Date: Wed, 1 Nov 2017 13:57:51 -0700
From: tip-bot for Ricardo Neri
To: linux-tip-commits@vger.kernel.org
Cc: colin.king@canonical.com, vbabka@suse.cz, adanhawthorn@gmail.com, dave.hansen@linux.intel.com, shuah@kernel.org, cmetcalf@mellanox.com, slaoub@gmail.com, tglx@linutronix.de, ravi.v.shankar@intel.com, liverlint@gmail.com, akpm@linux-foundation.org, ricardo.neri-calderon@linux.intel.com, adam.buchbinder@gmail.com, joe@perches.com, ray.huang@amd.com, mst@redhat.com, bp@suse.de, pbonzini@redhat.com, luto@kernel.org, mingo@kernel.org, hpa@zytor.com, brgerst@gmail.com, jslaby@suse.cz, lstoakes@gmail.com, qiaowei.ren@intel.com, paul.gortmaker@windriver.com, mhiramat@kernel.org, linux-kernel@vger.kernel.org, corbet@lwn.net, peterz@infradead.org
In-Reply-To: <1509135945-13762-9-git-send-email-ricardo.neri-calderon@linux.intel.com>
References: <1509135945-13762-9-git-send-email-ricardo.neri-calderon@linux.intel.com>
Subject: [tip:x86/mpx] x86/mpx: Do not use SIB.base if its value is 101b and ModRM.mod = 0
Git-Commit-ID: 4578f06fc93fb73c9c644ed838f4cdabbfdc4df1
Commit-ID:  4578f06fc93fb73c9c644ed838f4cdabbfdc4df1
Gitweb:     https://git.kernel.org/tip/4578f06fc93fb73c9c644ed838f4cdabbfdc4df1
Author:     Ricardo Neri
AuthorDate: Fri, 27 Oct 2017 13:25:35 -0700
Committer:  Thomas Gleixner
CommitDate: Wed, 1 Nov 2017 21:50:10 +0100

x86/mpx: Do not use SIB.base if its value is 101b and ModRM.mod = 0

Section 2.2.1.2 of the Intel 64 and IA-32 Architectures Software Developer's
Manual volume 2A states that if a SIB byte is used and SIB.base is 101b and
ModRM.mod is zero, then the base part of the effective address computation
is null. To signal this situation, a -EDOM error is returned to indicate to
callers that the base value present in the register operand should be
ignored. In this scenario, a 32-bit displacement follows the SIB byte.
Displacement is obtained when the instruction decoder parses the operands.

Signed-off-by: Ricardo Neri
Signed-off-by: Thomas Gleixner
Reviewed-by: Borislav Petkov
Cc: Adan Hawthorn
Cc: "Michael S. Tsirkin"
Cc: Peter Zijlstra
Cc: Dave Hansen
Cc: ricardo.neri@intel.com
Cc: Paul Gortmaker
Cc: Huang Rui
Cc: Qiaowei Ren
Cc: Shuah Khan
Cc: Jonathan Corbet
Cc: Jiri Slaby
Cc: Nathan Howard
Cc: "Ravi V. Shankar"
Cc: Chris Metcalf
Cc: Brian Gerst
Cc: Andy Lutomirski
Cc: Colin Ian King
Cc: Chen Yucong
Cc: Adam Buchbinder
Cc: Vlastimil Babka
Cc: Lorenzo Stoakes
Cc: Masami Hiramatsu
Cc: Joe Perches
Cc: Paolo Bonzini
Cc: Andrew Morton
Link: https://lkml.kernel.org/r/1509135945-13762-9-git-send-email-ricardo.neri-calderon@linux.intel.com
---
 arch/x86/mm/mpx.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index 2ad1d4a..581a960 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -123,6 +123,14 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs, case REG_TYPE_BASE: regno = X86_SIB_BASE(insn->sib.value); + /* + * If ModRM.mod is 0 and SIB.base == 5, the base of the + * register-indirect addressing is 0. In this case, a + * 32-bit displacement follows the SIB byte. + */ + if (!X86_MODRM_MOD(insn->modrm.value) && regno == 5) + return -EDOM; + if (X86_REX_B(insn->rex_prefix.value)) regno += 8; break; @@ -164,16 +172,22 @@ static void __user *mpx_get_addr_ref(struct insn *insn, struct pt_regs *regs) eff_addr = regs_get_register(regs, addr_offset); } else { if (insn->sib.nbytes) { + /* + * Negative values in the base and index offset means + * an error when decoding the SIB byte. Except -EDOM, + * which means that the registers should not be used + * in the address computation. + */ base_offset = get_reg_offset(insn, regs, REG_TYPE_BASE); - if (base_offset < 0) + if (base_offset == -EDOM) + base = 0; + else if (base_offset < 0) goto out; + else + base = regs_get_register(regs, base_offset); indx_offset = get_reg_offset(insn, regs, REG_TYPE_INDEX); - /* - * A negative offset generally means a error, except - * -EDOM, which means that the contents of the register - * should not be used as index. - */ + if (indx_offset == -EDOM) indx = 0; else if (indx_offset < 0) @@ -181,8 +195,6 @@ static void __user *mpx_get_addr_ref(struct insn *insn, struct pt_regs *regs) else indx = regs_get_register(regs, indx_offset); - base = regs_get_register(regs, base_offset); - eff_addr = base + indx * (1 << X86_SIB_SCALE(sib)); } else { addr_offset = get_reg_offset(insn, regs, REG_TYPE_RM);
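Review bot: in the REG_TYPE_BASE hunk (@@ -123) the `regno == 5` test is correctly placed before the `X86_REX_B` adjustment, since the no-base encoding applies to SIB.base = 101b whether or not REX.B is set, but the comment does not say so and a reader may think r13 is being excluded by mistake. Suggest extending it along the lines of `* This holds regardless of REX.B: r13 as a base needs ModRM.mod = 01b or 10b.` It would also help to state there that the 32-bit displacement is not read in this function and that the caller is expected to add the displacement the decoder already parsed.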
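Review bot: the new comment in the mpx_get_addr_ref() hunk (@@ -164) has a grammar slip and an incomplete scope: "Negative values in the base and index offset means an error" should read "mean an error", and since this one comment now covers both lookups while the old per-index comment is removed, it should also say what -EDOM means for the address, i.e. that the operand is then disp32-only (the displacement that follows the SIB byte) rather than just that "the registers should not be used". If the removed index comment leaves an added empty line ahead of `if (indx_offset == -EDOM)`, drop it so the base and index branches read symmetrically.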
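Review bot: with `base = regs_get_register(regs, base_offset);` removed in the last hunk (@@ -181), `eff_addr = base + indx * (1 << X86_SIB_SCALE(sib));` can now legitimately evaluate to 0 when both base_offset and indx_offset are -EDOM (a pure disp32 operand such as SIB.base = 101b, SIB.index = 100b with ModRM.mod = 0), so the entire address is the displacement. Make sure the code after this point adds the displacement and does not treat a zero eff_addr as a decode failure.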
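The addressing rule this patch implements, shown as a stand-alone decoder. This is an added example and not kernel code: it models 64-bit mode only, does not handle the RIP-relative form (mod = 00b, rm = 101b without SIB), and the register values and operand byte sequences are constructed for the demonstration. It goes slightly beyond the patch by also covering the SIB.index = 100b "no index" case and REX.X/REX.B, so the effect of testing SIB.base before applying REX.B (r13 is not selected by mod = 00b) is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a minimal 64-bit ModRM/SIB/displacement
 * decoder applying SDM vol. 2A section 2.2.1.2. With a SIB byte, ModRM.mod ==
 * 00b and SIB.base == 101b mean "no base register, a disp32 follows the SIB
 * byte"; REX.B does not change that, so r13 as a base needs mod 01b/10b just
 * like rbp. Registers and encodings below are constructed for the demo.
 */
struct regs {
	uint64_t r[16];	/* rax, rcx, rdx, rbx, rsp, rbp, rsi, rdi, r8..r15 */
};

struct mem_operand {
	int has_base;	/* 0 when mod == 00b and SIB.base == 101b */
	int has_index;	/* 0 when SIB.index == 100b without REX.X */
	int base, index, scale;
	int64_t disp;	/* sign-extended displacement, 0 if none */
	uint64_t eff;	/* base + index * scale + disp */
};

#define MODRM_MOD(b)	(((b) >> 6) & 3)
#define MODRM_RM(b)	((b) & 7)
#define SIB_SCALE(b)	(((b) >> 6) & 3)
#define SIB_INDEX(b)	(((b) >> 3) & 7)
#define SIB_BASE(b)	((b) & 7)
#define REX_X(rex)	(((rex) >> 1) & 1)
#define REX_B(rex)	((rex) & 1)

/*
 * bytes[0] is the ModRM byte. Returns the number of operand bytes consumed,
 * or -1 for a register-direct operand (mod == 11b), a RIP-relative operand
 * (not modelled here) or a buffer that is too short.
 */
int decode_mem_operand(const uint8_t *bytes, size_t len, uint8_t rex,
		       const struct regs *regs, struct mem_operand *out)
{
	size_t pos = 1;
	int mod, rm, disp_bytes = 0;

	memset(out, 0, sizeof(*out));
	if (len < 1)
		return -1;
	mod = MODRM_MOD(bytes[0]);
	rm = MODRM_RM(bytes[0]);
	if (mod == 3)
		return -1;

	if (rm == 4) {			/* a SIB byte follows ModRM */
		uint8_t sib;

		if (len < 2)
			return -1;
		sib = bytes[1];
		pos = 2;
		out->scale = 1 << SIB_SCALE(sib);
		if (SIB_INDEX(sib) == 4 && !REX_X(rex)) {
			out->has_index = 0;	/* index == 100b: no index */
		} else {
			out->has_index = 1;
			out->index = SIB_INDEX(sib) + (REX_X(rex) ? 8 : 0);
		}
		/* Test SIB.base before applying REX.B: the rule covers r13 too. */
		if (mod == 0 && SIB_BASE(sib) == 5) {
			out->has_base = 0;
			disp_bytes = 4;		/* disp32 follows the SIB byte */
		} else {
			out->has_base = 1;
			out->base = SIB_BASE(sib) + (REX_B(rex) ? 8 : 0);
		}
	} else {
		if (mod == 0 && rm == 5)
			return -1;		/* RIP-relative, out of scope */
		out->has_base = 1;
		out->base = rm + (REX_B(rex) ? 8 : 0);
		out->scale = 1;
	}

	if (mod == 1)
		disp_bytes = 1;
	else if (mod == 2)
		disp_bytes = 4;
	if (len < pos + disp_bytes)
		return -1;
	if (disp_bytes == 1) {
		out->disp = (int8_t)bytes[pos];
	} else if (disp_bytes == 4) {
		uint32_t d = (uint32_t)bytes[pos] | (uint32_t)bytes[pos + 1] << 8 |
			     (uint32_t)bytes[pos + 2] << 16 | (uint32_t)bytes[pos + 3] << 24;
		out->disp = (int32_t)d;
	}
	pos += disp_bytes;

	out->eff = (uint64_t)out->disp;
	if (out->has_base)
		out->eff += regs->r[out->base];
	if (out->has_index)
		out->eff += regs->r[out->index] * (uint64_t)out->scale;
	return (int)pos;
}

/* Constructed register file and operand encodings (the bytes after the opcode). */
static const struct regs demo_regs = { .r = { [0] = 0x10, [1] = 0x3, [5] = 0x1000, [13] = 0x2000 } };
const uint8_t enc_rcx4_disp32[] = { 0x04, 0x8D, 0x78, 0x56, 0x34, 0x12 }; /* [rcx*4 + 0x12345678] */
const uint8_t enc_rbp_rcx4[]    = { 0x44, 0x8D, 0x00 };	/* [rbp + rcx*4]: mod=01, disp8=0 */
const uint8_t enc_rbp_rcx4_m8[] = { 0x44, 0x8D, 0xF8 };	/* [rbp + rcx*4 - 8] */
const uint8_t enc_disp32_only[] = { 0x04, 0x25, 0x40, 0x00, 0x00, 0x00 }; /* [0x40]: no base, no index */
const uint8_t enc_rax_disp8[]   = { 0x40, 0x10 };	/* [rax + 0x10], no SIB */
const uint8_t enc_reg_direct[]  = { 0xC0 };		/* mod=11b: not a memory operand */

struct mem_operand demo_last;	/* filled by demo_eff() for inspection */
int demo_consumed;		/* bytes consumed by the last demo_eff() call, or -1 */

/* Decode one encoding against demo_regs; returns the effective address (0 on error). */
uint64_t demo_eff(const uint8_t *bytes, size_t len, uint8_t rex)
{
	demo_consumed = decode_mem_operand(bytes, len, rex, &demo_regs, &demo_last);
	return demo_consumed < 0 ? 0 : demo_last.eff;
}

int main(void)
{
	printf("[rcx*4+disp32] rex=0x41 -> %#llx, base used: %d (r13 NOT selected)\n",
	       (unsigned long long)demo_eff(enc_rcx4_disp32, sizeof enc_rcx4_disp32, 0x41), demo_last.has_base);
	printf("[r13+rcx*4] mod=01 rex=0x41 -> %#llx, base used: %d\n",
	       (unsigned long long)demo_eff(enc_rbp_rcx4, sizeof enc_rbp_rcx4, 0x41), demo_last.has_base);
	return 0;
}
```

The same SIB byte 0x8D (scale 4, index rcx, base 101b) encodes two different operands depending only on ModRM.mod: with mod = 00b it is `[rcx*4 + disp32]` with no base, with mod = 01b it is `[rbp + rcx*4 + disp8]`, and only in the latter form does REX.B turn rbp into r13. That is the distinction the patch's `regno == 5` check draws before REX.B is applied.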