[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20200721022658.299445d8@f32-m1.lan>
Date: Tue, 21 Jul 2020 02:26:58 -0700
From: Kevin Buettner <kevinb@...hat.com>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] copy_xstate_to_kernel: Fix typo which caused GDB
regression
On Tue, 21 Jul 2020 10:59:07 +0200
Florian Weimer <fw@...eb.enyo.de> wrote:
> * Kevin Buettner:
>
> > This commit fixes a regression encountered while running the
> > gdb.base/corefile.exp test in GDB's test suite.
> >
> > In my testing, the typo prevented the sw_reserved field of struct
> > fxregs_state from being output to the kernel XSAVES area. Thus the
> > correct mask corresponding to XCR0 was not present in the core file
> > for GDB to interrogate, resulting in the following behavior:
> >
> > [kev@...-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile testsuite/outputs/gdb.base/corefile/corefile.core
> > Reading symbols from testsuite/outputs/gdb.base/corefile/corefile...
> > [New LWP 232880]
> >
> > warning: Unexpected size of section `.reg-xstate/232880' in core file.
> >
> > With the typo fixed, the test works again as expected.
> >
> > Signed-off-by: Kevin Buettner <kevinb@...hat.com>
> > ---
> > arch/x86/kernel/fpu/xstate.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> > index 6a54e83d5589..9cf40a7ff7ae 100644
> > --- a/arch/x86/kernel/fpu/xstate.c
> > +++ b/arch/x86/kernel/fpu/xstate.c
> > @@ -1022,7 +1022,7 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
> > copy_part(offsetof(struct fxregs_state, st_space), 128,
> > &xsave->i387.st_space, &kbuf, &offset_start, &count);
> > if (header.xfeatures & XFEATURE_MASK_SSE)
> > - copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256,
> > + copy_part(xstate_offsets[XFEATURE_SSE], 256,
> > &xsave->i387.xmm_space, &kbuf, &offset_start, &count);
> > /*
> > * Fill xsave->i387.sw_reserved value for ptrace frame:
>
> Does this read out-of-bounds, potentially disclosing kernel memory?
> Not if the system supports AVX, I assume.
An overlarge offset (first parameter) passed to copy_part() will cause
fill_gap() to be called which will copy data out of &init_fpstate.xsave.
Care is taken in both fill_gap and copy_part to not copy more data
than the remaining count.
So, I think the answer is "no".
Kevin
Powered by blists - more mailing lists