lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sat, 23 Oct 2021 19:32:34 +0300
From:   "Kirill A. Shutemov" <kirill@...temov.name>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Tom Lendacky <thomas.lendacky@....com>,
        Joerg Roedel <jroedel@...e.de>,
        Kuppuswamy Sathyanarayanan 
        <sathyanarayanan.kuppuswamy@...ux.intel.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Dave Hansen <dave.hansen@...el.com>,
        Sean Christopherson <seanjc@...gle.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Tony Luck <tony.luck@...el.com>
Subject: Re: [PATCH 2/3] x86/insn-eval: Introduce insn_decode_mmio()

On Tue, Oct 19, 2021 at 10:34:45AM +0200, Peter Zijlstra wrote:
> On Mon, Oct 18, 2021 at 07:49:41PM +0300, Kirill A. Shutemov wrote:
> > On Mon, Oct 18, 2021 at 05:53:49PM +0200, Peter Zijlstra wrote:
> > > On Mon, Oct 18, 2021 at 06:33:32PM +0300, Kirill A. Shutemov wrote:
> > > 
> > > > diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c
> > > > index fbaa3fa24bde..2ab29d8d6731 100644
> > > > --- a/arch/x86/lib/insn-eval.c
> > > > +++ b/arch/x86/lib/insn-eval.c
> > > > @@ -1559,3 +1559,85 @@ bool insn_decode_from_regs(struct insn *insn, struct pt_regs *regs,
> > > >  
> > > >  	return true;
> > > >  }
> > > > +
> > > > +/**
> > > > + * insn_decode_mmio() - Decode a MMIO instruction
> > > > + * @insn:	Structure to store decoded instruction
> > > > + * @bytes:	Returns size of memory operand
> > > > + *
> > > > + * Decodes instruction that used for Memory-mapped I/O.
> > > > + *
> > > > + * Returns:
> > > > + *
> > > > + * Type of the instruction. Size of the memory operand is stored in
> > > > + * @bytes. If decode failed, MMIO_DECODE_FAILED returned.
> > > > + */
> > > > +enum mmio_type insn_decode_mmio(struct insn *insn, int *bytes)
> > > > +{
> > > > +	int type = MMIO_DECODE_FAILED;
> > > > +
> > > > +	*bytes = 0;
> > > > +
> > > > +	insn_get_opcode(insn);
> > > 
> > > insn_get_opcode() can fail. Either you assume it's already called and
> > > don't call it, or you can't assume anything and get to do error
> > > handling.
> > 
> > Fair enough. I will return MMIO_DECODE_FAILED if insn_get_opcode() fails.
> > 
> > BTW, looks like is_string_insn() suffers from the same issue. Not sure how
> > to fix it though.
> 
> AFAICT all callers of insn_get_addr_ref() (which is what
> is_string_insn() seems to be part of) do a insn_decode_*() call with
> error checking before.
> 
> So it looks like that insn_get_opcode() in there is superfluous.
> probably same for insn_has_rep_prefix() / get_seg_reg_override_idx() /
> get_eff_addr_modrm_*(). That all wants cleaning up.
> 
> The esaiest way is probably to push those things up the callchains into
> the !static function and have it fail early there.

Looks like insn_get_addr_ref() is the only non-static callsite:

	is_string_insn
	  check_seg_overrides
	    resolve_seg_reg
	      get_seg_base_limit
		get_addr_ref_XX
		  insn_get_addr_ref
	  resolve_default_seg
	    resolve_seg_reg (as above)

What about this:

>From 576a390de4759f591709c9961b5d7add02c814f0 Mon Sep 17 00:00:00 2001
From: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Date: Sat, 23 Oct 2021 19:26:07 +0300
Subject: [PATCH] x86/insn-eval: Handle insn_get_opcode() failure

is_string_insn() calls insn_get_opcode() that can fail, but does not
handle the failure.

is_string_insn() interface does not allow to communicate an error to the
caller.

Push insn_get_opcode() to the only non-static user of is_string_insn()
and fail it early if insn_get_opcode() fails.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
---
 arch/x86/lib/insn-eval.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c
index 1714359f48bd..ccbc7b253d98 100644
--- a/arch/x86/lib/insn-eval.c
+++ b/arch/x86/lib/insn-eval.c
@@ -37,8 +37,6 @@ enum reg_type {
  */
 static bool is_string_insn(struct insn *insn)
 {
-	insn_get_opcode(insn);
-
 	/* All string instructions have a 1-byte opcode. */
 	if (insn->opcode.nbytes != 1)
 		return false;
@@ -1425,6 +1423,9 @@ void __user *insn_get_addr_ref(struct insn *insn, struct pt_regs *regs)
 	if (!insn || !regs)
 		return (void __user *)-1L;
 
+	if (insn_get_opcode(insn))
+		return (void __user *)-1L;
+
 	switch (insn->addr_bytes) {
 	case 2:
 		return get_addr_ref_16(insn, regs);
-- 
 Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ