lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <FF4E5F98-A2C5-405D-B538-1AD789E4F989@gmail.com>
Date:   Mon, 6 Feb 2023 19:06:50 +0100
From:   Jakob Koschel <jkl820.git@...il.com>
To:     Dave Hansen <dave.hansen@...el.com>
Cc:     Jarkko Sakkinen <jarkko@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        linux-sgx@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Pietro Borrello <borrello@...g.uniroma1.it>,
        Cristiano Giuffrida <c.giuffrida@...nl>,
        "Bos, H.J." <h.j.bos@...nl>
Subject: Re: [PATCH] x86/sgx: Avoid using iterator after loop in
 sgx_mmu_notifier_release()



> On 6. Feb 2023, at 18:10, Dave Hansen <dave.hansen@...el.com> wrote:
> 
> On 2/6/23 02:39, Jakob Koschel wrote:
>> If &encl_mm->encl->mm_list does not contain the searched 'encl_mm',
>> 'tmp' will not point to a valid sgx_encl_mm struct.
>> 
>> Since the code within the guarded block is just called when the element
>> is found, it can simply be moved into the list iterator.
>> Within the list iterator 'tmp' is guaranteed to point to a valid
>> element.
>> 
>> Signed-off-by: Jakob Koschel <jkl820.git@...il.com>
>> ---
>> Linus proposed to avoid any use of the list iterator variable after the
>> loop, in the attempt to move the list iterator variable declaration into
>> the marcro to avoid any potential misuse after the loop.
>> Using it in a pointer comparision after the loop is undefined behavior
>> and should be omitted if possible [1].
> 
> I think there's a big difference between "undefined behavior" and
> "someone wants to flip a switch to *make* this undefined behavior".  My
> understanding is that this patch avoids behavior which _is_ defined today.
> 
> Is there some effort to change this behavior across the tree that I missed?

Some background information if interested: 

If 'encl_mm' was not found, 'tmp' always points somewhere into 'sgx_encl'.
In that case it is not possible to match 'encl_mm' (if 'encl_mm' always
points to a valid struct).

It's still used as a 'struct sgx_encl_mm' pointer even though the memory
it is pointing to is something completely different, which I would argue
is undefined behavior. 
(I would argue not all undefined behavior is automatically exploitable or
causing a bug)

[1] shows some effort on removing any use of the list iterator variable
after the loop, so ideally it can be declared within the macro itself.
I've showcased a similar case to this becoming an issue after reordering
certain struct members in [2].

Some more information here [3], [4].

> 
> In any case, this patch also kinda breaks the rule that you're supposed
> to make the common path through the code at the lowest nesting level.
> It makes the common case look like some kind of error handling.  Would
> something like the attached patch work?<sgxmm.patch>

of course! Actually the way I would have preferred.

I've posted several patches fixing those cases all across the tree and
always got mixed feedback. 
(I proposed your way to others and was asked to change it into the
way I posted it and vice versa).

I'm happy to change it to the way you proposed way in v2 ;) Thanks!

- Jakob

Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
Link: https://lore.kernel.org/all/86C4CE7D-6D93-456B-AA82-F8ADEACA40B7@gmail.com/ [2]
Link: https://lwn.net/Articles/885941/ [3]
Link: https://lwn.net/Articles/887097/ [4]


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ