mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-10 10:39:26 +00:00
Code Issues Releases Wiki Activity
linux-stable/arch/x86
History
Eric Biggers d5c8028b47 x86/fpu: Reinitialize FPU registers if restoring FPU state fails 
Userspace can change the FPU state of a task using the ptrace() or
rt_sigreturn() system calls.  Because reserved bits in the FPU state can
cause the XRSTOR instruction to fail, the kernel has to carefully
validate that no reserved bits or other invalid values are being set.

Unfortunately, there have been bugs in this validation code.  For
example, we were not checking that the 'xcomp_bv' field in the
xstate_header was 0.  As-is, such bugs are exploitable to read the FPU
registers of other processes on the system.  To do so, an attacker can
create a task, assign to it an invalid FPU state, then spin in a loop
and monitor the values of the FPU registers.  Because the task's FPU
registers are not being restored, sometimes the FPU registers will have
the values from another process.

This is likely to continue to be a problem in the future because the
validation done by the CPU instructions like XRSTOR is not immediately
visible to kernel developers.  Nor will invalid FPU states ever be
encountered during ordinary use --- they will only be seen during
fuzzing or exploits.  There can even be reserved bits outside the
xstate_header which are easy to forget about.  For example, the MXCSR
register contains reserved bits, which were not validated by the
KVM_SET_XSAVE ioctl until commit a575813bfe ("KVM: x86: Fix load
damaged SSEx MXCSR register").

Therefore, mitigate this class of vulnerability by restoring the FPU
registers from init_fpstate if restoring from the task's state fails.

We actually used to do this, but it was (perhaps unwisely) removed by
commit 9ccc27a5d2 ("x86/fpu: Remove error return values from
copy_kernel_to_*regs() functions").  This new patch is also a bit
different.  First, it only clears the registers, not also the bad
in-memory state; this is simpler and makes it easier to make the
mitigation cover all callers of __copy_kernel_to_fpregs().  Second, it
does the register clearing in an exception handler so that no extra
instructions are added to context switches.  In fact, we *remove*
instructions, since previously we were always zeroing the register
containing 'err' even if CONFIG_X86_DEBUG_FPU was disabled.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Kevin Hao <haokexin@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michael Halcrow <mhalcrow@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
Cc: kernel-hardening@lists.openwall.com
Link: http://lkml.kernel.org/r/20170922174156.16780-4-ebiggers3@gmail.com
Link: http://lkml.kernel.org/r/20170923130016.21448-27-mingo@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-09-25 09:26:38 +02:00
..
boot Merge branch 'efi-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-07 09:42:35 -07:00
configs Merge branch 'x86/urgent' into x86/asm, to pick up fixes 2017-08-10 13:14:15 +02:00
crypto crypto: x86/twofish - Fix RBP usage 2017-09-20 17:42:38 +08:00
entry Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 17:43:56 -07:00
events Merge branch 'x86-cache-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 13:56:37 -07:00
hyperv tracing/hyper-v: Trace hyperv_mmu_flush_tlb_others() 2017-08-31 14:20:37 +02:00
ia32 Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:13:32 -07:00
include x86/fpu: Reinitialize FPU registers if restoring FPU state fails 2017-09-25 09:26:38 +02:00
kernel x86/fpu: Don't let userspace set bogus xcomp_bv 2017-09-25 09:26:32 +02:00
kvm KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt 2017-09-19 15:09:16 +02:00
lib x86/boot: Add early cmdline parsing for options with arguments 2017-07-18 11:38:06 +02:00
math-emu Merge branch 'x86-apic-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 17:43:56 -07:00
mm x86/fpu: Reinitialize FPU registers if restoring FPU state fails 2017-09-25 09:26:38 +02:00
net x86: bpf_jit: small optimization in emit_bpf_tail_call() 2017-08-31 11:57:37 -07:00
oprofile
pci dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
platform Merge branch 'i2c/for-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-09-09 14:18:40 -07:00
power dmi: Mark all struct dmi_system_id instances const 2017-09-14 11:59:30 +02:00
purgatory kasan: do not sanitize kexec purgatory 2017-03-31 17:13:30 -07:00
ras x86/mce: Merge mce_amd_inj into mce-inject 2017-06-14 07:32:07 +02:00
realmode x86/boot/realmode: Check for memory encryption on the APs 2017-07-18 11:38:04 +02:00
tools
um um: remove a stray tab 2017-09-13 22:36:27 +02:00
video
xen xen: Fixes for rc2 2017-09-22 06:40:47 -10:00
.gitignore
Kbuild Merge branch 'x86-platform-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-07 09:25:15 -07:00
Kconfig libnvdimm for 4.14 2017-09-11 13:10:57 -07:00
Kconfig.cpu
Kconfig.debug Merge branch 'x86/asm' into locking/core 2017-08-18 10:29:54 +02:00
Makefile x86/build: Use cc-option to validate stack alignment parameter 2017-08-21 09:53:15 +02:00
Makefile.um
Makefile_32.cpu kbuild: remove cc-option-align 2017-06-25 12:43:00 +09:00