Re: [PATCH] x86: Prevent uninitialized stack byte read in apply_alternatives()
From: Borislav Petkov
Date: Wed May 24 2017 - 09:05:09 EST
On Wed, May 24, 2017 at 02:51:20PM +0200, Mateusz Jurczyk wrote:
> In the current form of the code, if a->replacementlen is 0, the reference
> to *insnbuf for comparison touches potentially garbage memory. While it
> doesn't affect the execution flow due to the subsequent a->replacementlen
> comparison, it is (rightly) detected as use of uninitialized memory by a
> runtime instrumentation currently under my development, and could be
> detected as such by other tools in the future, too (e.g. KMSAN).
>
> Fix the "false-positive" by reordering the conditions to first check the
> replacement instruction length before referencing specific opcode bytes.
>
> Signed-off-by: Mateusz Jurczyk <mjurczyk@xxxxxxxxxx>
> ---
> arch/x86/kernel/alternative.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
> index c5b8f760473c..d03ba6bc97d8 100644
> --- a/arch/x86/kernel/alternative.c
> +++ b/arch/x86/kernel/alternative.c
> @@ -410,7 +410,7 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
> insnbuf_sz = a->replacementlen;
>
> /* 0xe8 is a relative jump; fix the offset. */
Sure but put in short the reason to look at the instruction length first
in the comment above so that it is clear why we're doing it this way.
> - if (*insnbuf == 0xe8 && a->replacementlen == 5) {
> + if (a->replacementlen == 5 && *insnbuf == 0xe8) {
> *(s32 *)(insnbuf + 1) += replacement - instr;
> DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
> *(s32 *)(insnbuf + 1),
> --
Thanks.
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix ImendÃrffer, Jane Smithard, Graham Norton, HRB 21284 (AG NÃrnberg)
--