| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z-PawJpGJRcSTMnc@google.com>
Date: Wed, 26 Mar 2025 10:45:20 +0000
From: Keir Fraser <keirf@...gle.com>
To: Mark Rutland <mark.rutland@....com>
Cc: linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
Kristina Martsenko <kristina.martsenko@....com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, Marc Zyngier <maz@...nel.org>,
stable@...r.kernel.org
Subject: Re: [PATCH] arm64: mops: Do not dereference src reg for a set
operation
On Wed, Mar 26, 2025 at 10:26:47AM +0000, Mark Rutland wrote:
> On Wed, Mar 26, 2025 at 07:02:55AM +0000, Keir Fraser wrote:
> > The register is not defined and reading it can result in a UBSAN
> > out-of-bounds array access error, specifically when the srcreg field
> > value is 31.
>
> I'm assuming this is for a MOPS exception taken from a SET* sequence
> with XZR as the source?
Yes.
> It'd be nice to say that explicitly, as this is the only case where any
> of the src/dst/size fields in the ESR can be reported as 31. In all
> other cases where a CPY* or SET* instruction takes register 31 as an
> argument, the behaviour is CONSTRAINED UNPREDICTABLE and cannot generate
> a MOPS exception.
Okay, will do.
> Note that in ARM DDI 0487 L.a there's a bug where:
>
> * The prose says that SET* taking XZR as a src is CONSTRAINED
> UNPREDICTABLE, per K1.2.17.1.1 linked from C6.2.332.
>
> The title for the K1.2.17.1.1 is "Memory Copy and Memory Set CPY*",
> which looks like an editing error.
>
> * The pseudocode is explicit that the CONSTRAINED UNPREDICTABLE
> behaviours differ for CPY* and SET* per J1.1.3.121
> CheckCPYConstrainedUnpredictable() and J1.1.3.125
> CheckSETConstrainedUnpredictable().
>
> ... and I'll go file a ticket about that soon if someone doesn't beat me
> to it.
>
> > Cc: Kristina Martsenko <kristina.martsenko@....com>
> > Cc: Catalin Marinas <catalin.marinas@....com>
> > Cc: Mark Rutland <mark.rutland@....com>
> > Cc: Will Deacon <will@...nel.org>
> > Cc: Marc Zyngier <maz@...nel.org>
> > Cc: stable@...r.kernel.org
>
> Looks like this should have:
>
> Fixes: 2de451a329cf662b ("KVM: arm64: Add handler for MOPS exceptions")
>
> Prior to that, the code in do_el0_mops() was benign as the use of
> pt_regs_read_reg() prevented the out-of-bounds access. It'd also be nice
> to note that in the commit message.
I will add this too. And Marc's reviewed-by. And re-send as v2. Thanks!
Keir
> Mark.
>
> > Signed-off-by: Keir Fraser <keirf@...gle.com>
> > ---
> > arch/arm64/include/asm/traps.h | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/arm64/include/asm/traps.h b/arch/arm64/include/asm/traps.h
> > index d780d1bd2eac..82cf1f879c61 100644
> > --- a/arch/arm64/include/asm/traps.h
> > +++ b/arch/arm64/include/asm/traps.h
> > @@ -109,10 +109,9 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon
> > int dstreg = ESR_ELx_MOPS_ISS_DESTREG(esr);
> > int srcreg = ESR_ELx_MOPS_ISS_SRCREG(esr);
> > int sizereg = ESR_ELx_MOPS_ISS_SIZEREG(esr);
> > - unsigned long dst, src, size;
> > + unsigned long dst, size;
> >
> > dst = regs->regs[dstreg];
> > - src = regs->regs[srcreg];
> > size = regs->regs[sizereg];
> >
> > /*
> > @@ -129,6 +128,7 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon
> > }
> > } else {
> > /* CPY* instruction */
> > + unsigned long src = regs->regs[srcreg];
> > if (!(option_a ^ wrong_option)) {
> > /* Format is from Option B */
> > if (regs->pstate & PSR_N_BIT) {
> > --
> > 2.49.0.395.g12beb8f557-goog
> >
Powered by blists - more mailing lists