From: Rik van Riel
To: Eric Biggers, x86@kernel.org
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Andy Lutomirski, Dave Hansen, Dmitry Vyukov, Fenghua Yu, Ingo Molnar, Kevin Hao, Oleg Nesterov, Wanpeng Li, Yu-cheng Yu, Michael Halcrow, Eric Biggers
Subject: Re: [kernel-hardening] [PATCH v3 3/3] x86/fpu: reinitialize FPU registers if restoring FPU state fails
Date: Thu, 21 Sep 2017 16:41:29 -0400
Message-ID: <1506026489.5486.25.camel@redhat.com>
In-Reply-To: <20170921185239.88398-4-ebiggers3@gmail.com>
References: <20170921185239.88398-1-ebiggers3@gmail.com> <20170921185239.88398-4-ebiggers3@gmail.com>

On Thu, 2017-09-21 at 11:52 -0700, Eric Biggers wrote:
> From: Eric Biggers
>
> Userspace can change the FPU state of a task using the ptrace() or
> rt_sigreturn() system calls.  Because reserved bits in the FPU state can
> cause the XRSTOR instruction to fail, the kernel has to carefully
> validate that no reserved bits or other invalid values are being set.
>
> Unfortunately, there have been bugs in this validation code.  For
> example, we were not checking that the 'xcomp_bv' field in the
> xstate_header was 0.  As-is, such bugs are exploitable to read the FPU
> registers of other processes on the system.  To do so, an attacker can
> create a task, assign to it an invalid FPU state, then spin in a loop
> and monitor the values of the FPU registers.  Because the task's FPU
> registers are not being restored, sometimes the FPU registers will have
> the values from another process.
>

Reviewed-by: Rik van Riel

-- 
All rights reversed
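The following C model is an added example, not the kernel's code and not part of this thread. It shows the two defensive points the quoted commit message and the patch title make: a user-supplied xstate_header must be validated (feature bits within the supported mask, xcomp_bv equal to 0 for the standard format, reserved words zero), and a restore that fails must reinitialize the registers rather than leave a previous task's contents in place. The struct layout follows the xstate_header fields named in the thread; the mask value XFEATURES_MASK_EXAMPLE, the functions model_xrstor, restore_fpu_state_or_reinit and the example_* helpers, and all sample register values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of the 64-byte XSAVE header: a feature bitmap, the
 * compaction bitmap xcomp_bv, and six reserved words. Field names follow
 * the thread; everything else in this file is an added example, not the
 * kernel's own code. */
struct xstate_header {
    uint64_t xfeatures;
    uint64_t xcomp_bv;
    uint64_t reserved[6];
};

/* Toy register file standing in for what XRSTOR loads (constructed). */
struct fpu_regs {
    struct xstate_header hdr;
    uint64_t data[4];
};

/* Assumed value: the feature bits this hypothetical kernel supports,
 * here x87 (bit 0), SSE (bit 1) and AVX (bit 2). */
#define XFEATURES_MASK_EXAMPLE 0x7ULL

enum { XSTATE_OK = 0, XSTATE_EINVAL = -22 };

/* The validation the commit message calls for: feature bits must be a
 * subset of what the kernel supports, xcomp_bv must be 0 because the
 * user-supplied buffer is in the standard (non-compacted) format, and the
 * reserved words must all be zero. The xcomp_bv test is the one the
 * message says was missing. */
int validate_xstate_header(const struct xstate_header *hdr, uint64_t xfeatures_mask)
{
    if (hdr->xfeatures & ~xfeatures_mask)
        return XSTATE_EINVAL;
    if (hdr->xcomp_bv != 0)
        return XSTATE_EINVAL;
    for (size_t i = 0; i < sizeof(hdr->reserved) / sizeof(hdr->reserved[0]); i++)
        if (hdr->reserved[i] != 0)
            return XSTATE_EINVAL;
    return XSTATE_OK;
}

/* Models XRSTOR: it faults on an invalid header and leaves the register
 * file untouched, which is why a failed restore must not be ignored. */
static bool model_xrstor(struct fpu_regs *regs, const struct fpu_regs *src,
                         uint64_t xfeatures_mask)
{
    if (validate_xstate_header(&src->hdr, xfeatures_mask) != XSTATE_OK)
        return false;
    *regs = *src;
    return true;
}

/* Hardened restore path, per the patch title: if the restore fails, put
 * the registers into the init state instead of leaving whatever the
 * previous task left there. */
int restore_fpu_state_or_reinit(struct fpu_regs *regs, const struct fpu_regs *src,
                                uint64_t xfeatures_mask)
{
    if (model_xrstor(regs, src, xfeatures_mask))
        return XSTATE_OK;
    memset(regs, 0, sizeof(*regs)); /* init state in this model */
    return XSTATE_EINVAL;
}

/* Returns 1 when a well-formed header passes validation. */
int example_good_header_accepted(void)
{
    struct xstate_header hdr = { .xfeatures = 0x3 }; /* x87|SSE, rest zero */
    return validate_xstate_header(&hdr, XFEATURES_MASK_EXAMPLE) == XSTATE_OK;
}

/* Returns 1 when a header with xcomp_bv set is rejected. */
int example_xcomp_bv_rejected(void)
{
    struct xstate_header hdr = { .xfeatures = 0x3, .xcomp_bv = 1 };
    return validate_xstate_header(&hdr, XFEATURES_MASK_EXAMPLE) == XSTATE_EINVAL;
}

/* Returns 1 when a failed restore leaves no leftover register contents:
 * the register file starts with constructed "previous task" values and
 * must be all zero afterwards. */
int example_failed_restore_clears_registers(void)
{
    struct fpu_regs regs = { .data = { 0x1111, 0x2222, 0x3333, 0x4444 } };
    struct fpu_regs bad = { .hdr = { .xfeatures = 0x3, .reserved = { [2] = 1 } } };
    int rc = restore_fpu_state_or_reinit(&regs, &bad, XFEATURES_MASK_EXAMPLE);
    for (size_t i = 0; i < 4; i++)
        if (regs.data[i] != 0)
            return 0;
    return rc == XSTATE_EINVAL;
}
```

The model deliberately separates the two failure points: validate_xstate_header rejects a bad buffer before any restore is attempted, and restore_fpu_state_or_reinit handles the case where the restore itself fails, so neither path can leave another task's register contents visible.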