lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <165779691047.15455.17101013839320515682.tip-bot2@tip-bot2>
Date:   Thu, 14 Jul 2022 11:08:30 -0000
From:   "tip-bot2 for Thadeu Lima de Souza Cascardo" <tip-bot2@...utronix.de>
To:     linux-tip-commits@...r.kernel.org
Cc:     Linux Kernel Functional Testing <lkft@...aro.org>,
        Thadeu Lima de Souza Cascardo <cascardo@...onical.com>,
        Borislav Petkov <bp@...e.de>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: [tip: x86/urgent] x86/kvm: Fix FASTOP_SIZE when return thunks are enabled

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     3652dee22a2a321d6dabe1ea0aa4b2b3c87da8dc
Gitweb:        https://git.kernel.org/tip/3652dee22a2a321d6dabe1ea0aa4b2b3c87da8dc
Author:        Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
AuthorDate:    Wed, 13 Jul 2022 14:12:41 -03:00
Committer:     Borislav Petkov <bp@...e.de>
CommitterDate: Thu, 14 Jul 2022 09:59:10 +02:00

x86/kvm: Fix FASTOP_SIZE when return thunks are enabled

The return thunk call makes the fastop functions larger, just like IBT
does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled.

Otherwise, functions will be incorrectly aligned and when computing
their position for differently sized operators, they will execute in the
middle or end of a function, which may as well be an int3, leading to a
crash like:

  int3: 0000 [#1] SMP NOPTI
  CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
  Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
  Call Trace:
   <TASK>
   ? fastop
   x86_emulate_insn
   x86_emulate_instruction
   ? kvm_arch_vcpu_load
   ? vmx_prepare_switch_to_host
   complete_emulated_mmio
   kvm_arch_vcpu_ioctl_run
   kvm_vcpu_ioctl
   ? kvm_vcpu_ioctl
   ? __fget_files
   ? __fget_files
   __x64_sys_ioctl
   do_syscall_64
   ? syscall_exit_to_user_mode
   ? do_syscall_64
   ? syscall_exit_to_user_mode
   ? __x64_sys_writev
   ? do_syscall_64
   ? exit_to_user_mode_prepare
   ? syscall_exit_to_user_mode
   ? do_syscall_64
   ? do_syscall_64
   ? do_syscall_64
   ? do_syscall_64
   entry_SYSCALL_64_after_hwframe
  ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
Reported-by: Linux Kernel Functional Testing <lkft@...aro.org>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
Signed-off-by: Borislav Petkov <bp@...e.de>
Link: https://lore.kernel.org/r/CA%2BG9fYtntg7=zWSs-dm%2Bn_AUr_u0eBOU0zrwWqMeXZ%2BSF6_bLw@mail.gmail.com
---
 arch/x86/kvm/emulate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index db96bf7..d779eea 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -190,7 +190,7 @@
 #define X16(x...) X8(x), X8(x)
 
 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
-#define FASTOP_SIZE (8 * (1 + HAS_KERNEL_IBT))
+#define FASTOP_SIZE (8 * (1 + (HAS_KERNEL_IBT | IS_ENABLED(CONFIG_RETHUNK))))
 
 struct opcode {
 	u64 flags;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ