Re: [PATCH] copy_xstate_to_kernel: Fix typo which caused GDB regression

From: Kevin Buettner
Date: Tue Jul 21 2020 - 05:27:12 EST

Next message: Grzegorz Jaszczyk: "Re: [PATCHv3 2/6] irqchip/irq-pruss-intc: Add a PRUSS irqchip driver for PRUSS interrupts"
Previous message: Alexandre Torgue: "Re: [PATCH 3/3] ARM: dts: stm32: add initial support for stm32mp157-odyssey board"
In reply to: Florian Weimer: "Re: [PATCH] copy_xstate_to_kernel: Fix typo which caused GDB regression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 21 Jul 2020 10:59:07 +0200
Florian Weimer <fw@xxxxxxxxxxxxx> wrote:

> * Kevin Buettner:
>
> > This commit fixes a regression encountered while running the
> > gdb.base/corefile.exp test in GDB's test suite.
> >
> > In my testing, the typo prevented the sw_reserved field of struct
> > fxregs_state from being output to the kernel XSAVES area. Thus the
> > correct mask corresponding to XCR0 was not present in the core file
> > for GDB to interrogate, resulting in the following behavior:
> >
> > [kev@f32-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile testsuite/outputs/gdb.base/corefile/corefile.core
> > Reading symbols from testsuite/outputs/gdb.base/corefile/corefile...
> > [New LWP 232880]
> >
> > warning: Unexpected size of section `.reg-xstate/232880' in core file.
> >
> > With the typo fixed, the test works again as expected.
> >
> > Signed-off-by: Kevin Buettner <kevinb@xxxxxxxxxx>
> > ---
> > arch/x86/kernel/fpu/xstate.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> > index 6a54e83d5589..9cf40a7ff7ae 100644
> > --- a/arch/x86/kernel/fpu/xstate.c
> > +++ b/arch/x86/kernel/fpu/xstate.c
> > @@ -1022,7 +1022,7 @@ int copy_xstate_to_kernel(void *kbuf, struct xregs_state *xsave, unsigned int of
> > copy_part(offsetof(struct fxregs_state, st_space), 128,
> > &xsave->i387.st_space, &kbuf, &offset_start, &count);
> > if (header.xfeatures & XFEATURE_MASK_SSE)
> > - copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256,
> > + copy_part(xstate_offsets[XFEATURE_SSE], 256,
> > &xsave->i387.xmm_space, &kbuf, &offset_start, &count);
> > /*
> > * Fill xsave->i387.sw_reserved value for ptrace frame:
>
> Does this read out-of-bounds, potentially disclosing kernel memory?
> Not if the system supports AVX, I assume.

An overlarge offset (first parameter) passed to copy_part() will cause
fill_gap() to be called which will copy data out of &init_fpstate.xsave.
Care is taken in both fill_gap and copy_part to not copy more data
than the remaining count.

So, I think the answer is "no".

Kevin

Next message: Grzegorz Jaszczyk: "Re: [PATCHv3 2/6] irqchip/irq-pruss-intc: Add a PRUSS irqchip driver for PRUSS interrupts"
Previous message: Alexandre Torgue: "Re: [PATCH 3/3] ARM: dts: stm32: add initial support for stm32mp157-odyssey board"
In reply to: Florian Weimer: "Re: [PATCH] copy_xstate_to_kernel: Fix typo which caused GDB regression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]