Open Source and information security mailing list archives
Date: Sat, 17 Jul 2021 08:28:50 -0700
From: "Chang S. Bae" <chang.seok.bae@...el.com>
To: bp@...e.de, luto@...nel.org, tglx@...utronix.de, mingo@...nel.org, x86@...nel.org
Cc: len.brown@...el.com, dave.hansen@...el.com, thiago.macieira@...el.com, jing2.liu@...el.com, ravi.v.shankar@...el.com, linux-kernel@...r.kernel.org, chang.seok.bae@...el.com
Subject: [PATCH v8 13/26] x86/fpu/xstate: Support ptracer-induced XSTATE buffer expansion

ptrace() may update XSTATE data before the target task has taken an XFD fault and expanded the XSTATE buffer. Detect this case and allocate a sufficient buffer to support the request. Also, disable the (now unnecessary) associated first-use fault.

Signed-off-by: Chang S. Bae <chang.seok.bae@...el.com>
Reviewed-by: Len Brown <len.brown@...el.com>
Cc: x86@...nel.org
Cc: linux-kernel@...r.kernel.org
---
Changes from v5:
* Adjusted to use 'tmpbuf' for the new base code.

Changes from v4:
* Improved the condition check for the expansion.
* Simplified the XSTATE_BV retrieval.
* Updated the code comment.

Changes from v3:
* Removed 'no functional changes' in the changelog. (Borislav Petkov)

Changes from v2:
* Updated the changelog with task->fpu removed. (Borislav Petkov)
* Updated the code comments.

--- arch/x86/kernel/fpu/regset.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c index 73d7d7b489fe..244e672c3e3d 100644 --- a/arch/x86/kernel/fpu/regset.c +++ b/arch/x86/kernel/fpu/regset.c 
@@ -163,6 +163,30 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset, } } + /* + * When a ptracer attempts to write any dynamic user state in the + * target buffer but not sufficiently allocated, it dynamically + * expands the buffer. + * + * Check if the expansion is possibly needed. + */ + if (xfeatures_mask_user_dynamic && + ((fpu->state_mask & xfeatures_mask_user_dynamic) != xfeatures_mask_user_dynamic)) { + u64 state_mask; + + /* Retrieve XSTATE_BV. */ + memcpy(&state_mask, (kbuf ?: tmpbuf) + offsetof(struct xregs_state, header), + sizeof(u64)); + + /* Expand the xstate buffer based on the XSTATE_BV. */ + state_mask &= xfeatures_mask_user_dynamic; + if (state_mask) { + ret = alloc_xstate_buffer(fpu, state_mask); + if (ret) + goto out; + } + } + fpu_force_restore(fpu); ret = copy_uabi_from_kernel_to_xstate(fpu, kbuf ?: tmpbuf); -- 2.17.1
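Review bot: In the new block in xstateregs_set(), XSTATE_BV is read straight out of the ptracer-supplied buffer and passed to alloc_xstate_buffer() before copy_uabi_from_kernel_to_xstate() runs, so a request that the copy later rejects still leaves the target with an expanded buffer. Consider doing the expansion only after the header has been checked, or state in the comment that a leftover expansion on the error path is intended. Two smaller points on the same lines: the inner mask "state_mask &= xfeatures_mask_user_dynamic" does not drop features already present in fpu->state_mask, so alloc_xstate_buffer() can be asked for components the outer condition shows may already be allocated; masking with "& ~fpu->state_mask" as well would make the request match what is actually missing. The memcpy() from "offsetof(struct xregs_state, header)" relies on the XSTATE_BV field being the first member of the header; naming that member in the offsetof() would make the dependency explicit. The changelog also says the first-use fault is disabled, but nothing in this hunk touches XFD, so a comment saying where that happens would help the reader. Finally, the comment "but not sufficiently allocated, it dynamically expands the buffer" is hard to parse; it should say that the kernel expands the target's buffer when it is too small for the state being written.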