lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 6 Jun 2019 15:09:13 +0200
From:   Pavel Machek <pavel@...x.de>
To:     pavel@....cz
Cc:     linux-kernel@...r.kernel.org,
        "Peter Zijlstra (Intel)" <peterz@...radead.org>,
        Borislav Petkov <bp@...en8.de>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...nel.org>, Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH 4.19 208/276] x86/ia32: Fix ia32_restore_sigcontext() AC
 leak

Hi!

(stable removed from cc).

> [ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]
> 
> Objtool spotted that we call native_load_gs_index() with AC set.
> Re-arrange the code to avoid that.

Does this introduce undefined behaviour?
> 
> @@ -72,6 +71,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
>  				   struct sigcontext_32 __user *sc)
>  {
>  	unsigned int tmpflags, err = 0;
> +	u16 gs, fs, es, ds;
>  	void __user *buf;
>  	u32 tmp;
>  
> @@ -79,16 +79,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
>  	current->restart_block.fn = do_no_restart_syscall;
>  
>  	get_user_try {
> -		/*
> -		 * Reload fs and gs if they have changed in the signal
> -		 * handler.  This does not handle long fs/gs base changes in
> -		 * the handler, but does not clobber them at least in the
> -		 * normal case.
> -		 */
> -		RELOAD_SEG(gs);
> -		RELOAD_SEG(fs);
> -		RELOAD_SEG(ds);
> -		RELOAD_SEG(es);

> +		gs = GET_SEG(gs);

es is unitialized at this point, and we can trap.

> +		fs = GET_SEG(fs);
> +		ds = GET_SEG(ds);
> +		es = GET_SEG(es);
>  
>  		COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
>  		COPY(dx); COPY(cx); COPY(ip); COPY(ax);
> @@ -106,6 +100,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
>  		buf = compat_ptr(tmp);
>  	} get_user_catch(err);
>  
> +	/*
> +	 * Reload fs and gs if they have changed in the signal
> +	 * handler.  This does not handle long fs/gs base changes in
> +	 * the handler, but does not clobber them at least in the
> +	 * normal case.
> +	 */
> +	RELOAD_SEG(gs);
> +	RELOAD_SEG(fs);
> +	RELOAD_SEG(ds);
> +	RELOAD_SEG(es);
> +

But now we use uninitialized value in es...

>  	err |= fpu__restore_sig(buf, 1);
>  
>  	force_iret();

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists