From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Numfor Mbiziwo-Tiapo <nums@google.com>,
	Ian Rogers <irogers@google.com>, Borislav Petkov <bp@suse.de>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.14 35/48] x86/insn, tools/x86: Fix undefined behavior due to potential unaligned accesses
Date: Fri,  8 Oct 2021 13:28:11 +0200
Message-ID: <20211008112721.194413986@linuxfoundation.org>
In-Reply-To: <20211008112720.008415452@linuxfoundation.org>

From: Numfor Mbiziwo-Tiapo <nums@google.com>

[ Upstream commit 5ba1071f7554c4027bdbd712a146111de57918de ]

Don't perform unaligned loads in __get_next() and __peek_nbyte_next() as
these are forms of undefined behavior:

"A pointer to an object or incomplete type may be converted to a pointer
to a different object or incomplete type. If the resulting pointer
is not correctly aligned for the pointed-to type, the behavior is
undefined."

(from http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf)

These problems were identified using the undefined behavior sanitizer
(ubsan) with the tools version of the code and perf test.

 [ bp: Massage commit message. ]

Signed-off-by: Numfor Mbiziwo-Tiapo <nums@google.com>
Signed-off-by: Ian Rogers <irogers@google.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Link: https://lkml.kernel.org/r/20210923161843.751834-1-irogers@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/lib/insn.c       | 4 ++--
 tools/arch/x86/lib/insn.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
index 058f19b20465..c565def611e2 100644
--- a/arch/x86/lib/insn.c
+++ b/arch/x86/lib/insn.c
@@ -37,10 +37,10 @@
 	((insn)->next_byte + sizeof(t) + n <= (insn)->end_kaddr)
 
 #define __get_next(t, insn)	\
-	({ t r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); leXX_to_cpu(t, r); })
+	({ t r; memcpy(&r, insn->next_byte, sizeof(t)); insn->next_byte += sizeof(t); leXX_to_cpu(t, r); })
 
 #define __peek_nbyte_next(t, insn, n)	\
-	({ t r = *(t*)((insn)->next_byte + n); leXX_to_cpu(t, r); })
+	({ t r; memcpy(&r, (insn)->next_byte + n, sizeof(t)); leXX_to_cpu(t, r); })
 
 #define get_next(t, insn)	\
 	({ if (unlikely(!validate_next(t, insn, 0))) goto err_out; __get_next(t, insn); })
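Review bot: memcpy() is introduced into __get_next() and __peek_nbyte_next() but no include is added in this hunk, so please confirm arch/x86/lib/insn.c already pulls in linux/string.h directly rather than through an indirect include. The copy length sizeof(t) is exactly the width the context line `((insn)->next_byte + sizeof(t) + n <= (insn)->end_kaddr)` bounds in validate_next(), so the change removes the alignment UB without widening the readable range. Minor style point: __get_next() still reads `insn->next_byte` while __peek_nbyte_next() uses `(insn)->next_byte`; since both lines are rewritten anyway, parenthesising the macro argument in the former would be a cheap consistency fix.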
diff --git a/tools/arch/x86/lib/insn.c b/tools/arch/x86/lib/insn.c
index c41f95815480..797699462cd8 100644
--- a/tools/arch/x86/lib/insn.c
+++ b/tools/arch/x86/lib/insn.c
@@ -37,10 +37,10 @@
 	((insn)->next_byte + sizeof(t) + n <= (insn)->end_kaddr)
 
 #define __get_next(t, insn)	\
-	({ t r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); leXX_to_cpu(t, r); })
+	({ t r; memcpy(&r, insn->next_byte, sizeof(t)); insn->next_byte += sizeof(t); leXX_to_cpu(t, r); })
 
 #define __peek_nbyte_next(t, insn, n)	\
-	({ t r = *(t*)((insn)->next_byte + n); leXX_to_cpu(t, r); })
+	({ t r; memcpy(&r, (insn)->next_byte + n, sizeof(t)); leXX_to_cpu(t, r); })
 
 #define get_next(t, insn)	\
 	({ if (unlikely(!validate_next(t, insn, 0))) goto err_out; __get_next(t, insn); })
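Review bot: this tools/arch/x86/lib/insn.c hunk is byte-for-byte the same change as the kernel hunk above, which is what it should be, since the tools copy is meant to stay identical to the kernel one. The same include question applies with more force here: the hunk adds a memcpy() call but no `#include <string.h>`, and the userspace build of this file cannot pick the declaration up from kernel headers, so confirm the tools copy already includes it.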
-- 
2.33.0
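The two access patterns the patch contrasts, written out as an added example that is not the kernel's code nor the patch authors': a byte cursor with a validate_next()-style bound check, the pre-patch cast kept only for contrast, and the memcpy() form beside it. struct byte_cursor, validate_next(), peek_u32_le(), get_u32_le(), decode_sample_imm32() and the 5-byte sample buffer are this example's own names and constructed data; the kernel's leXX_to_cpu(), unlikely() and goto err_out are stood in for by a host endianness check and bool returns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical decoder cursor modelled on the next_byte/end_kaddr pair that
 * the patch's validate_next() checks against; the names are this example's.
 */
struct byte_cursor {
	const uint8_t *next;	/* next byte to consume */
	const uint8_t *end;	/* one past the last readable byte */
};

/* Same bound the kernel macro enforces: width + n bytes must still fit. */
static bool validate_next(const struct byte_cursor *c, size_t width, size_t n)
{
	return c->next <= c->end && (size_t)(c->end - c->next) >= width + n;
}

/* Little-endian to host order; the host's endianness is probed through a
 * char view, which is the one aliasing the C standard always permits. */
static uint32_t le32_to_host(uint32_t v)
{
	const uint16_t probe = 1;

	if (*(const uint8_t *)&probe == 1)
		return v;
	return __builtin_bswap32(v);
}

/* Pre-patch pattern: the cast promises the compiler 4-byte alignment that an
 * instruction-stream offset cannot guarantee. UBSan (-fsanitize=alignment)
 * reports it and strict-alignment targets may fault. Kept only for contrast. */
uint32_t peek_u32_le_cast(const struct byte_cursor *c, size_t n)
{
	uint32_t r = *(const uint32_t *)(c->next + n);

	return le32_to_host(r);
}

/* Post-patch pattern: memcpy() into a properly aligned local. On targets that
 * allow unaligned loads the compiler still emits a single load instruction. */
static bool peek_u32_le(const struct byte_cursor *c, size_t n, uint32_t *out)
{
	uint32_t r;

	if (!validate_next(c, sizeof(r), n))
		return false;
	memcpy(&r, c->next + n, sizeof(r));
	*out = le32_to_host(r);
	return true;
}

static bool get_u8(struct byte_cursor *c, uint8_t *out)
{
	if (!validate_next(c, 1, 0))
		return false;
	*out = *c->next++;
	return true;
}

static bool get_u32_le(struct byte_cursor *c, uint32_t *out)
{
	if (!peek_u32_le(c, 0, out))
		return false;
	c->next += sizeof(*out);
	return true;
}

/* Constructed sample: the 5-byte encoding of "mov eax, 0x12345678" (B8 imm32).
 * The buffer is 4-byte aligned on purpose so the imm32 at offset 1 is not. */
_Alignas(4) static const uint8_t sample_mov[] = { 0xB8, 0x78, 0x56, 0x34, 0x12 };

/* Decode the sample's immediate; returns 0 on any bound-check failure. */
uint32_t decode_sample_imm32(void)
{
	struct byte_cursor c = { sample_mov, sample_mov + sizeof(sample_mov) };
	uint8_t opcode;
	uint32_t imm;

	if (!get_u8(&c, &opcode) || opcode != 0xB8)
		return 0;
	if (!get_u32_le(&c, &imm))
		return 0;
	return imm;
}

/* True when the sample's immediate really sits at a misaligned address. */
bool sample_imm32_is_misaligned(void)
{
	return ((uintptr_t)(sample_mov + 1) % _Alignof(uint32_t)) != 0;
}

/* True when a 4-byte read is refused on a buffer holding only 3 bytes, i.e.
 * the bound check runs before any memcpy() and the output is left untouched. */
bool short_buffer_is_rejected(void)
{
	static const uint8_t three[] = { 0x01, 0x02, 0x03 };
	struct byte_cursor c = { three, three + sizeof(three) };
	uint32_t v = 0;

	return !peek_u32_le(&c, 0, &v) && v == 0;
}
```

Building this with `-fsanitize=alignment` and calling peek_u32_le_cast() on the sample at offset 1 reproduces the class of report the commit message describes, while peek_u32_le() on the same bytes stays silent; the bound check is kept in front of the memcpy() because the copy only removes the alignment hazard, not the need to stay inside the buffer.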
