From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>, Naveen N Rao <naveen@kernel.org>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
linuxppc-dev@lists.ozlabs.org
Subject: [PATCH AUTOSEL 6.1 11/14] powerpc/lib: Validate size for vector operations
Date: Mon, 15 Jan 2024 18:25:45 -0500 [thread overview]
Message-ID: <20240115232611.209265-11-sashal@kernel.org> (raw)
In-Reply-To: <20240115232611.209265-1-sashal@kernel.org>
From: Naveen N Rao <naveen@kernel.org>
[ Upstream commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 ]
Some of the fp/vmx code in sstep.c assume a certain maximum size for the
instructions being emulated. The size of those operations however is
determined separately in analyse_instr().
Add a check to validate the assumption on the maximum size of the
operations, so as to prevent any unintended kernel stack corruption.
Signed-off-by: Naveen N Rao <naveen@kernel.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Build-tested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/lib/sstep.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
index 398b5694aeb7..ec30af8eadb7 100644
--- a/arch/powerpc/lib/sstep.c
+++ b/arch/powerpc/lib/sstep.c
@@ -586,6 +586,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea,
} u;
nb = GETSIZE(op->type);
+ if (nb > sizeof(u))
+ return -EINVAL;
if (!address_ok(regs, ea, nb))
return -EFAULT;
rn = op->reg;
@@ -636,6 +638,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea,
} u;
nb = GETSIZE(op->type);
+ if (nb > sizeof(u))
+ return -EINVAL;
if (!address_ok(regs, ea, nb))
return -EFAULT;
rn = op->reg;
@@ -680,6 +684,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea,
u8 b[sizeof(__vector128)];
} u = {};
+ if (size > sizeof(u))
+ return -EINVAL;
+
if (!address_ok(regs, ea & ~0xfUL, 16))
return -EFAULT;
/* align to multiple of size */
@@ -707,6 +714,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea,
u8 b[sizeof(__vector128)];
} u;
+ if (size > sizeof(u))
+ return -EINVAL;
+
if (!address_ok(regs, ea & ~0xfUL, 16))
return -EFAULT;
/* align to multiple of size */
--
2.43.0
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Naveen N Rao <naveen@kernel.org>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Sasha Levin <sashal@kernel.org>,
christophe.leroy@csgroup.eu, linuxppc-dev@lists.ozlabs.org
Subject: [PATCH AUTOSEL 6.1 11/14] powerpc/lib: Validate size for vector operations
Date: Mon, 15 Jan 2024 18:25:45 -0500 [thread overview]
Message-ID: <20240115232611.209265-11-sashal@kernel.org> (raw)
In-Reply-To: <20240115232611.209265-1-sashal@kernel.org>
From: Naveen N Rao <naveen@kernel.org>
[ Upstream commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 ]
Some of the fp/vmx code in sstep.c assume a certain maximum size for the
instructions being emulated. The size of those operations however is
determined separately in analyse_instr().
Add a check to validate the assumption on the maximum size of the
operations, so as to prevent any unintended kernel stack corruption.
Signed-off-by: Naveen N Rao <naveen@kernel.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Build-tested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/lib/sstep.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c
index 398b5694aeb7..ec30af8eadb7 100644
--- a/arch/powerpc/lib/sstep.c
+++ b/arch/powerpc/lib/sstep.c
@@ -586,6 +586,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea,
} u;
nb = GETSIZE(op->type);
+ if (nb > sizeof(u))
+ return -EINVAL;
if (!address_ok(regs, ea, nb))
return -EFAULT;
rn = op->reg;
@@ -636,6 +638,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea,
} u;
nb = GETSIZE(op->type);
+ if (nb > sizeof(u))
+ return -EINVAL;
if (!address_ok(regs, ea, nb))
return -EFAULT;
rn = op->reg;
@@ -680,6 +684,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea,
u8 b[sizeof(__vector128)];
} u = {};
+ if (size > sizeof(u))
+ return -EINVAL;
+
if (!address_ok(regs, ea & ~0xfUL, 16))
return -EFAULT;
/* align to multiple of size */
@@ -707,6 +714,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea,
u8 b[sizeof(__vector128)];
} u;
+ if (size > sizeof(u))
+ return -EINVAL;
+
if (!address_ok(regs, ea & ~0xfUL, 16))
return -EFAULT;
/* align to multiple of size */
--
2.43.0
next prev parent reply other threads:[~2024-01-15 23:39 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-15 23:25 [PATCH AUTOSEL 6.1 01/14] asm-generic: make sparse happy with odd-sized put_unaligned_*() Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 02/14] watch_queue: fix kcalloc() arguments order Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 03/14] powerpc/mm: Fix null-pointer dereference in pgtable_cache_add Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 04/14] arm64: irq: set the correct node for VMAP stack Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 05/14] drivers/perf: pmuv3: don't expose SW_INCR event in sysfs Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 06/14] powerpc: Fix build error due to is_valid_bugaddr() Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 07/14] powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 08/14] powerpc/64s: Fix CONFIG_NUMA=n build due to create_section_mapping() Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 09/14] x86/boot: Ignore NMIs during very early boot Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 10/14] powerpc: pmd_move_must_withdraw() is only needed for CONFIG_TRANSPARENT_HUGEPAGE Sasha Levin
2024-01-15 23:25 ` Sasha Levin
2024-01-15 23:25 ` Sasha Levin [this message]
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 11/14] powerpc/lib: Validate size for vector operations Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 12/14] add unique mount ID Sasha Levin
2024-01-16 9:04 ` Amir Goldstein
2024-01-16 11:31 ` Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 13/14] x86/barrier: Do not serialize MSR accesses on AMD Sasha Levin
2024-01-15 23:25 ` [PATCH AUTOSEL 6.1 14/14] x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240115232611.209265-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=gustavoars@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=naveen@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.