095f-c6eb-4857-d0083454cc29@linux.intel.com>
Date:   Mon, 11 Sep 2017 12:51:21 -0700
From:   Dave Hansen <dave.hansen@...ux.intel.com>
To:     Eric Biggers <ebiggers3@...il.com>, x86@...nel.org
Cc:     linux-kernel@...r.kernel.org, Andy Lutomirski <luto@...nel.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Fenghua Yu <fenghua.yu@...el.com>,
        Ingo Molnar <mingo@...nel.org>, Kevin Hao <haokexin@...il.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Wanpeng Li <wanpeng.li@...mail.com>,
        Yu-cheng Yu <yu-cheng.yu@...el.com>, stable@...r.kernel.org
Subject: Re: [PATCH] x86/fpu: don't let PTRACE_SETREGSET set xcomp_bv

On 09/08/2017 09:49 AM, Eric Biggers wrote:
> diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
> index b188b16841e3..718b791bc037 100644
> --- a/arch/x86/kernel/fpu/regset.c
> +++ b/arch/x86/kernel/fpu/regset.c
> @@ -131,11 +131,15 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
>  
>  	fpu__activate_fpstate_write(fpu);
>  
> -	if (boot_cpu_has(X86_FEATURE_XSAVES))
> +	if (boot_cpu_has(X86_FEATURE_XSAVES)) {
>  		ret = copyin_to_xsaves(kbuf, ubuf, xsave);
> -	else
> +	} else {
>  		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
>  
> +		/* xcomp_bv must be zero when using uncompacted format */
> +		xsave->header.xcomp_bv = 0;
> +	}

Thanks for finding this!

I wonder if just writing over the user arguments is the right thing
here.  It's quite conceivable that userspace has a *real* compacted
(XSAVEC-generated) buffer.  Doing this could still end up corrupting data.

I think we probably (re?) define NT_X86_XSTATE as being for uncompacted
state only.  Then, return an error back to userspace to tell them they
tried to do something we can't support.

We might even want to check all the reserved bits in the uncompacted
XSAVE header and enforce that they come in as zero.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ