From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751266AbdIKTvZ (ORCPT <rfc822;w@1wt.eu>);
        Mon, 11 Sep 2017 15:51:25 -0400
Received: from mga04.intel.com ([192.55.52.120]:35948 "EHLO mga04.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751020AbdIKTvY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Sep 2017 15:51:24 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.42,379,1500966000"; 
   d="scan'208";a="1171202059"
Subject: Re: [PATCH] x86/fpu: don't let PTRACE_SETREGSET set xcomp_bv
To: Eric Biggers <ebiggers3@gmail.com>, x86@kernel.org
References: <20170908164955.41784-1-ebiggers3@gmail.com>
Cc: linux-kernel@vger.kernel.org, Andy Lutomirski <luto@kernel.org>,
        Dmitry Vyukov <dvyukov@google.com>, Fenghua Yu <fenghua.yu@intel.com>,
        Ingo Molnar <mingo@kernel.org>, Kevin Hao <haokexin@gmail.com>,
        Oleg Nesterov <oleg@redhat.com>, Wanpeng Li <wanpeng.li@hotmail.com>,
        Yu-cheng Yu <yu-cheng.yu@intel.com>, stable@vger.kernel.org
From: Dave Hansen <dave.hansen@linux.intel.com>
Message-ID: <e23a2ccb-095f-c6eb-4857-d0083454cc29@linux.intel.com>
Date: Mon, 11 Sep 2017 12:51:21 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170908164955.41784-1-ebiggers3@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 09/08/2017 09:49 AM, Eric Biggers wrote:
> diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
> index b188b16841e3..718b791bc037 100644
> --- a/arch/x86/kernel/fpu/regset.c
> +++ b/arch/x86/kernel/fpu/regset.c
> @@ -131,11 +131,15 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
>  
>  	fpu__activate_fpstate_write(fpu);
>  
> -	if (boot_cpu_has(X86_FEATURE_XSAVES))
> +	if (boot_cpu_has(X86_FEATURE_XSAVES)) {
>  		ret = copyin_to_xsaves(kbuf, ubuf, xsave);
> -	else
> +	} else {
>  		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
>  
> +		/* xcomp_bv must be zero when using uncompacted format */
> +		xsave->header.xcomp_bv = 0;
> +	}

Thanks for finding this!

I wonder if just writing over the user arguments is the right thing
here.  It's quite conceivable that userspace has a *real* compacted
(XSAVEC-generated) buffer.  Doing this could still end up corrupting data.

I think we probably (re?) define NT_X86_XSTATE as being for uncompacted
state only.  Then, return an error back to userspace to tell them they
tried to do something we can't support.

We might even want to check all the reserved bits in the uncompacted
XSAVE header and enforce that they come in as zero.