[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y2TtXAW1LhOwlE64@kroah.com>
Date: Fri, 4 Nov 2022 11:45:48 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Kunbo Zhang <absoler@...il.nju.edu.cn>
Cc: dmitry.torokhov@...il.com, tiwai@...e.de,
wsa+renesas@...g-engineering.com, linux-kernel@...r.kernel.org,
linux-input@...r.kernel.org, security@...nel.org
Subject: Re: [PATCH] input: i8042 - fix a double-fetch vulnerability
introduced by GCC
On Fri, Nov 04, 2022 at 03:23:47PM +0800, Kunbo Zhang wrote:
> We found GCC (at least 9.4.0 and 12.1) introduces a double-fetch of `i8042_ports[I8042_AUX_PORT_NO].serio` at drivers/input/serio/i8042.c:408.
>
> One comparison of the global variable `i8042_ports[I8042_AUX_PORT_NO].serio` has been compiled to three ones,
> and thus two extra fetches are introduced.
And what problem does this cause?
> As in the source code, the global variable is tested (at line 408) before three assignments of irq_bit, disable_bit and port_name.
> However, as shown in the following disassembly of i8042_port_close(),
> the variable (0x0(%rip)) is fetched and tested three times for each
> assignment of irq_bit, disable_bit and port_name.
There should not be any problem with this as that value does not ever
change except in rare cases (shutdown or init).
>
> 0000000000000e50 <i8042_port_close>:
> i8042_port_close():
> ./drivers/input/serio/i8042.c:408
> e50: 48 39 3d 00 00 00 00 cmp %rdi,0x0(%rip) # first load
> ./drivers/input/serio/i8042.c:403
> e57: 41 54 push %r12
> ./drivers/input/serio/i8042.c:408
> e59: b8 ef ff ff ff mov $0xffffffef,%eax
> e5e: 49 c7 c4 00 00 00 00 mov $0x0,%r12
> ./drivers/input/serio/i8042.c:403
> e65: 55 push %rbp
> ./drivers/input/serio/i8042.c:408
> e66: 48 c7 c2 00 00 00 00 mov $0x0,%rdx
> ./drivers/input/serio/i8042.c:419
> e6d: be 60 10 00 00 mov $0x1060,%esi
> ./drivers/input/serio/i8042.c:403
> e72: 53 push %rbx
> ./drivers/input/serio/i8042.c:408
> e73: bb df ff ff ff mov $0xffffffdf,%ebx
> e78: 0f 45 d8 cmovne %eax,%ebx
> e7b: 0f 95 c0 setne %al
> e7e: 83 e8 03 sub $0x3,%eax
> e81: 48 39 3d 00 00 00 00 cmp %rdi,0x0(%rip) # second load
> e88: 40 0f 94 c5 sete %bpl
> e8c: 83 c5 01 add $0x1,%ebp
> e8f: 48 39 3d 00 00 00 00 cmp %rdi,0x0(%rip) # third load
> ./drivers/input/serio/i8042.c:419
> e96: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
> ./drivers/input/serio/i8042.c:408
> e9d: 4c 0f 45 e2 cmovne %rdx,%r12
>
> We have not found any lock protection for the three fetches of `i8042_ports[I8042_AUX_PORT_NO].serio` yet.
> If the value of this global variable is modified concurrently among the three fetches, the corresponding assignment of
> disable_bit or port_name will possibly be incorrect.
When can that modification happen?
And if you really want to protect it, use the existing lock in the
structure, don't manually attempt to place calls to barrier(), that will
not work, sorry.
thanks,
greg k-h
Powered by blists - more mailing lists