lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 3 Dec 2020 10:45:48 -0600
From:   Tom Lendacky <thomas.lendacky@....com>
To:     Borislav Petkov <bp@...en8.de>,
        Masami Hiramatsu <mhiramat@...nel.org>
Cc:     x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        "H . Peter Anvin" <hpa@...or.com>, Joerg Roedel <jroedel@...e.de>,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Jann Horn <jannh@...gle.com>,
        Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
        Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/3] x86/uprobes: Fix not using prefixes.nbytes for
 loop over prefixes.bytes

On 12/3/20 6:48 AM, Borislav Petkov wrote:
> So it ended up like this:
> 
> ---
>  From 5014e4e902778d63ce392f864b3654baa4b72384 Mon Sep 17 00:00:00 2001
> From: Masami Hiramatsu <mhiramat@...nel.org>
> Date: Thu, 3 Dec 2020 13:50:37 +0900
> Subject: [PATCH] x86/uprobes: Do not use prefixes.nbytes when looping over
>   prefixes.bytes
> 
> Since insn.prefixes.nbytes can be bigger than the size of
> insn.prefixes.bytes[] when a prefix is repeated, the proper check must
> be
> 
>    insn.prefixes.bytes[i] != 0 and i < 4
> 
> instead of using insn.prefixes.nbytes.
> 
> Introduce a for_each_insn_prefix() macro for this purpose. Debugged by
> Kees Cook <keescook@...omium.org>.
> 
>   [ bp: Massage commit message, add NUM_LEGACY_PREFIXES, sync with the
>     respective header in tools/ and drop "we". ]
> 
> Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
> Reported-by: syzbot+9b64b619f10f19d19a7c@...kaller.appspotmail.com
> Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> Signed-off-by: Borislav Petkov <bp@...e.de>
> Reviewed-by: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
> Cc: stable@...r.kernel.org
> Link: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flkml.kernel.org%2Fr%2F160697103739.3146288.7437620795200799020.stgit%40devnote2&amp;data=04%7C01%7Cthomas.lendacky%40amd.com%7Ce8ec706c564245542b4408d89789b727%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637425965056484231%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=csaC0C2cszr45mKES42CHeZjC4TnEJtKrMa0gSmHjn8%3D&amp;reserved=0
> ---
>   arch/x86/include/asm/insn.h       | 16 ++++++++++++++++
>   arch/x86/kernel/uprobes.c         | 10 ++++++----
>   tools/arch/x86/include/asm/insn.h | 18 +++++++++++++++++-
>   3 files changed, 39 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/include/asm/insn.h b/arch/x86/include/asm/insn.h
> index 5c1ae3eff9d4..fe8e862004d3 100644
> --- a/arch/x86/include/asm/insn.h
> +++ b/arch/x86/include/asm/insn.h
> @@ -58,6 +58,7 @@ struct insn {
>   };
>   
>   #define MAX_INSN_SIZE	15
> +#define NUM_LEGACY_PREFIXES 4
>   
>   #define X86_MODRM_MOD(modrm) (((modrm) & 0xc0) >> 6)
>   #define X86_MODRM_REG(modrm) (((modrm) & 0x38) >> 3)
> @@ -201,6 +202,21 @@ static inline int insn_offset_immediate(struct insn *insn)
>   	return insn_offset_displacement(insn) + insn->displacement.nbytes;
>   }
>   
> +/**
> + * for_each_insn_prefix() -- Iterate prefixes in the instruction
> + * @insn: Pointer to struct insn.
> + * @idx:  Index storage.
> + * @prefix: Prefix byte.
> + *
> + * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix
> + * and the index is stored in @idx (note that this @idx is just for a cursor,
> + * do not change it.)
> + * Since prefixes.nbytes can be bigger than NUM_LEGACY_PREFIXES if some prefixes
> + * are repeated, it cannot be used for looping over the prefixes.
> + */
> +#define for_each_insn_prefix(insn, idx, prefix)	\
> +	for (idx = 0; idx < NUM_LEGACY_PREFIXES && (prefix = insn->prefixes.bytes[idx]) != 0; idx++)

Since this is based on the array size, can

	idx < NUM_LEGACY_PREFIXES

be replaced with:

	idx < ARRAY_SIZE(insn->prefixes.bytes)

?

Thanks,
Tom

> +
>   #define POP_SS_OPCODE 0x1f
>   #define MOV_SREG_OPCODE 0x8e
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ