| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Dec 2018 21:07:22 +0100
From: Borislav Petkov <bp@...en8.de>
To: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Cc: linux-kernel@...r.kernel.org, x86@...nel.org,
Andy Lutomirski <luto@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Radim Krčmář <rkrcmar@...hat.com>,
kvm@...r.kernel.org, "Jason A. Donenfeld" <Jason@...c4.com>,
Rik van Riel <riel@...riel.com>,
Dave Hansen <dave.hansen@...ux.intel.com>
Subject: Re: [PATCH 08/29] x86/fpu: Remove fpu->initialized usage in
__fpu__restore_sig()
On Wed, Nov 28, 2018 at 11:20:14PM +0100, Sebastian Andrzej Siewior wrote:
> This is a preparation for the removal of the ->initialized member in the
> fpu struct.
> __fpu__restore_sig() is deactivating the FPU via fpu__drop() and then
> setting manually ->initialized followed by fpu__restore(). The result is
> that it is possible to manipulate fpu->state and the state of registers
> won't be saved/restored on a context switch which would overwrite
> fpu->state.
>
> Don't access the fpu->state while the content is read from user space
> and examined / sanitized. Use a temporary kmalloc() buffer for the
> preparation of the FPU registers and once the state is considered okay,
> load it. Should something go wrong, return with an error and without
> altering the original FPU registers.
>
> The removal of "fpu__initialize()" is a nop because fpu->initialized is
> already set for the user task.
>
> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
> ---
> arch/x86/include/asm/fpu/signal.h | 2 +-
> arch/x86/kernel/fpu/regset.c | 5 ++--
> arch/x86/kernel/fpu/signal.c | 41 ++++++++++++-------------------
> 3 files changed, 19 insertions(+), 29 deletions(-)
...
> diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
> index d99a8ee9e185e..9c35598697b94 100644
> --- a/arch/x86/kernel/fpu/signal.c
> +++ b/arch/x86/kernel/fpu/signal.c
> @@ -207,11 +207,11 @@ int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
> }
>
> static inline void
> -sanitize_restored_xstate(struct task_struct *tsk,
> +sanitize_restored_xstate(union fpregs_state *state,
> struct user_i387_ia32_struct *ia32_env,
> u64 xfeatures, int fx_only)
> {
> - struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
> + struct xregs_state *xsave = &state->xsave;
> struct xstate_header *header = &xsave->header;
>
> if (use_xsave()) {
> @@ -238,7 +238,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
> */
> xsave->i387.mxcsr &= mxcsr_feature_mask;
>
> - convert_to_fxsr(tsk, ia32_env);
> + convert_to_fxsr(&state->fxsave, ia32_env);
> }
> }
>
> @@ -284,8 +284,6 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
> if (!access_ok(VERIFY_READ, buf, size))
> return -EACCES;
>
> - fpu__initialize(fpu);
> -
> if (!static_cpu_has(X86_FEATURE_FPU))
> return fpregs_soft_set(current, NULL,
> 0, sizeof(struct user_i387_ia32_struct),
> @@ -314,41 +312,34 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
> * thread's fpu state, reconstruct fxstate from the fsave
> * header. Validate and sanitize the copied state.
> */
> + union fpregs_state *state;
> + void *tmp;
> struct user_i387_ia32_struct env;
> int err = 0;
Sort those in reverse xmas order pls.
Otherwise looks ok.
--
Regards/Gruss,
Boris.
Good mailing practices for 400: avoid top-posting and trim the reply.
Powered by blists - more mailing lists