Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 20 Sep 2017 08:41:00 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Eric Biggers <ebiggers3@...il.com>
Cc: X86 ML <x86@...nel.org>, 
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Andy Lutomirski <luto@...nel.org>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, Dmitry Vyukov <dvyukov@...gle.com>, 
	Fenghua Yu <fenghua.yu@...el.com>, Ingo Molnar <mingo@...nel.org>, Kevin Hao <haokexin@...il.com>, 
	Oleg Nesterov <oleg@...hat.com>, Wanpeng Li <wanpeng.li@...mail.com>, 
	Yu-cheng Yu <yu-cheng.yu@...el.com>, Michael Halcrow <mhalcrow@...gle.com>, 
	Eric Biggers <ebiggers@...gle.com>
Subject: Re: [PATCH v2 3/3] x86/fpu: reinitialize FPU registers if restoring
 FPU state fails

> On Sep 19, 2017, at 5:44 PM, Eric Biggers <ebiggers3@...il.com> wrote:
>
> From: Eric Biggers <ebiggers@...gle.com>
>
> Userspace can change the FPU state of a task using the ptrace() or
> rt_sigreturn() system calls.  Because reserved bits in the FPU state can
> cause the XRSTOR instruction to fail, the kernel has to carefully
> validate that no reserved bits or other invalid values are being set.
>
> Unfortunately, there have been bugs in this validation code.  For
> example, we were not checking that the 'xcomp_bv' field in the
> xstate_header was 0.  As-is, such bugs are exploitable to read the FPU
> registers of other processes on the system.  To do so, an attacker can
> create a task, assign to it an invalid FPU state, then spin in a loop
> and monitor the values of the FPU registers.  Because the task's FPU
> registers are not being restored, sometimes the FPU registers will have
> the values from another process.
>
> This is likely to continue to be a problem in the future because the
> validation done by the CPU instructions like XRSTOR is not immediately
> visible to kernel developers.  Nor will invalid FPU states ever be
> encountered during ordinary use --- they will only be seen during
> fuzzing or exploits.  There can even be reserved bits outside the
> xstate_header which are easy to forget about.  For example, the MXCSR
> register contains reserved bits, which were not validated by the
> KVM_SET_XSAVE ioctl until commit a575813bfe4b ("KVM: x86: Fix load
> damaged SSEx MXCSR register").
>
> Therefore, mitigate this class of vulnerability by restoring the FPU
> registers from init_fpstate if restoring from the task's state fails.
>
> We actually used to do this, but it was (perhaps unwisely) removed by
> commit 9ccc27a5d297 ("x86/fpu: Remove error return values from
> copy_kernel_to_*regs() functions").  This new patch is also a bit
> different in that it only clears the registers, not also the bad
> in-memory state.  This is simpler and makes it easier to make the
> mitigation cover all callers of __copy_kernel_to_fpregs().
>

I think this code could be cleaned up a lot in the process rather than
adding even more complexity.  What if you added an
ex_handler_fprestore() in arch/x86/mm/extable.c and changed all the
xrstor, etc users to invoke it via _ASM_HANDLE_EXTABLE?  I don't even
thing you'd need to have the C wrappers return a value --
ex_handler_fprestore() could do a WARN_ON_ONCE().

This would get rid of a few layers of wrappers and would get rid of
branches and code size in the success path.

--Andy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.