[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <39b94091-d452-4dac-9012-ae43024462cd@gmail.com>
Date: Tue, 9 Jul 2024 20:20:17 +0200
From: Mirsad Todorovac <mtodorovac69@...il.com>
To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>,
Kees Cook <kees@...nel.org>, Thomas Gleixner <tglx@...utronix.de>
Cc: Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Daniel Sneddon <daniel.sneddon@...ux.intel.com>,
Arnd Bergmann <arnd@...db.de>, Brian Gerst <brgerst@...il.com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
Peter Collingbourne <pcc@...gle.com>, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH] x86/syscall: Avoid memcpy() for ia32
syscall_get_arguments()
On 7/9/24 01:44, Gustavo A. R. Silva wrote:
>
>
> On 7/8/24 14:22, Kees Cook wrote:
>> Modern (fortified) memcpy() prefers to avoid writing (or reading) beyond
>> the end of the addressed destination (or source) struct member:
>>
>> In function ‘fortify_memcpy_chk’,
>> inlined from ‘syscall_get_arguments’ at ./arch/x86/include/asm/syscall.h:85:2,
>> inlined from ‘populate_seccomp_data’ at kernel/seccomp.c:258:2,
>> inlined from ‘__seccomp_filter’ at kernel/seccomp.c:1231:3:
>> ./include/linux/fortify-string.h:580:25: error: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
>> 580 | __read_overflow2_field(q_size_field, size);
>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> As already done for x86_64 and compat mode, do not use memcpy() to
>> extract syscall arguments from struct pt_regs but rather just perform
>> direct assignments. Binary output differences are negligible, and actually
>> ends up using less stack space:
>>
>> - sub $0x84,%esp
>> + sub $0x6c,%esp
>>
>> and less text size:
>>
>> text data bss dec hex filename
>> 10794 252 0 11046 2b26 gcc-32b/kernel/seccomp.o.stock
>> 10714 252 0 10966 2ad6 gcc-32b/kernel/seccomp.o.after
>>
>> Reported-by: Mirsad Todorovac <mtodorovac69@...il.com>
>> Closes: https://lore.kernel.org/lkml/9b69fb14-df89-4677-9c82-056ea9e706f5@gmail.com/
>> Signed-off-by: Kees Cook <kees@...nel.org>
>> ---
>> Cc: Thomas Gleixner <tglx@...utronix.de>
>> Cc: Ingo Molnar <mingo@...hat.com>
>> Cc: Borislav Petkov <bp@...en8.de>
>> Cc: Dave Hansen <dave.hansen@...ux.intel.com>
>> Cc: x86@...nel.org
>> Cc: "H. Peter Anvin" <hpa@...or.com>
>> Cc: Daniel Sneddon <daniel.sneddon@...ux.intel.com>
>> Cc: Arnd Bergmann <arnd@...db.de>
>> Cc: Brian Gerst <brgerst@...il.com>
>> Cc: Josh Poimboeuf <jpoimboe@...nel.org>
>> Cc: Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
>> Cc: Peter Collingbourne <pcc@...gle.com>
>
> Reviewed-by: Gustavo A. R. Silva <gustavoars@...nel.org>
>
> Thanks
I can confirm that the error was fixed after applying the patch, in the same build environment.
Tested-by: Mirsad Todorovac <mtodorovac69@...il.com>
However, why memcpy() directly from struct pt_regs doesn't work is beyond my understanding :-/
FWIW, bulk memcpy() might be replaced by a single assembler instruction? Or am I thinking still
in 6502 mode? :-)
Best regards,
Mirsad Todorovac
> --
> Gustavo
>
>> ---
>> arch/x86/include/asm/syscall.h | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
>> index 2fc7bc3863ff..7c488ff0c764 100644
>> --- a/arch/x86/include/asm/syscall.h
>> +++ b/arch/x86/include/asm/syscall.h
>> @@ -82,7 +82,12 @@ static inline void syscall_get_arguments(struct task_struct *task,
>> struct pt_regs *regs,
>> unsigned long *args)
>> {
>> - memcpy(args, ®s->bx, 6 * sizeof(args[0]));
>> + args[0] = regs->bx;
>> + args[1] = regs->cx;
>> + args[2] = regs->dx;
>> + args[3] = regs->si;
>> + args[4] = regs->di;
>> + args[5] = regs->bp;
>> }
>> static inline int syscall_get_arch(struct task_struct *task)
Powered by blists - more mailing lists