lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 21 Jul 2020 02:26:58 -0700
From:   Kevin Buettner <kevinb@...hat.com>
To:     Florian Weimer <fw@...eb.enyo.de>
Cc:     Al Viro <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] copy_xstate_to_kernel: Fix typo which caused GDB
 regression

On Tue, 21 Jul 2020 10:59:07 +0200
Florian Weimer <fw@...eb.enyo.de> wrote:

> * Kevin Buettner:
> 
> > This commit fixes a regression encountered while running the
> > gdb.base/corefile.exp test in GDB's test suite.
> >
> > In my testing, the typo prevented the sw_reserved field of struct
> > fxregs_state from being output to the kernel XSAVES area.  Thus the
> > correct mask corresponding to XCR0 was not present in the core file
> > for GDB to interrogate, resulting in the following behavior:
> >
> > [kev@...-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile testsuite/outputs/gdb.base/corefile/corefile.core
> > Reading symbols from testsuite/outputs/gdb.base/corefile/corefile...
> > [New LWP 232880]
> >
> > warning: Unexpected size of section `.reg-xstate/232880' in core file.
> >
> > With the typo fixed, the test works again as expected.
> >
> > Signed-off-by: Kevin Buettner <kevinb@...hat.com>
> > ---
> >  arch/x86/kernel/fpu/xstate.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> > index 6a54e83d5589..9cf40a7ff7ae 100644
> > --- a/arch/x86/kernel/fpu/xstate.c
> > +++ b/arch/x86/kernel/fpu/xstate.c
> > @@ -1022,7 +1022,7 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
> >  		copy_part(offsetof(struct fxregs_state, st_space), 128,
> >  			  &xsave->i387.st_space, &kbuf, &offset_start, &count);
> >  	if (header.xfeatures & XFEATURE_MASK_SSE)
> > -		copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256,
> > +		copy_part(xstate_offsets[XFEATURE_SSE], 256,
> >  			  &xsave->i387.xmm_space, &kbuf, &offset_start, &count);
> >  	/*
> >  	 * Fill xsave->i387.sw_reserved value for ptrace frame:  
> 
> Does this read out-of-bounds, potentially disclosing kernel memory?
> Not if the system supports AVX, I assume.

An overlarge offset (first parameter) passed to copy_part() will cause
fill_gap() to be called which will copy data out of &init_fpstate.xsave.
Care is taken in both fill_gap and copy_part to not copy more data
than the remaining count.

So, I think the answer is "no".

Kevin

Powered by blists - more mailing lists