On Mon, Dec 29, 2014 at 4:52 PM, Andy Lutomirski <l...@amacapital.net> wrote: > This reduces the degree to which we're exposing the instruction decoder > to malicious user code at very little complexity cost.
Don't apply this as is -- it's obviously incorrect. I'll send a v2 in a couple of days.

However: can an MPX instruction use a segment override? FS and GS seem plausible for TLS. If so, is the current decoding logic handling it correctly? Presumably the byte 0 == 0x0f check will completely prevent it from working, even if the decode logic would later forget to correct for the segment base.

--Andy

> > Signed-off-by: Andy Lutomirski <l...@amacapital.net> > --- > arch/x86/mm/mpx.c | 26 +++++++++++++++++--------- > 1 file changed, 17 insertions(+), 9 deletions(-) > > diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c > index 082ab9c4ac1c..cefa615becb3 100644 > --- a/arch/x86/mm/mpx.c > +++ b/arch/x86/mm/mpx.c > @@ -230,6 +230,23 @@ static int mpx_insn_decode(struct insn *insn, > */ > if (!nr_copied) > return -EFAULT; > + > + /* > + * We only _really_ need to decode bndcl/bndcn/bndcu > + * Error out on anything else. Check this before decoding the > + * instruction to reduce our exposure to intentionally bad code > + * to some extent. Note that this shortcut cat incorrectly return > + * -EINVAL instead of -EFAULT under some circumstances. This > + * discrepency has no effect. > + */ > + if (nr_copied < 2) > + goto bad_opcode; > + if (insn->opcode.bytes[0] != 0x0f) > + goto bad_opcode; > + if ((insn->opcode.bytes[1] != 0x1a) && > + (insn->opcode.bytes[1] != 0x1b)) > + goto bad_opcode; > + > insn_init(insn, buf, nr_copied, x86_64); > insn_get_length(insn); > /* 
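Review bot: the three new checks in this hunk read insn->opcode.bytes[0] and insn->opcode.bytes[1] before insn_init() and insn_get_opcode() have run, so they compare whatever the struct held on entry rather than the bytes just copied into buf; that is presumably the "obviously incorrect" part. A v2 cannot simply substitute buf[0]/buf[1] either: bndcl/bndcu/bndcn carry a mandatory F3/F2 prefix, and a segment override or REX byte can precede the 0x0f escape as well, so a raw byte-0 == 0x0f test rejects every valid encoding. If a pre-decode filter is wanted, skip prefix bytes explicitly before comparing, or keep the filter after insn_get_opcode() where the decoder has already consumed them. Also fix the comment typos: "this shortcut cat incorrectly return" -> "can incorrectly return", and "discrepency" -> "discrepancy".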
> @@ -244,15 +261,6 @@ static int mpx_insn_decode(struct insn *insn, > return -EFAULT; > > insn_get_opcode(insn); > - /* > - * We only _really_ need to decode bndcl/bndcn/bndcu > - * Error out on anything else. > - */ > - if (insn->opcode.bytes[0] != 0x0f) > - goto bad_opcode; > - if ((insn->opcode.bytes[1] != 0x1a) && > - (insn->opcode.bytes[1] != 0x1b)) > - goto bad_opcode; > > return 0; > bad_opcode: > -- > 2.1.0 > -- Andy Lutomirski AMA Capital Management, LLC
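Review bot: deleting the check that followed insn_get_opcode(insn) leaves nothing after decoding that confirms the instruction is bndcl/bndcn/bndcu, and this is the one point in the function where opcode.bytes[0]/[1] are guaranteed to hold the 0x0f escape and the opcode byte, because the decoder has already stepped past any prefixes. Keep these lines (an early pre-filter can be added in addition, not instead), so that the -EINVAL path at bad_opcode still covers an instruction that decoded cleanly but is not an MPX bounds check.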