RE: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking

From: Zhuo, Qiuxu
Date: Tue Jun 11 2024 - 02:57:24 EST

Next message: Krzysztof Kozlowski: "Re: [PATCH] dt-bindings: reset: brcm,bcm63138-pmb: convert to yaml"
Previous message: syzbot: "[syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh"
In reply to: Greg KH: "Re: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking"
Next in thread: Kirill A. Shutemov: "Re: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> From: Kees Cook <kees@xxxxxxxxxx>
> [...]
> Subject: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range
> checking
>
> When reworking the range checking for get_user(), the get_user_8() case on
> 32-bit wasn't zeroing the high register. (The jump to bad_get_user_8 was
> accidentally dropped.) Restore the correct error handling destination (and
> rename the jump to using the expected ".L" prefix).
>
> While here, switch to using a named argument ("size") for the call template
> ("%c4" to "%c[size]") as already used in the other call templates in this file.
>
> Found after moving the usercopy selftests to KUnit:
>
> # usercopy_test_invalid: EXPECTATION FAILED at
> lib/usercopy_kunit.c:278
> Expected val_u64 == 0, but
> val_u64 == -60129542144 (0xfffffff200000000)
>
> Reported-by: David Gow <davidgow@xxxxxxxxxx>
> Closes: https://lore.kernel.org/all/CABVgOSn=tb=Lj9SxHuT4_9MTjjKVxsq-
> ikdXC4kGHO4CfKVmGQ@xxxxxxxxxxxxxx
> Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user()
> and put_user()")
> Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
> [...]
> arch/x86/include/asm/uaccess.h | 4 ++--
> arch/x86/lib/getuser.S | 6 +++++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/include/asm/uaccess.h
> b/arch/x86/include/asm/uaccess.h index 0f9bab92a43d..3a7755c1a441
> 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -78,10 +78,10 @@ extern int __get_user_bad(void);
> int __ret_gu; \
> register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
> __chk_user_ptr(ptr); \
> - asm volatile("call __" #fn "_%c4" \
> + asm volatile("call __" #fn "_%c[size]" \
> : "=a" (__ret_gu), "=r" (__val_gu), \
> ASM_CALL_CONSTRAINT
> \
> - : "0" (ptr), "i" (sizeof(*(ptr)))); \
> + : "0" (ptr), [size] "i" (sizeof(*(ptr)))); \
> instrument_get_user(__val_gu);
> \
> (x) = (__force __typeof__(*(ptr))) __val_gu; \
> __builtin_expect(__ret_gu, 0); \
> diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S index
> 10d5ed8b5990..a1cb3a4e6742 100644
> --- a/arch/x86/lib/getuser.S
> +++ b/arch/x86/lib/getuser.S
> @@ -44,7 +44,11 @@
> or %rdx, %rax
> .else
> cmp $TASK_SIZE_MAX-\size+1, %eax
> +.if \size != 8
> jae .Lbad_get_user
> +.else
> + jae .Lbad_get_user_8
> +.endif
> sbb %edx, %edx /* array_index_mask_nospec() */
> and %edx, %eax
> .endif
> @@ -154,7 +158,7 @@ SYM_CODE_END(__get_user_handle_exception)
> #ifdef CONFIG_X86_32
> SYM_CODE_START_LOCAL(__get_user_8_handle_exception)
> ASM_CLAC
> -bad_get_user_8:
> +.Lbad_get_user_8:
> xor %edx,%edx
> xor %ecx,%ecx
> mov $(-EFAULT),%_ASM_AX
> --
> 2.34.1

LGTM. Thanks!

Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@xxxxxxxxx>

Next message: Krzysztof Kozlowski: "Re: [PATCH] dt-bindings: reset: brcm,bcm63138-pmb: convert to yaml"
Previous message: syzbot: "[syzbot] [hams?] KASAN: slab-use-after-free Read in rose_get_neigh"
In reply to: Greg KH: "Re: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking"
Next in thread: Kirill A. Shutemov: "Re: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]