From: Masami Hiramatsu
To: x86@kernel.org, Thomas Gleixner, Ingo Molnar, Borislav Petkov
Cc: Kees Cook, Masami Hiramatsu, "H . Peter Anvin", Joerg Roedel, Tom Lendacky, "Gustavo A . R . Silva", Jann Horn, Srikar Dronamraju, Ricardo Neri, linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/3] x86/insn: Fix not using prefixes.nbytes for loop over prefixes.bytes
Date: Thu, 3 Dec 2020 13:50:26 +0900
Message-Id: <160697102582.3146288.10127018634865687932.stgit@devnote2>

Hi,

Here is the 2nd version of the patches to fix the wrong loop boundary check on the insn.prefixes.bytes[] array.

The previous version is here:

  https://lkml.kernel.org/r/160689905099.3084105.7880450206184269465.stgit@devnote2

In this version, I introduced the for_each_insn_prefix() macro for looping over the prefixes in the given instruction and fixed the out-of-bounds-read issue by checking the index first. Also, I sorted the patches so that the fix for the oldest commit becomes the first patch, because it will go into the older stable kernels, and that patch introduces the new iteration macro.

Kees Cook got a syzbot warning and found this issue, and there were similar wrong boundary-check patterns in the x86 code. Since insn.prefixes.nbytes can be bigger than the size of insn.prefixes.bytes[] when the same prefix is repeated, we have to check whether insn.prefixes.bytes[i] != 0 (*) and i < 4 instead of insn.prefixes.nbytes.

(*) Note that insn.prefixes.bytes[] should be zeroed in insn_init() before decoding, and 0x00 is not a legacy prefix. So if you see 0 in insn.prefixes.bytes[], it indicates the end of the array. Or, if prefixes.bytes[] is filled with prefix bytes, we can check that the index is less than 4.

Thank you,

---

Masami Hiramatsu (3):
      x86/uprobes: Fix not using prefixes.nbytes for loop over prefixes.bytes
      x86/insn-eval: Fix not using prefixes.nbytes for loop over prefixes.bytes
      x86/sev-es: Fix not using prefixes.nbytes for loop over prefixes.bytes


 arch/x86/boot/compressed/sev-es.c |    5 ++---
 arch/x86/include/asm/insn.h       |   15 +++++++++++++++
 arch/x86/kernel/uprobes.c         |   10 ++++++----
 arch/x86/lib/insn-eval.c          |   10 +++++-----
 4 files changed, 28 insertions(+), 12 deletions(-)

--
Masami Hiramatsu (Linaro)
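The bookkeeping the cover letter describes, as an added example that is not code from this series or from the kernel's arch/x86/lib/insn.c: a constructed model of insn.prefixes in which nbytes counts every legacy prefix byte consumed while bytes[] keeps only distinct ones, a bounded iteration macro modelled on the for_each_insn_prefix() the series introduces, and a helper that measures how far the old "i < nbytes" bound would read past the array instead of performing that read. The struct layout, the decode routine, the sample encodings and all function names are this example's own assumptions, not the kernel's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PREFIX_BYTES 4	/* size of prefixes.bytes[] */

/* Constructed model of the two fields the cover letter contrasts: nbytes
 * counts every legacy prefix byte consumed (repeats included); bytes[] holds
 * at most four distinct prefixes and stays 0x00-padded after the last one. */
struct insn {
	struct {
		uint8_t bytes[MAX_PREFIX_BYTES];
		int nbytes;
	} prefixes;
	const uint8_t *next_byte;
	const uint8_t *end;
};

/* x86 legacy prefixes: LOCK, REPNE/REP, segment overrides, operand/address size. */
static bool is_legacy_prefix(uint8_t b)
{
	return b == 0xF0 || b == 0xF2 || b == 0xF3 || b == 0x66 || b == 0x67 ||
	       b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E || b == 0x64 || b == 0x65;
}

/* Decode the legacy-prefix run of an instruction (assumed behaviour, not the
 * kernel's decoder). The struct is zeroed first: 0x00 is never a prefix, so a
 * 0 in bytes[] marks the end. A repeated prefix bumps nbytes but is not stored
 * again, so nbytes may exceed MAX_PREFIX_BYTES; a fifth distinct prefix ends
 * the scan. */
struct insn decode_prefixes(const uint8_t *buf, size_t len)
{
	struct insn insn;
	int nb = 0;

	memset(&insn, 0, sizeof(insn));
	insn.next_byte = buf;
	insn.end = buf + len;

	while (insn.next_byte < insn.end && is_legacy_prefix(*insn.next_byte)) {
		uint8_t b = *insn.next_byte;
		int i;

		for (i = 0; i < nb; i++)
			if (insn.prefixes.bytes[i] == b)
				break;
		if (i == nb) {
			if (nb == MAX_PREFIX_BYTES)
				break;
			insn.prefixes.bytes[nb++] = b;
		}
		insn.prefixes.nbytes++;
		insn.next_byte++;
	}
	return insn;
}

/* Bounded iteration: stop at the array size or at the 0x00 terminator, never
 * at nbytes. Modelled on the for_each_insn_prefix() the series describes. */
#define for_each_insn_prefix(insn, idx, prefix)			\
	for (idx = 0, prefix = (insn)->prefixes.bytes[0];		\
	     idx < MAX_PREFIX_BYTES && prefix;				\
	     prefix = (insn)->prefixes.bytes[++idx])

bool insn_has_prefix(const struct insn *insn, uint8_t wanted)
{
	int idx;
	uint8_t prefix;

	for_each_insn_prefix(insn, idx, prefix)
		if (prefix == wanted)
			return true;
	return false;
}

/* How many slots past the end of bytes[] the old bound "i < nbytes" would
 * read. Reported rather than performed, since performing it is the bug. */
int old_loop_overrun(const struct insn *insn)
{
	int excess = insn->prefixes.nbytes - MAX_PREFIX_BYTES;
	return excess > 0 ? excess : 0;
}

/* Wrappers over a raw byte buffer, for callers that only have the bytes. */
bool bytes_have_prefix(const uint8_t *buf, size_t len, uint8_t wanted)
{
	struct insn insn = decode_prefixes(buf, len);
	return insn_has_prefix(&insn, wanted);
}

int bytes_old_loop_overrun(const uint8_t *buf, size_t len)
{
	struct insn insn = decode_prefixes(buf, len);
	return old_loop_overrun(&insn);
}

/* Constructed sample encodings (not taken from the patch): six repeated 0x66
 * before NOP; LOCK, opsize, addrsize and CS before a REX.W ADD; a bare NOP. */
const uint8_t sample_repeated[] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x90 };
const uint8_t sample_four_distinct[] = { 0xF0, 0x66, 0x67, 0x2E, 0x48, 0x01, 0xC8 };
const uint8_t sample_no_prefix[] = { 0x90 };
```

The repeated-0x66 input is the case the cover letter warns about: nbytes ends up at 6 while only bytes[0] is filled, so a loop bounded by nbytes would read two slots past the array, whereas the macro stops at bytes[1] == 0. The four-distinct input is the other case mentioned, where bytes[] is completely filled and no 0x00 terminator exists; there only the idx < 4 bound ends the loop.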