| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Dec 2020 11:03:02 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: Kees Cook <keescook@...omium.org>
Cc: Tom Lendacky <thomas.lendacky@....com>,
Masami Hiramatsu <mhiramat@...nel.org>, x86@...nel.org,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
"H . Peter Anvin" <hpa@...or.com>, Joerg Roedel <jroedel@...e.de>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Jann Horn <jannh@...gle.com>,
Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] x86/sev-es: Fix not using prefixes.nbytes for loop
over prefixes.bytes
On Wed, 2 Dec 2020 11:07:26 -0800
Kees Cook <keescook@...omium.org> wrote:
> On Wed, Dec 02, 2020 at 09:31:57AM -0600, Tom Lendacky wrote:
> > On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> > > Since the insn.prefixes.nbytes can be bigger than the size of
> > > insn.prefixes.bytes[] when a same prefix is repeated, we have to
> > > check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> > > of insn.prefixes.nbytes.
> > >
> > > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > > Reported-by: Kees Cook <keescook@...omium.org>
> > > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > > ---
> > > arch/x86/boot/compressed/sev-es.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> > > index 954cb2702e23..6a7a3027c9ac 100644
> > > --- a/arch/x86/boot/compressed/sev-es.c
> > > +++ b/arch/x86/boot/compressed/sev-es.c
> > > @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
> > > insn_get_prefixes(insn);
> > > - for (i = 0; i < insn->prefixes.nbytes; i++) {
> > > + for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
>
> You must test "i" before bytes[i] or you still do the out-of-bounds-read.
Oops, thanks.
>
> >
> > Wouldn't it be better to create a #define for the size rather than hard
> > coding 4 in the various files? That would protect everything should the
> > bytes array size ever change in the future.
>
> Agreed, and perhaps instead of repeating the idiom in the for loop, add
> a helper like:
>
> #define insn_prefix_valid(prefixes, i) (i >=0 && i < 4 && prefixes->bytes[i])
>
> to be used like:
>
> for (i = 0; insn_prefix_valid(&insn->prefixes, i); i++) {
Hm, for all of these usage, they are looping on the prefixes, so
for_each_insn_prefix(insn, idx, prefix) {
...
}
will be simpler.
Thank you,
>
> >
> > Thanks,
> > Tom
> >
> > > insn_byte_t p = insn->prefixes.bytes[i];
> > > if (p == 0xf2 || p == 0xf3)
> > >
>
> --
> Kees Cook
--
Masami Hiramatsu <mhiramat@...nel.org>
Powered by blists - more mailing lists