From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f73.google.com (mail-ot1-f73.google.com [209.85.210.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A65B5494A0B for ; Thu, 4 Jun 2026 16:56:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.73 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780592174; cv=none; b=NDHJLJ3bhIqq25XGzrMJgGYCdSB6scES/gYAYivovmAGnK79X5YUr93q2QThfXU8utjekv8/eS4d11sEgDSuzA6gPyukeZjTMqF8o6bZjsizvLVXgBKvLoDLn7+Gkr163ZiihvoTd2BzbzV68BTFHcMz3FDdPqReXRqURKEaiT0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780592174; c=relaxed/simple; bh=MmaRtMh4aAZDZABUEveV0hMpZAGs5+4JaHSHcIufLYc=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=KuH1ocADnuC8ppdpTiCnghE8UOYfjQgTKVwSrlT7hkE0E42GTqhKMzNYHkOnx4EUAg43X5sxImZUWh2JfwtB7rihrVV5tRrT052ciGb+pA5u4dSTv0plfiAwIgRzt/q5gO/YNsoFgGkFIxol0+EkZjWPZEymmmDsG2PKIdKyBUQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=m7/xRnqK; arc=none smtp.client-ip=209.85.210.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--avagin.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="m7/xRnqK" Received: by mail-ot1-f73.google.com with SMTP id 46e09a7af769-7e6fd5f007eso1904301a34.1 for ; Thu, 04 Jun 2026 09:56:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20251104; t=1780592170; x=1781196970; darn=lists.linux.dev; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=IN2xvXf7IGO5GKcsJztFH/iiFPbGNA4GZJ2tZsr3Zhw=; b=m7/xRnqKDO9ofs/3kkykVrQCKrA1If/S/b0PYkCg8XfxieNapfA7QDY6xzbrAIn8cf HguwXQx6VPUCcLSt0iuhqmTzWmdphqxTA9fdd8tdhbsk5wOZM3ESWC4vGseXuVu+M1gP KgJLoWwZroDP6kg0zVdYd17/V8VXbAGfVsMPzlZwPHvrjocrAUeU7rUGpe/0d0MWVn1r Q4XW4NGQYvjJJSpMfyMo1E4h+mS7t+NUN9clfNlcf2cXwPkTGWCJ/ca6xz3EnXo/iJmZ VXtJenadSlpT3bHBUQSXXPSOo4mr/9yu112Y9DFowEQM3T3v99ft/GZayIqN+vDrctt9 j7mA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780592170; x=1781196970; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IN2xvXf7IGO5GKcsJztFH/iiFPbGNA4GZJ2tZsr3Zhw=; b=Bb6ZXU25srTPERps0eIGAR8IB4WXj/a1f/aZVVN9l0XSpIdAjaOMcl6cvl6/0eUHHF HS2+npRb9fSbgnjjTab01822XSJnQFrRRUBnvC347S9SS2SA+Gv9Oa5W0vzBb1tzPa7P 5cFYJ4hQ1sS/rDBGLkTcLRlKl024HINLtnAbvAqlJiywlS18hUi2xqfzdclFyydxsROW mjzb2OlLSyE61WT8COyI/dZyDQ5BQTTyoG0+fn3It0tKI9qVrga6mH0lSN845M1thsdd sVQuGGHsuPO8C7UHXestQ+0KWs7m8nv4N5fPf4/Bzv0tFKqLFYjVENKxUVXLSB+vGgom mKcQ== X-Forwarded-Encrypted: i=1; AFNElJ/uK+heYkBlrBN8go2ugtCjasFnvnNofJZjWfEfb3wsoxuJDusLEGVaNzEUwslw670KSxho@lists.linux.dev X-Gm-Message-State: AOJu0YyuEh+izGZmS7ez4V3wpJiozXH9EnPDH9pEhPby0ejWSjPqqtPR 0Dd8aqXz07xLel/Nb6FqFf5itgvcBFdSay2qKr4UUNrPIAVcLKba3Ey/HBTUFxd1T9f/AiZksRq nHV0LWA== X-Received: from ilbep8-n2.prod.google.com ([2002:a05:6e02:2a08:20b0:500:b03a:fa93]) (user=avagin job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6820:20a:b0:69e:3868:a737 with SMTP id 006d021491bc7-69e58f81a68mr2176761eaf.4.1780592170266; Thu, 04 Jun 2026 09:56:10 -0700 (PDT) Date: Thu, 4 Jun 2026 16:56:03 +0000 In-Reply-To: <20260604165604.1195243-1-avagin@google.com> Precedence: bulk X-Mailing-List: criu@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20260604165604.1195243-1-avagin@google.com> X-Mailer: git-send-email 2.54.0.1032.g2f8565e1d1-goog Message-ID: <20260604165604.1195243-4-avagin@google.com> Subject: [PATCH 3/4] x86/fpu: Add consistency check between xstate_size and xfeatures From: Andrei Vagin To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , "Chang S. Bae" Cc: linux-kernel@vger.kernel.org, criu@lists.linux.dev, Dave Hansen , x86@kernel.org, Andrei Vagin , "H. Peter Anvin" Content-Type: text/plain; charset="UTF-8" The signal frame is designed to be self-describing, where xstate_size indicates the actual size of the xstate context. The kernel previously lacked a check to ensure that the provided xstate_size was sufficient for the features enabled in the xfeatures mask. Additionally, restore_fpregs_from_user() always used the default xstate_size to fault in the xstate user buffer. These consistency checks have been added: * Validate that xfeatures is a subset of the features enabled for the task. * Calculate the required size for the validated xfeatures mask. * Ensure the provided xstate_size is sufficient. These checks prevent the kernel from attempting to fault in memory past the end of a frame. Signed-off-by: Andrei Vagin --- arch/x86/kernel/fpu/signal.c | 29 +++++++++++++++++++++++------ arch/x86/kernel/fpu/xstate.c | 2 +- arch/x86/kernel/fpu/xstate.h | 2 ++ 3 files changed, 26 insertions(+), 7 deletions(-) diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 20b638c507ca..4ddfa59a2851 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -29,16 +29,21 @@ static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf, { int min_xstate_size = sizeof(struct fxregs_state) + sizeof(struct xstate_header); - void __user *fpstate = fxbuf; + struct fpstate *fpstate = x86_task_fpu(current)->fpstate; + void __user *sig_fpstate = fxbuf; unsigned int magic2; if (__copy_from_user(fx_sw, &fxbuf->sw_reserved[0], sizeof(*fx_sw))) return false; + /* Enforce XFEATURE_MASK_FPSSE when XSAVE is enabled */ + fx_sw->xfeatures |= XFEATURE_MASK_FPSSE; + /* Check for the first magic field and other error scenarios. */ if (fx_sw->magic1 != FP_XSTATE_MAGIC1 || + (fx_sw->xfeatures & ~fpstate->user_xfeatures) || fx_sw->xstate_size < min_xstate_size || - fx_sw->xstate_size > x86_task_fpu(current)->fpstate->user_size || + fx_sw->xstate_size > fpstate->user_size || fx_sw->xstate_size > fx_sw->extended_size) goto setfx; @@ -48,9 +53,17 @@ static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf, * fpstate layout with out copying the extended state information * in the memory layout. */ - if (__get_user(magic2, (__u32 __user *)(fpstate + fx_sw->xstate_size))) + if (__get_user(magic2, (__u32 __user *)(sig_fpstate + fx_sw->xstate_size))) return false; + if (fx_sw->xstate_size != fpstate->user_size) { + unsigned int calculated_size; + + calculated_size = xstate_calculate_size(fx_sw->xfeatures, false); + if (fx_sw->xstate_size < calculated_size) + goto setfx; + } + if (likely(magic2 == FP_XSTATE_MAGIC2)) return true; setfx: @@ -266,7 +279,8 @@ static int __restore_fpregs_from_user(void __user *buf, u64 ufeatures, * Attempt to restore the FPU registers directly from user memory. * Pagefaults are handled and any errors returned are fatal. */ -static bool restore_fpregs_from_user(void __user *buf, u64 xrestore, bool fx_only) +static bool restore_fpregs_from_user(void __user *buf, u64 xrestore, + bool fx_only, size_t xstate_size) { struct fpu *fpu = x86_task_fpu(current); int ret; @@ -302,7 +316,7 @@ static bool restore_fpregs_from_user(void __user *buf, u64 xrestore, bool fx_onl if (ret != X86_TRAP_PF) return false; - if (!fault_in_readable(buf, fpu->fpstate->user_size)) + if (!fault_in_readable(buf, xstate_size)) goto retry; return false; } @@ -333,6 +347,7 @@ static bool __fpu_restore_sig(void __user *buf, void __user *buf_fx, bool success, fx_only = false; union fpregs_state *fpregs; u64 user_xfeatures = 0; + size_t xstate_size; if (use_xsave()) { struct _fpx_sw_bytes fx_sw_user; @@ -342,13 +357,15 @@ static bool __fpu_restore_sig(void __user *buf, void __user *buf_fx, fx_only = !fx_sw_user.magic1; user_xfeatures = fx_sw_user.xfeatures; + xstate_size = fx_sw_user.xstate_size; } else { user_xfeatures = XFEATURE_MASK_FPSSE; + xstate_size = sizeof(struct fxregs_state); } if (likely(!ia32_fxstate)) { /* Restore the FPU registers directly from user memory. */ - return restore_fpregs_from_user(buf_fx, user_xfeatures, fx_only); + return restore_fpregs_from_user(buf_fx, user_xfeatures, fx_only, xstate_size); } /* diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index a7b6524a9dea..371a3a4a4b4e 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -587,7 +587,7 @@ static bool __init check_xstate_against_struct(int nr) return true; } -static unsigned int xstate_calculate_size(u64 xfeatures, bool compacted) +unsigned int xstate_calculate_size(u64 xfeatures, bool compacted) { unsigned int topmost = fls64(xfeatures) - 1; unsigned int offset, i; diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h index 38a2862f09d3..c73cf2444de6 100644 --- a/arch/x86/kernel/fpu/xstate.h +++ b/arch/x86/kernel/fpu/xstate.h @@ -55,6 +55,8 @@ extern int copy_sigframe_from_user_to_xstate(struct task_struct *tsk, const void extern void fpu__init_cpu_xstate(void); extern void fpu__init_system_xstate(unsigned int legacy_size); +extern unsigned int xstate_calculate_size(u64 xfeatures, bool compacted); + extern void __user *get_xsave_addr_user(struct xregs_state __user *xsave, int xfeature_nr); static inline u64 xfeatures_mask_supervisor(void) -- 2.54.0.1032.g2f8565e1d1-goog