From: "tip-bot2 for Thomas Gleixner" <tip-bot2@linutronix.de>
To: linux-tip-commits@vger.kernel.org
Cc: Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@suse.de>,
x86@kernel.org, linux-kernel@vger.kernel.org
Subject: [tip: x86/fpu] x86/fpu: Reject invalid MXCSR values in copy_kernel_to_xstate()
Date: Wed, 23 Jun 2021 22:09:38 -0000 [thread overview]
Message-ID: <162448617894.395.180251854478791721.tip-bot2@tip-bot2> (raw)
In-Reply-To: <20210623121452.308388343@linutronix.de>
The following commit has been merged into the x86/fpu branch of tip:
Commit-ID: 947f4947cf00ea1e6d319eb182c64ea51ba4de8d
Gitweb: https://git.kernel.org/tip/947f4947cf00ea1e6d319eb182c64ea51ba4de8d
Author: Thomas Gleixner <tglx@linutronix.de>
AuthorDate: Wed, 23 Jun 2021 14:01:37 +02:00
Committer: Borislav Petkov <bp@suse.de>
CommitterDate: Wed, 23 Jun 2021 17:49:46 +02:00
x86/fpu: Reject invalid MXCSR values in copy_kernel_to_xstate()
Instead of masking out reserved bits, check them and reject the provided
state as invalid if not zero.
Suggested-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20210623121452.308388343@linutronix.de
---
arch/x86/kernel/fpu/xstate.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 2b7b579..9cf84c5 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1154,6 +1154,19 @@ void copy_xstate_to_kernel(struct membuf to, struct xregs_state *xsave)
membuf_zero(&to, to.left);
}
+static inline bool mxcsr_valid(struct xstate_header *hdr, const u32 *mxcsr)
+{
+ u64 mask = XFEATURE_MASK_FP | XFEATURE_MASK_SSE | XFEATURE_MASK_YMM;
+
+ /* Only check if it is in use */
+ if (hdr->xfeatures & mask) {
+ /* Reserved bits in MXCSR must be zero. */
+ if (*mxcsr & ~mxcsr_feature_mask)
+ return false;
+ }
+ return true;
+}
+
/*
* Convert from a ptrace standard-format kernel buffer to kernel XSAVE[S] format
* and copy to the target thread. This is called from xstateregs_set().
@@ -1172,6 +1185,9 @@ int copy_kernel_to_xstate(struct xregs_state *xsave, const void *kbuf)
if (validate_user_xstate_header(&hdr))
return -EINVAL;
+ if (!mxcsr_valid(&hdr, kbuf + offsetof(struct fxregs_state, mxcsr)))
+ return -EINVAL;
+
for (i = 0; i < XFEATURE_MAX; i++) {
u64 mask = ((u64)1 << i);
@@ -1202,9 +1218,6 @@ int copy_kernel_to_xstate(struct xregs_state *xsave, const void *kbuf)
*/
xsave->header.xfeatures |= hdr.xfeatures;
- /* mxcsr reserved bits must be masked to zero for historical reasons. */
- xsave->i387.mxcsr &= mxcsr_feature_mask;
-
return 0;
}
next prev parent reply other threads:[~2021-06-23 22:10 UTC|newest]
Thread overview: 142+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-23 12:01 [patch V4 00/65] x86/fpu: Spring cleaning and PKRU sanitizing Thomas Gleixner
2021-06-23 12:01 ` [patch V4 01/65] x86/fpu: Fix copy_xstate_to_kernel() gap handling Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 02/65] x86/pkeys: Revert a5eff7259790 ("x86/pkeys: Add PKRU value to init_fpstate") Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 03/65] x86/fpu: Mark various FPU states __ro_after_init Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] x86/fpu: Mark various FPU state variables __ro_after_init tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 04/65] x86/fpu: Make xfeatures_mask_all __ro_after_init Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 05/65] x86/fpu: Get rid of fpu__get_supported_xfeatures_mask() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 06/65] x86/fpu: Remove unused get_xsave_field_ptr() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 07/65] x86/fpu: Move inlines where they belong Thomas Gleixner
2021-06-23 18:43 ` Bae, Chang Seok
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 08/65] x86/fpu: Limit xstate copy size in xstateregs_set() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 09/65] x86/fpu: Sanitize xstateregs_set() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2022-07-14 4:04 ` [patch V4 09/65] " Andrei Vagin
2022-07-25 17:47 ` Dave Hansen
2022-07-25 17:57 ` Andrei Vagin
2022-07-25 21:26 ` Dave Hansen
2022-07-28 23:32 ` Chang S. Bae
2022-08-05 12:12 ` Andrei Vagin
2022-08-05 18:24 ` Chang S. Bae
2022-08-05 18:35 ` Dave Hansen
2021-06-23 12:01 ` [patch V4 10/65] x86/fpu: Reject invalid MXCSR values in copy_kernel_to_xstate() Thomas Gleixner
2021-06-23 22:09 ` tip-bot2 for Thomas Gleixner [this message]
2021-06-23 12:01 ` [patch V4 11/65] x86/fpu: Simplify PTRACE_GETREGS code Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Dave Hansen
2021-06-23 12:01 ` [patch V4 12/65] x86/fpu: Rewrite xfpregs_set() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Andy Lutomirski
2021-06-23 12:01 ` [patch V4 13/65] x86/fpu: Fail ptrace() requests that try to set invalid MXCSR values Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Andy Lutomirski
2021-06-23 12:01 ` [patch V4 14/65] x86/fpu: Clean up fpregs_set() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Andy Lutomirski
2021-06-23 12:01 ` [patch V4 15/65] x86/fpu: Make copy_xstate_to_kernel() usable for [x]fpregs_get() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-24 15:09 ` [PATCH] x86/fpu/xstate: Clear xstate header in copy_xstate_to_uabi_buf() again Thomas Gleixner
2021-06-24 15:41 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 16/65] x86/fpu: Use copy_xstate_to_uabi_buf() in xfpregs_get() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 17/65] x86/fpu: Use copy_xstate_to_uabi_buf() in fpregs_get() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 18/65] x86/fpu: Remove fpstate_sanitize_xstate() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 19/65] x86/fpu/regset: Move fpu__read_begin() into regset Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 20/65] x86/fpu: Move fpu__write_begin() to regset Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 21/65] x86/fpu: Get rid of using_compacted_format() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 22/65] x86/kvm: Avoid looking up PKRU in XSAVE buffer Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Dave Hansen
2021-06-23 12:01 ` [patch V4 23/65] x86/fpu: Cleanup arch_set_user_pkey_access() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 24/65] x86/fpu: Get rid of copy_supervisor_to_kernel() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 25/65] x86/fpu: Rename copy_xregs_to_kernel() and copy_kernel_to_xregs() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 26/65] x86/fpu: Rename copy_user_to_xregs() and copy_xregs_to_user() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 27/65] x86/fpu: Rename fxregs related copy functions Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] x86/fpu: Rename fxregs-related " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 28/65] x86/math-emu: Rename frstor() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 29/65] x86/fpu: Rename fregs related copy functions Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] x86/fpu: Rename fregs-related " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 30/65] x86/fpu: Rename xstate copy functions which are related to UABI Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 31/65] x86/fpu: Deduplicate copy_uabi_from_user/kernel_to_xstate() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:01 ` [patch V4 32/65] x86/fpu: Rename copy_fpregs_to_fpstate() to save_fpregs_to_fpstate() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 33/65] x86/fpu: Get rid of the FNSAVE optimization Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 34/65] x86/fpu: Rename copy_kernel_to_fpregs() to restore_fpregs_from_fpstate() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 35/65] x86/fpu: Rename initstate copy functions Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 36/65] x86/fpu: Rename "dynamic" XSTATEs to "independent" Thomas Gleixner
2021-06-23 12:02 ` [patch V4 37/65] x86/fpu/xstate: Sanitize handling of independent features Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 38/65] x86/pkeys: Move read_pkru() and write_pkru() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Dave Hansen
2021-06-23 12:02 ` [patch V4 39/65] x86/fpu: Rename and sanitize fpu__save/copy() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 40/65] x86/cpu: Sanitize X86_FEATURE_OSPKE Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 41/65] x86/pkru: Provide pkru_get_init_value() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 42/65] x86/pkru: Provide pkru_write_default() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 43/65] x86/cpu: Write the default PKRU value when enabling PKE Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 44/65] x86/fpu: Use pkru_write_default() in copy_init_fpstate_to_fpregs() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 45/65] x86/fpu: Rename fpu__clear_all() to fpu_flush_thread() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 46/65] x86/fpu: Clean up the fpu__clear() variants Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Andy Lutomirski
2021-06-23 12:02 ` [patch V4 47/65] x86/fpu: Rename __fpregs_load_activate() to fpregs_restore_userregs() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 48/65] x86/fpu: Move FXSAVE_LEAK quirk info __copy_kernel_to_fpregs() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 49/65] x86/fpu: Rename xfeatures_mask_user() to xfeatures_mask_uabi() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 50/65] x86/fpu: Dont restore PKRU in fpregs_restore_userspace() Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 51/65] x86/fpu: Add PKRU storage outside of task XSAVE buffer Thomas Gleixner
2021-06-23 22:09 ` [tip: x86/fpu] " tip-bot2 for Dave Hansen
2021-06-23 12:02 ` [patch V4 52/65] x86/fpu: Hook up PKRU into ptrace() Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Dave Hansen
2021-06-23 12:02 ` [patch V4 53/65] x86/fpu: Mask PKRU from kernel XRSTOR[S] operations Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 54/65] x86/fpu: Remove PKRU handling from switch_fpu_finish() Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 55/65] x86/fpu: Dont store PKRU in xstate in fpu_reset_fpstate() Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] x86/fpu: Don't " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 56/65] x86/pkru: Remove xstate fiddling from write_pkru() Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 57/65] x86/fpu: Mark init_fpstate __ro_after_init Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 58/65] x86/fpu/signal: Move initial checks into fpu__sig_restore() Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] x86/fpu/signal: Move initial checks into fpu__restore_sig() tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 59/65] x86/fpu/signal: Remove the legacy alignment check Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 60/65] x86/fpu/signal: Sanitize the xstate check on sigframe Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 61/65] x86/fpu/signal: Sanitize copy_user_to_fpregs_zeroing() Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 62/65] x86/fpu/signal: Split out the direct restore code Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 63/65] x86/fpu: Return proper error codes from user access functions Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 64/65] x86/fpu/signal: Handle #PF in the direct restore path Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-23 12:02 ` [patch V4 65/65] x86/fpu/signal: Let xrstor handle the features to init Thomas Gleixner
2021-06-23 22:08 ` [tip: x86/fpu] " tip-bot2 for Thomas Gleixner
2021-06-25 14:50 ` [patch V4 00/65] x86/fpu: Spring cleaning and PKRU sanitizing Oliver Sang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=162448617894.395.180251854478791721.tip-bot2@tip-bot2 \
--to=tip-bot2@linutronix.de \
--cc=bp@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-tip-commits@vger.kernel.org \
--cc=luto@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).