From: Jeremy Kerr <jk@ozlabs.org>
To: cbe-oss-dev@ozlabs.org
Cc: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>,
	linuxppc-dev@ozlabs.org
Subject: Re: [Cbe-oss-dev] [PATCH] powerpc/spufs: Fix incorrect buffer offset in regs write
Date: Thu, 5 Mar 2009 10:32:35 +1100
Message-ID: <200903051032.36358.jk@ozlabs.org>
In-Reply-To: <alpine.LRH.2.00.0903040935560.2416@vixen.sonytel.be>

Hi Geert,

> Could this be abused by an attacker to write registers or local store
> he's not allowed to do?

It looks like the user can only overwrite fields that it already has 
access to. There's struct spu_lscsa:

struct spu_lscsa {
	struct spu_reg128 gprs[128];
	struct spu_reg128 fpcr;
	struct spu_reg128 decr;
	struct spu_reg128 decr_status;
	struct spu_reg128 ppu_mb;
	struct spu_reg128 ppuint_mb;
	struct spu_reg128 tag_mask;
	struct spu_reg128 event_mask;
	struct spu_reg128 srr0;
	struct spu_reg128 stopped_status;
	unsigned char ls[LS_SIZE] __attribute__((aligned(65536)));
};

where spu_reg128 is a u32[4].

The maximum 'allowed' write offset to the regs file is 2047. The 
(incorrect) maximum offset calculated by the old code would be 8188 
(2047 * 4) bytes into struct spu_lscsa.

So, 8188 bytes covers all of the registers, but ends somewhere before 
the start of the ls area (within the ls alignment padding). Let's look 
at the registers:

gprs:           user-writable
fpcr:           user-writable
decr:           user-writable
decr_status:    only affects user-settable SPE state
ppu_mb:         only affects user-settable SPE state
ppuint_mb:      only affects user-settable SPE state
tag_mask:       only affects user-settable SPE state
event_mask:     only affects user-settable SPE state
srr0:           only affects user-settable SPE state
stopped_status: only affects user-settable SPE state

So, I think we're fine. All a user can do with this bug is mess up their 
own SPE state.

> Should it be backported to stable?

Yes, I'll submit to the stable tree too.

Cheers,


Jeremy
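
The layout argument in the message above, worked through as an added example; this is not code from the thread or from spufs itself. It rebuilds struct spu_lscsa exactly as quoted, takes the two numbers from the message (a 2048-byte regs file whose last valid offset is 2047, and the old code's 2047 * 4 = 8188 bytes into the structure), and uses offsetof/sizeof to classify any byte offset by the field it lands in, so the claim "covers all of the registers but ends before ls" can be checked rather than eyeballed. LS_SIZE is not stated on the page and is assumed to be 256 KiB (the SPE local store size); the field table, lscsa_field_at() and the other helper names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout copied from the message. LS_SIZE is not on the page; 256 KiB is
 * assumed here (the size of the SPE local store). */
#define LS_SIZE (256 * 1024)

struct spu_reg128 {
	uint32_t slot[4];
};

struct spu_lscsa {
	struct spu_reg128 gprs[128];
	struct spu_reg128 fpcr;
	struct spu_reg128 decr;
	struct spu_reg128 decr_status;
	struct spu_reg128 ppu_mb;
	struct spu_reg128 ppuint_mb;
	struct spu_reg128 tag_mask;
	struct spu_reg128 event_mask;
	struct spu_reg128 srr0;
	struct spu_reg128 stopped_status;
	unsigned char ls[LS_SIZE] __attribute__((aligned(65536)));
};

/* Numbers from the message: the regs file covers the 128 gprs (2048
 * bytes, last valid offset 2047) and the old code turned that maximum
 * offset into 2047 * 4 = 8188 bytes into struct spu_lscsa. */
#define REGS_FILE_SIZE  sizeof(((struct spu_lscsa *)0)->gprs)
#define OLD_SCALE       4

struct field {
	const char *name;
	size_t off;
	size_t size;
};

#define FIELD(n) { #n, offsetof(struct spu_lscsa, n), \
		   sizeof(((struct spu_lscsa *)0)->n) }

/* Hypothetical helper table: every field of the structure with its extent. */
static const struct field lscsa_fields[] = {
	FIELD(gprs), FIELD(fpcr), FIELD(decr), FIELD(decr_status),
	FIELD(ppu_mb), FIELD(ppuint_mb), FIELD(tag_mask), FIELD(event_mask),
	FIELD(srr0), FIELD(stopped_status), FIELD(ls),
};

/* Name of the field a byte offset into struct spu_lscsa lands in,
 * "padding" for the alignment gap before ls, or "out of bounds" past
 * the end of the structure. */
const char *lscsa_field_at(size_t off)
{
	size_t i;

	if (off >= sizeof(struct spu_lscsa))
		return "out of bounds";
	for (i = 0; i < sizeof(lscsa_fields) / sizeof(lscsa_fields[0]); i++)
		if (off >= lscsa_fields[i].off &&
		    off < lscsa_fields[i].off + lscsa_fields[i].size)
			return lscsa_fields[i].name;
	return "padding";
}

/* Largest structure offset the old, mis-scaled code could produce. */
size_t old_max_byte_offset(void)
{
	return (REGS_FILE_SIZE - 1) * OLD_SCALE;
}

/* One past the last register byte: where the padding before ls begins. */
size_t regs_end(void)
{
	return offsetof(struct spu_lscsa, stopped_status) +
	       sizeof(struct spu_reg128);
}

/* 1 if the old maximum offset lands in the padding before ls, i.e. the
 * mis-scaled offset reaches neither ls nor memory outside the structure. */
int old_max_offset_in_padding(void)
{
	size_t off = old_max_byte_offset();

	return off >= regs_end() && off < offsetof(struct spu_lscsa, ls);
}

int main(void)
{
	size_t probes[] = { 0, 2047, 2048, 2191, 2192,
			    old_max_byte_offset(), 65535, 65536 };
	size_t i;

	printf("sizeof(struct spu_reg128) = %zu\n", sizeof(struct spu_reg128));
	printf("registers end at %zu, ls starts at %zu\n",
	       regs_end(), offsetof(struct spu_lscsa, ls));
	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("offset %6zu -> %s\n", probes[i],
		       lscsa_field_at(probes[i]));
	printf("old max offset %zu in padding: %s\n", old_max_byte_offset(),
	       old_max_offset_in_padding() ? "yes" : "no");
	return 0;
}
```

The useful check is the same one the message makes by hand: the registers occupy bytes 0 to 2191, ls starts at 65536 because of the aligned(65536) attribute, and 8188 falls between the two. The classifier also makes the caveat explicit: if LS_SIZE or the ls alignment were smaller than assumed here, the same offset could land in ls, so the result should be re-run against the real header rather than trusted from the numbers alone.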

2009-03-04  5:39 [PATCH] powerpc/spufs: Fix incorrect buffer offset in regs write Jeremy Kerr
2009-03-04  8:36 ` [Cbe-oss-dev] " Geert Uytterhoeven
2009-03-04 23:32   ` Jeremy Kerr [this message]
