| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202012021104.0C38FB7FD@keescook>
Date: Wed, 2 Dec 2020 11:07:26 -0800
From: Kees Cook <keescook@...omium.org>
To: Tom Lendacky <thomas.lendacky@....com>
Cc: Masami Hiramatsu <mhiramat@...nel.org>, x86@...nel.org,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
"H . Peter Anvin" <hpa@...or.com>, Joerg Roedel <jroedel@...e.de>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Jann Horn <jannh@...gle.com>,
Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] x86/sev-es: Fix not using prefixes.nbytes for loop
over prefixes.bytes
On Wed, Dec 02, 2020 at 09:31:57AM -0600, Tom Lendacky wrote:
> On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> > Since the insn.prefixes.nbytes can be bigger than the size of
> > insn.prefixes.bytes[] when a same prefix is repeated, we have to
> > check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> > of insn.prefixes.nbytes.
> >
> > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > Reported-by: Kees Cook <keescook@...omium.org>
> > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > ---
> > arch/x86/boot/compressed/sev-es.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> > index 954cb2702e23..6a7a3027c9ac 100644
> > --- a/arch/x86/boot/compressed/sev-es.c
> > +++ b/arch/x86/boot/compressed/sev-es.c
> > @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
> > insn_get_prefixes(insn);
> > - for (i = 0; i < insn->prefixes.nbytes; i++) {
> > + for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
You must test "i" before bytes[i] or you still do the out-of-bounds-read.
>
> Wouldn't it be better to create a #define for the size rather than hard
> coding 4 in the various files? That would protect everything should the
> bytes array size ever change in the future.
Agreed, and perhaps instead of repeating the idiom in the for loop, add
a helper like:
#define insn_prefix_valid(prefixes, i) (i >=0 && i < 4 && prefixes->bytes[i])
to be used like:
for (i = 0; insn_prefix_valid(&insn->prefixes, i); i++) {
>
> Thanks,
> Tom
>
> > insn_byte_t p = insn->prefixes.bytes[i];
> > if (p == 0xf2 || p == 0xf3)
> >
--
Kees Cook
Powered by blists - more mailing lists