lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jul 2020 02:26:58 -0700 From: Kevin Buettner <kevinb@...hat.com> To: Florian Weimer <fw@...eb.enyo.de> Cc: Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org Subject: Re: [PATCH] copy_xstate_to_kernel: Fix typo which caused GDB regression On Tue, 21 Jul 2020 10:59:07 +0200 Florian Weimer <fw@...eb.enyo.de> wrote: > * Kevin Buettner: > > > This commit fixes a regression encountered while running the > > gdb.base/corefile.exp test in GDB's test suite. > > > > In my testing, the typo prevented the sw_reserved field of struct > > fxregs_state from being output to the kernel XSAVES area. Thus the > > correct mask corresponding to XCR0 was not present in the core file > > for GDB to interrogate, resulting in the following behavior: > > > > [kev@...-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile testsuite/outputs/gdb.base/corefile/corefile.core > > Reading symbols from testsuite/outputs/gdb.base/corefile/corefile... > > [New LWP 232880] > > > > warning: Unexpected size of section `.reg-xstate/232880' in core file. > > > > With the typo fixed, the test works again as expected. > > > > Signed-off-by: Kevin Buettner <kevinb@...hat.com> > > --- > > arch/x86/kernel/fpu/xstate.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c > > index 6a54e83d5589..9cf40a7ff7ae 100644 > > --- a/arch/x86/kernel/fpu/xstate.c > > +++ b/arch/x86/kernel/fpu/xstate.c > > @@ -1022,7 +1022,7 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of > > copy_part(offsetof(struct fxregs_state, st_space), 128, > > &xsave->i387.st_space, &kbuf, &offset_start, &count); > > if (header.xfeatures & XFEATURE_MASK_SSE) > > - copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256, > > + copy_part(xstate_offsets[XFEATURE_SSE], 256, > > &xsave->i387.xmm_space, &kbuf, &offset_start, &count); > > /* > > * Fill xsave->i387.sw_reserved value for ptrace frame: > > Does this read out-of-bounds, potentially disclosing kernel memory? > Not if the system supports AVX, I assume. An overlarge offset (first parameter) passed to copy_part() will cause fill_gap() to be called which will copy data out of &init_fpstate.xsave. Care is taken in both fill_gap and copy_part to not copy more data than the remaining count. So, I think the answer is "no". Kevin
Powered by blists - more mailing lists