Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 20 Sep 2017 08:41:00 -0700
From: Andy Lutomirski <luto@...nel.org>
To: Eric Biggers <ebiggers3@...il.com>
Cc: X86 ML <x86@...nel.org>, 
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, Andy Lutomirski <luto@...nel.org>, 
	Dave Hansen <dave.hansen@...ux.intel.com>, Dmitry Vyukov <dvyukov@...gle.com>, 
	Fenghua Yu <fenghua.yu@...el.com>, Ingo Molnar <mingo@...nel.org>, Kevin Hao <haokexin@...il.com>, 
	Oleg Nesterov <oleg@...hat.com>, Wanpeng Li <wanpeng.li@...mail.com>, 
	Yu-cheng Yu <yu-cheng.yu@...el.com>, Michael Halcrow <mhalcrow@...gle.com>, 
	Eric Biggers <ebiggers@...gle.com>
Subject: Re: [PATCH v2 3/3] x86/fpu: reinitialize FPU registers if restoring
 FPU state fails

> On Sep 19, 2017, at 5:44 PM, Eric Biggers <ebiggers3@...il.com> wrote:
>
> From: Eric Biggers <ebiggers@...gle.com>
>
> Userspace can change the FPU state of a task using the ptrace() or
> rt_sigreturn() system calls.  Because reserved bits in the FPU state can
> cause the XRSTOR instruction to fail, the kernel has to carefully
> validate that no reserved bits or other invalid values are being set.
>
> Unfortunately, there have been bugs in this validation code.  For
> example, we were not checking that the 'xcomp_bv' field in the
> xstate_header was 0.  As-is, such bugs are exploitable to read the FPU
> registers of other processes on the system.  To do so, an attacker can
> create a task, assign to it an invalid FPU state, then spin in a loop
> and monitor the values of the FPU registers.  Because the task's FPU
> registers are not being restored, sometimes the FPU registers will have
> the values from another process.
>
> This is likely to continue to be a problem in the future because the
> validation done by the CPU instructions like XRSTOR is not immediately
> visible to kernel developers.  Nor will invalid FPU states ever be
> encountered during ordinary use --- they will only be seen during
> fuzzing or exploits.  There can even be reserved bits outside the
> xstate_header which are easy to forget about.  For example, the MXCSR
> register contains reserved bits, which were not validated by the
> KVM_SET_XSAVE ioctl until commit a575813bfe4b ("KVM: x86: Fix load
> damaged SSEx MXCSR register").
>
> Therefore, mitigate this class of vulnerability by restoring the FPU
> registers from init_fpstate if restoring from the task's state fails.
>
> We actually used to do this, but it was (perhaps unwisely) removed by
> commit 9ccc27a5d297 ("x86/fpu: Remove error return values from
> copy_kernel_to_*regs() functions").  This new patch is also a bit
> different in that it only clears the registers, not also the bad
> in-memory state.  This is simpler and makes it easier to make the
> mitigation cover all callers of __copy_kernel_to_fpregs().
>

I think this code could be cleaned up a lot in the process rather than
adding even more complexity.  What if you added an
ex_handler_fprestore() in arch/x86/mm/extable.c and changed all the
xrstor, etc users to invoke it via _ASM_HANDLE_EXTABLE?  I don't even
thing you'd need to have the C wrappers return a value --
ex_handler_fprestore() could do a WARN_ON_ONCE().

This would get rid of a few layers of wrappers and would get rid of
branches and code size in the success path.

--Andy

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.