lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Z-PawJpGJRcSTMnc@google.com>
Date: Wed, 26 Mar 2025 10:45:20 +0000
From: Keir Fraser <keirf@...gle.com>
To: Mark Rutland <mark.rutland@....com>
Cc: linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
	Kristina Martsenko <kristina.martsenko@....com>,
	Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>, Marc Zyngier <maz@...nel.org>,
	stable@...r.kernel.org
Subject: Re: [PATCH] arm64: mops: Do not dereference src reg for a set
 operation

On Wed, Mar 26, 2025 at 10:26:47AM +0000, Mark Rutland wrote:
> On Wed, Mar 26, 2025 at 07:02:55AM +0000, Keir Fraser wrote:
> > The register is not defined and reading it can result in a UBSAN
> > out-of-bounds array access error, specifically when the srcreg field
> > value is 31.
> 
> I'm assuming this is for a MOPS exception taken from a SET* sequence
> with XZR as the source?

Yes.

> It'd be nice to say that explicitly, as this is the only case where any
> of the src/dst/size fields in the ESR can be reported as 31. In all
> other cases where a CPY* or SET* instruction takes register 31 as an
> argument, the behaviour is CONSTRAINED UNPREDICTABLE and cannot generate
> a MOPS exception.

Okay, will do.

> Note that in ARM DDI 0487 L.a there's a bug where:
> 
> * The prose says that SET* taking XZR as a src is CONSTRAINED
>   UNPREDICTABLE, per K1.2.17.1.1 linked from C6.2.332.
> 
>   The title for the K1.2.17.1.1 is "Memory Copy and Memory Set CPY*",
>   which looks like an editing error.
> 
> * The pseudocode is explicit that the CONSTRAINED UNPREDICTABLE
>   behaviours differ for CPY* and SET* per J1.1.3.121
>   CheckCPYConstrainedUnpredictable() and J1.1.3.125
>   CheckSETConstrainedUnpredictable().
> 
> ... and I'll go file a ticket about that soon if someone doesn't beat me
> to it.
> 
> > Cc: Kristina Martsenko <kristina.martsenko@....com>
> > Cc: Catalin Marinas <catalin.marinas@....com>
> > Cc: Mark Rutland <mark.rutland@....com>
> > Cc: Will Deacon <will@...nel.org>
> > Cc: Marc Zyngier <maz@...nel.org>
> > Cc: stable@...r.kernel.org
> 
> Looks like this should have:
> 
> Fixes: 2de451a329cf662b ("KVM: arm64: Add handler for MOPS exceptions")
> 
> Prior to that, the code in do_el0_mops() was benign as the use of
> pt_regs_read_reg() prevented the out-of-bounds access. It'd also be nice
> to note that in the commit message.

I will add this too. And Marc's reviewed-by. And re-send as v2. Thanks!

 Keir

> Mark.
> 
> > Signed-off-by: Keir Fraser <keirf@...gle.com>
> > ---
> >  arch/arm64/include/asm/traps.h | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/arch/arm64/include/asm/traps.h b/arch/arm64/include/asm/traps.h
> > index d780d1bd2eac..82cf1f879c61 100644
> > --- a/arch/arm64/include/asm/traps.h
> > +++ b/arch/arm64/include/asm/traps.h
> > @@ -109,10 +109,9 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon
> >  	int dstreg = ESR_ELx_MOPS_ISS_DESTREG(esr);
> >  	int srcreg = ESR_ELx_MOPS_ISS_SRCREG(esr);
> >  	int sizereg = ESR_ELx_MOPS_ISS_SIZEREG(esr);
> > -	unsigned long dst, src, size;
> > +	unsigned long dst, size;
> >  
> >  	dst = regs->regs[dstreg];
> > -	src = regs->regs[srcreg];
> >  	size = regs->regs[sizereg];
> >  
> >  	/*
> > @@ -129,6 +128,7 @@ static inline void arm64_mops_reset_regs(struct user_pt_regs *regs, unsigned lon
> >  		}
> >  	} else {
> >  		/* CPY* instruction */
> > +		unsigned long src = regs->regs[srcreg];
> >  		if (!(option_a ^ wrong_option)) {
> >  			/* Format is from Option B */
> >  			if (regs->pstate & PSR_N_BIT) {
> > -- 
> > 2.49.0.395.g12beb8f557-goog
> > 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ