lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 3 Dec 2020 11:03:02 +0900
From:   Masami Hiramatsu <mhiramat@...nel.org>
To:     Kees Cook <keescook@...omium.org>
Cc:     Tom Lendacky <thomas.lendacky@....com>,
        Masami Hiramatsu <mhiramat@...nel.org>, x86@...nel.org,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
        "H . Peter Anvin" <hpa@...or.com>, Joerg Roedel <jroedel@...e.de>,
        "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        Jann Horn <jannh@...gle.com>,
        Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
        Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] x86/sev-es: Fix not using prefixes.nbytes for loop
 over prefixes.bytes

On Wed, 2 Dec 2020 11:07:26 -0800
Kees Cook <keescook@...omium.org> wrote:

> On Wed, Dec 02, 2020 at 09:31:57AM -0600, Tom Lendacky wrote:
> > On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> > > Since the insn.prefixes.nbytes can be bigger than the size of
> > > insn.prefixes.bytes[] when a same prefix is repeated, we have to
> > > check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> > > of insn.prefixes.nbytes.
> > > 
> > > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > > Reported-by: Kees Cook <keescook@...omium.org>
> > > Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
> > > ---
> > >   arch/x86/boot/compressed/sev-es.c |    2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> > > index 954cb2702e23..6a7a3027c9ac 100644
> > > --- a/arch/x86/boot/compressed/sev-es.c
> > > +++ b/arch/x86/boot/compressed/sev-es.c
> > > @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
> > >   	insn_get_prefixes(insn);
> > > -	for (i = 0; i < insn->prefixes.nbytes; i++) {
> > > +	for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
> 
> You must test "i" before bytes[i] or you still do the out-of-bounds-read.

Oops, thanks.

> 
> > 
> > Wouldn't it be better to create a #define for the size rather than hard
> > coding 4 in the various files? That would protect everything should the
> > bytes array size ever change in the future.
> 
> Agreed, and perhaps instead of repeating the idiom in the for loop, add
> a helper like:
> 
> #define insn_prefix_valid(prefixes, i) (i >=0 && i < 4 && prefixes->bytes[i])
> 
> to be used like:
> 
> 	for (i = 0; insn_prefix_valid(&insn->prefixes, i); i++) {

Hm, for all of these usage, they are looping on the prefixes, so

for_each_insn_prefix(insn, idx, prefix) {
...
}

will be simpler.

Thank you,

> 
> > 
> > Thanks,
> > Tom
> > 
> > >   		insn_byte_t p = insn->prefixes.bytes[i];
> > >   		if (p == 0xf2 || p == 0xf3)
> > > 
> 
> -- 
> Kees Cook


-- 
Masami Hiramatsu <mhiramat@...nel.org>

Powered by blists - more mailing lists