* [PATCH] x86, mpx: fix instruction decoder condition
@ 2015-12-01 0:31 Dave Hansen
2015-12-05 17:54 ` [tip:x86/urgent] x86/mpx: Fix " tip-bot for Dave Hansen
From: Dave Hansen @ 2015-12-01 0:31 UTC (permalink / raw)
To: linux-kernel; +Cc: Dave Hansen, dave.hansen, dan.carpenter, stable, x86
From: Dave Hansen <dave.hansen@linux.intel.com>
MPX decodes instructions in order to tell which bounds register
was violated. Part of this decoding involves looking at the "REX
prefix" which is a special instruction prefix used to retrofit
support for new registers into old instructions.
The X86_REX_*() macros are defined to return actual bit values:
#define X86_REX_R(rex) ((rex) & 4)
*not* boolean values. However, the MPX code was checking for
them like they were booleans. This might have led to us
mis-decoding the "REX prefix" and giving false information out to
userspace about bounds violations. X86_REX_B() actually is bit 1,
so this is really only broken for the X86_REX_X() case.
Fix the conditionals up to tolerate the non-boolean values.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Cc: x86@kernel.org
---
b/arch/x86/mm/mpx.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff -puN arch/x86/mm/mpx.c~mpx-rex arch/x86/mm/mpx.c
--- a/arch/x86/mm/mpx.c~mpx-rex 2015-11-30 15:33:32.393469377 -0800
+++ b/arch/x86/mm/mpx.c 2015-11-30 16:12:14.805379908 -0800
@@ -101,19 +101,19 @@ static int get_reg_offset(struct insn *i
switch (type) {
case REG_TYPE_RM:
regno = X86_MODRM_RM(insn->modrm.value);
- if (X86_REX_B(insn->rex_prefix.value) == 1)
+ if (X86_REX_B(insn->rex_prefix.value))
regno += 8;
break;
case REG_TYPE_INDEX:
regno = X86_SIB_INDEX(insn->sib.value);
- if (X86_REX_X(insn->rex_prefix.value) == 1)
+ if (X86_REX_X(insn->rex_prefix.value))
regno += 8;
break;
case REG_TYPE_BASE:
regno = X86_SIB_BASE(insn->sib.value);
- if (X86_REX_B(insn->rex_prefix.value) == 1)
+ if (X86_REX_B(insn->rex_prefix.value))
regno += 8;
break;
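Review bot: the only functional change in this hunk is the REG_TYPE_INDEX case. X86_REX_X() masks a bit above the lowest one (the quoted X86_REX_R() is `((rex) & 4)`, and the changelog says X86_REX_B() is the low bit), so `if (X86_REX_X(insn->rex_prefix.value) == 1)` could never be true and an extended SIB index register was always decoded as its low-8 counterpart. Dropping the `== 1` is the right fix; since the patch is Cc: stable, it would help backporters if the changelog stated that the two X86_REX_B() changes are behaviour-preserving and only the index case changes the decoded register.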
_
* [tip:x86/urgent] x86/mpx: Fix instruction decoder condition
2015-12-01 0:31 [PATCH] x86, mpx: fix instruction decoder condition Dave Hansen
@ 2015-12-05 17:54 ` tip-bot for Dave Hansen
From: tip-bot for Dave Hansen @ 2015-12-05 17:54 UTC (permalink / raw)
To: linux-tip-commits
Cc: dave, mingo, hpa, dan.carpenter, dave.hansen, linux-kernel, tglx
Commit-ID: 8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb
Gitweb: http://git.kernel.org/tip/8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb
Author: Dave Hansen <dave.hansen@linux.intel.com>
AuthorDate: Mon, 30 Nov 2015 16:31:13 -0800
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sat, 5 Dec 2015 18:52:14 +0100
x86/mpx: Fix instruction decoder condition
MPX decodes instructions in order to tell which bounds register
was violated. Part of this decoding involves looking at the "REX
prefix" which is a special instruction prefix used to retrofit
support for new registers into old instructions.
The X86_REX_*() macros are defined to return actual bit values:
#define X86_REX_R(rex) ((rex) & 4)
*not* boolean values. However, the MPX code was checking for
them like they were booleans. This might have led to us
mis-decoding the "REX prefix" and giving false information out to
userspace about bounds violations. X86_REX_B() actually is bit 1,
so this is really only broken for the X86_REX_X() case.
Fix the conditionals up to tolerate the non-boolean values.
Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: x86@kernel.org
Cc: Dave Hansen <dave@sr71.net>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20151201003113.D800C1E0@viggo.jf.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
arch/x86/mm/mpx.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
index 1202d5c..b2fd67d 100644
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -101,19 +101,19 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
switch (type) {
case REG_TYPE_RM:
regno = X86_MODRM_RM(insn->modrm.value);
- if (X86_REX_B(insn->rex_prefix.value) == 1)
+ if (X86_REX_B(insn->rex_prefix.value))
regno += 8;
break;
case REG_TYPE_INDEX:
regno = X86_SIB_INDEX(insn->sib.value);
- if (X86_REX_X(insn->rex_prefix.value) == 1)
+ if (X86_REX_X(insn->rex_prefix.value))
regno += 8;
break;
case REG_TYPE_BASE:
regno = X86_SIB_BASE(insn->sib.value);
- if (X86_REX_B(insn->rex_prefix.value) == 1)
+ if (X86_REX_B(insn->rex_prefix.value))
regno += 8;
break;
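Review bot: the corrected conditions are right, but the root cause is that the X86_REX_*() macros return the raw masked bit (the quoted definition is `((rex) & 4)`) while their names read like predicates, which is how `== 1` crept in. A one-line comment on those macros in insn.h saying they return the bit value rather than 0/1, or a `!!` in the macro bodies, would keep the same mistake from recurring in the next decoder that uses them. The Fixes: tag added to this commit gives stable the right anchor.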
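The changelog above explains the bug in prose; the following stand-alone C program, added here as an illustration and not part of the kernel or of Dave Hansen's patch, reproduces the before-and-after register decoding side by side. The X86_REX_*(), X86_SIB_*() and X86_MODRM_RM() macros are re-declared locally so the file builds outside the kernel tree; their masks follow the pattern the changelog quotes for X86_REX_R() (the REX field order W, R, X, B occupying bits 3..0), and the enum and sample bytes are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>

/*
 * Local copies of the REX field macros. Like the kernel's versions in
 * arch/x86/include/asm/insn.h they return the masked bit VALUE
 * (8, 4, 2, 1), not a 0/1 boolean. Only REX.B happens to be 1.
 */
#define X86_REX_W(rex) ((rex) & 8)
#define X86_REX_R(rex) ((rex) & 4)
#define X86_REX_X(rex) ((rex) & 2)
#define X86_REX_B(rex) ((rex) & 1)

/* ModRM and SIB field extractors (3-bit register numbers). */
#define X86_MODRM_RM(modrm) ((modrm) & 0x07)
#define X86_SIB_INDEX(sib)  (((sib) & 0x38) >> 3)
#define X86_SIB_BASE(sib)   ((sib) & 0x07)

enum reg_type { REG_TYPE_RM, REG_TYPE_INDEX, REG_TYPE_BASE };

/* Decoding as it was BEFORE the patch: REX bit compared against 1. */
static int regno_before(enum reg_type type, uint8_t rex, uint8_t modrm, uint8_t sib)
{
	int regno = -1;

	switch (type) {
	case REG_TYPE_RM:
		regno = X86_MODRM_RM(modrm);
		if (X86_REX_B(rex) == 1)	/* works: REX.B really is 1 */
			regno += 8;
		break;
	case REG_TYPE_INDEX:
		regno = X86_SIB_INDEX(sib);
		if (X86_REX_X(rex) == 1)	/* never true: REX.X is 0 or 2 */
			regno += 8;
		break;
	case REG_TYPE_BASE:
		regno = X86_SIB_BASE(sib);
		if (X86_REX_B(rex) == 1)
			regno += 8;
		break;
	}
	return regno;
}

/* Decoding AFTER the patch: test the masked bit for non-zero. */
static int regno_after(enum reg_type type, uint8_t rex, uint8_t modrm, uint8_t sib)
{
	int regno = -1;

	switch (type) {
	case REG_TYPE_RM:
		regno = X86_MODRM_RM(modrm);
		if (X86_REX_B(rex))
			regno += 8;
		break;
	case REG_TYPE_INDEX:
		regno = X86_SIB_INDEX(sib);
		if (X86_REX_X(rex))
			regno += 8;
		break;
	case REG_TYPE_BASE:
		regno = X86_SIB_BASE(sib);
		if (X86_REX_B(rex))
			regno += 8;
		break;
	}
	return regno;
}

/*
 * Sweep every REX prefix byte (0x40..0x4f) against all three register
 * types and count where the two decoders disagree. Only REG_TYPE_INDEX
 * with REX.X set differs: 8 of the 16 prefixes, so 8 mismatches.
 */
static int count_mismatches(void)
{
	int mismatches = 0;
	const uint8_t modrm = 0x05;	/* rm field = 5 (constructed) */
	const uint8_t sib = 0x18;	/* index field = 3, base = 0 (constructed) */

	for (int rex = 0x40; rex <= 0x4f; rex++)
		for (int t = REG_TYPE_RM; t <= REG_TYPE_BASE; t++)
			if (regno_before(t, rex, modrm, sib) != regno_after(t, rex, modrm, sib))
				mismatches++;
	return mismatches;
}

int main(void)
{
	/* REX = 0x42 sets only REX.X; SIB index field 3 should become r11. */
	printf("index reg before fix: %d, after fix: %d\n",
	       regno_before(REG_TYPE_INDEX, 0x42, 0x00, 0x18),
	       regno_after(REG_TYPE_INDEX, 0x42, 0x00, 0x18));
	printf("decoder disagreements over all REX bytes: %d\n", count_mismatches());
	return 0;
}
```

The sweep in `count_mismatches()` is the check a reviewer would want: it confirms that the two X86_REX_B() hunks change nothing observable and that the REG_TYPE_INDEX hunk is the only one that alters the register reported to userspace.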