| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <160707930875.3296595.12884856538916078988.stgit@devnote2>
Date: Fri, 4 Dec 2020 19:55:09 +0900
From: Masami Hiramatsu <mhiramat@...nel.org>
To: x86@...nel.org, Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>
Cc: Kees Cook <keescook@...omium.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
"H . Peter Anvin" <hpa@...or.com>, Joerg Roedel <jroedel@...e.de>,
Tom Lendacky <thomas.lendacky@....com>,
"Gustavo A . R . Silva" <gustavoars@...nel.org>,
Jann Horn <jannh@...gle.com>,
Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
Ricardo Neri <ricardo.neri-calderon@...ux.intel.com>,
linux-kernel@...r.kernel.org
Subject: [PATCH v3 0/3] x86/insn: Fix not using prefixes.nbytes for loop over prefixes.bytes
Hi,
Here are the 3rd version of patches to fix the wrong loop boundary
check on insn.prefixes.bytes[] array.
The previous version is here;
https://lkml.kernel.org/r/160697102582.3146288.10127018634865687932.stgit@devnote2
In this version, I've fixed some comments, added NUM_INSN_FIELD_BYTES
and MAX_LEGACY_PREFIX_GROUPS macros and commented on it.
Kees Cook got a syzbot warning and found this issue and there were
similar wrong boundary check patterns in the x86 code.
Since the insn.prefixes.nbytes can be bigger than the size of
insn.prefixes.bytes[] when a same prefix is repeated, we have to
check whether the insn.prefixes.bytes[i] != 0 (*) and i < 4 instead
of insn.prefixes.nbytes.
(*) Note that insn.prefixes.bytes[] should be zeroed in insn_init()
before decoding, and 0x00 is not a legacy prefix. So if you see 0
on insn.prefix.bytes[], it indicates the end of the array. Or,
if the prefixes.bytes[] is filled with prefix bytes, we can check
the index is less than 4.
Thank you,
---
Masami Hiramatsu (3):
x86/uprobes: Fix not using prefixes.nbytes for loop over prefixes.bytes
x86/insn-eval: Fix not using prefixes.nbytes for loop over prefixes.bytes
x86/sev-es: Fix not using prefixes.nbytes for loop over prefixes.bytes
arch/x86/boot/compressed/sev-es.c | 5 ++--
arch/x86/include/asm/insn.h | 49 ++++++++++++++++++++++++++++++++++++-
arch/x86/kernel/uprobes.c | 10 +++++---
arch/x86/lib/insn-eval.c | 10 ++++----
arch/x86/lib/insn.c | 2 +-
tools/arch/x86/include/asm/insn.h | 49 ++++++++++++++++++++++++++++++++++++-
tools/arch/x86/lib/insn.c | 2 +-
7 files changed, 111 insertions(+), 16 deletions(-)
--
Masami Hiramatsu (Linaro) <mhiramat@...nel.org>
Powered by blists - more mailing lists