Date: Wed, 20 Sep 2017 08:41:00 -0700 From: Andy Lutomirski <luto@...nel.org> To: Eric Biggers <ebiggers3@...il.com> Cc: X86 ML <x86@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Andy Lutomirski <luto@...nel.org>, Dave Hansen <dave.hansen@...ux.intel.com>, Dmitry Vyukov <dvyukov@...gle.com>, Fenghua Yu <fenghua.yu@...el.com>, Ingo Molnar <mingo@...nel.org>, Kevin Hao <haokexin@...il.com>, Oleg Nesterov <oleg@...hat.com>, Wanpeng Li <wanpeng.li@...mail.com>, Yu-cheng Yu <yu-cheng.yu@...el.com>, Michael Halcrow <mhalcrow@...gle.com>, Eric Biggers <ebiggers@...gle.com> Subject: Re: [PATCH v2 3/3] x86/fpu: reinitialize FPU registers if restoring FPU state fails > On Sep 19, 2017, at 5:44 PM, Eric Biggers <ebiggers3@...il.com> wrote: > > From: Eric Biggers <ebiggers@...gle.com> > > Userspace can change the FPU state of a task using the ptrace() or > rt_sigreturn() system calls. Because reserved bits in the FPU state can > cause the XRSTOR instruction to fail, the kernel has to carefully > validate that no reserved bits or other invalid values are being set. > > Unfortunately, there have been bugs in this validation code. For > example, we were not checking that the 'xcomp_bv' field in the > xstate_header was 0. As-is, such bugs are exploitable to read the FPU > registers of other processes on the system. To do so, an attacker can > create a task, assign to it an invalid FPU state, then spin in a loop > and monitor the values of the FPU registers. Because the task's FPU > registers are not being restored, sometimes the FPU registers will have > the values from another process. > > This is likely to continue to be a problem in the future because the > validation done by the CPU instructions like XRSTOR is not immediately > visible to kernel developers. Nor will invalid FPU states ever be > encountered during ordinary use --- they will only be seen during > fuzzing or exploits. There can even be reserved bits outside the > xstate_header which are easy to forget about. For example, the MXCSR > register contains reserved bits, which were not validated by the > KVM_SET_XSAVE ioctl until commit a575813bfe4b ("KVM: x86: Fix load > damaged SSEx MXCSR register"). > > Therefore, mitigate this class of vulnerability by restoring the FPU > registers from init_fpstate if restoring from the task's state fails. > > We actually used to do this, but it was (perhaps unwisely) removed by > commit 9ccc27a5d297 ("x86/fpu: Remove error return values from > copy_kernel_to_*regs() functions"). This new patch is also a bit > different in that it only clears the registers, not also the bad > in-memory state. This is simpler and makes it easier to make the > mitigation cover all callers of __copy_kernel_to_fpregs(). > I think this code could be cleaned up a lot in the process rather than adding even more complexity. What if you added an ex_handler_fprestore() in arch/x86/mm/extable.c and changed all the xrstor, etc users to invoke it via _ASM_HANDLE_EXTABLE? I don't even thing you'd need to have the C wrappers return a value -- ex_handler_fprestore() could do a WARN_ON_ONCE(). This would get rid of a few layers of wrappers and would get rid of branches and code size in the success path. --Andy
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.