lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <39b94091-d452-4dac-9012-ae43024462cd@gmail.com>
Date: Tue, 9 Jul 2024 20:20:17 +0200
From: Mirsad Todorovac <mtodorovac69@...il.com>
To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
 Kees Cook <kees@...nel.org>, Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
 Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
 "H. Peter Anvin" <hpa@...or.com>,
 Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
 Arnd Bergmann <arnd@...db.de>, Brian Gerst <brgerst@...il.com>,
 Josh Poimboeuf <jpoimboe@...nel.org>,
 Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
 Peter Collingbourne <pcc@...gle.com>, linux-kernel@...r.kernel.org,
 linux-hardening@...r.kernel.org
Subject: Re: [PATCH] x86/syscall: Avoid memcpy() for ia32
 syscall_get_arguments()



On 7/9/24 01:44, Gustavo A. R. Silva wrote:
> 
> 
> On 7/8/24 14:22, Kees Cook wrote:
>> Modern (fortified) memcpy() prefers to avoid writing (or reading) beyond
>> the end of the addressed destination (or source) struct member:
>>
>> In function ‘fortify_memcpy_chk’,
>>      inlined from ‘syscall_get_arguments’ at ./arch/x86/include/asm/syscall.h:85:2,
>>      inlined from ‘populate_seccomp_data’ at kernel/seccomp.c:258:2,
>>      inlined from ‘__seccomp_filter’ at kernel/seccomp.c:1231:3:
>> ./include/linux/fortify-string.h:580:25: error: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
>>    580 |                         __read_overflow2_field(q_size_field, size);
>>        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> As already done for x86_64 and compat mode, do not use memcpy() to
>> extract syscall arguments from struct pt_regs but rather just perform
>> direct assignments. Binary output differences are negligible, and actually
>> ends up using less stack space:
>>
>> -       sub    $0x84,%esp
>> +       sub    $0x6c,%esp
>>
>> and less text size:
>>
>>     text    data     bss     dec     hex filename
>>    10794     252       0   11046    2b26 gcc-32b/kernel/seccomp.o.stock
>>    10714     252       0   10966    2ad6 gcc-32b/kernel/seccomp.o.after
>>
>> Reported-by: Mirsad Todorovac <mtodorovac69@...il.com>
>> Closes: https://lore.kernel.org/lkml/9b69fb14-df89-4677-9c82-056ea9e706f5@gmail.com/
>> Signed-off-by: Kees Cook <kees@...nel.org>
>> ---
>> Cc: Thomas Gleixner <tglx@...utronix.de>
>> Cc: Ingo Molnar <mingo@...hat.com>
>> Cc: Borislav Petkov <bp@...en8.de>
>> Cc: Dave Hansen <dave.hansen@...ux.intel.com>
>> Cc: x86@...nel.org
>> Cc: "H. Peter Anvin" <hpa@...or.com>
>> Cc: Daniel Sneddon <daniel.sneddon@...ux.intel.com>
>> Cc: Arnd Bergmann <arnd@...db.de>
>> Cc: Brian Gerst <brgerst@...il.com>
>> Cc: Josh Poimboeuf <jpoimboe@...nel.org>
>> Cc: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
>> Cc: Peter Collingbourne <pcc@...gle.com>
> 
> Reviewed-by: Gustavo A. R. Silva <gustavoars@...nel.org>
> 
> Thanks

I can confirm that the error was fixed after applying the patch, in the same build environment.

Tested-by: Mirsad Todorovac <mtodorovac69@...il.com>

However, why memcpy() directly from struct pt_regs doesn't work is beyond my understanding :-/

FWIW, bulk memcpy() might be replaced by a single assembler instruction? Or am I thinking still
in 6502 mode? :-)

Best regards,
Mirsad Todorovac

> -- 
> Gustavo
> 
>> ---
>>   arch/x86/include/asm/syscall.h | 7 ++++++-
>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
>> index 2fc7bc3863ff..7c488ff0c764 100644
>> --- a/arch/x86/include/asm/syscall.h
>> +++ b/arch/x86/include/asm/syscall.h
>> @@ -82,7 +82,12 @@ static inline void syscall_get_arguments(struct task_struct *task,
>>                        struct pt_regs *regs,
>>                        unsigned long *args)
>>   {
>> -    memcpy(args, &regs->bx, 6 * sizeof(args[0]));
>> +    args[0] = regs->bx;
>> +    args[1] = regs->cx;
>> +    args[2] = regs->dx;
>> +    args[3] = regs->si;
>> +    args[4] = regs->di;
>> +    args[5] = regs->bp;
>>   }
>>     static inline int syscall_get_arch(struct task_struct *task)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ