On Tue, 21 Jul 2020 10:59:07 +0200
Florian Weimer wrote:
> * Kevin Buettner:
>
> > This commit fixes a regression encountered while running the
> > gdb.base/corefile.exp test in GDB's test suite.
> >
> > In my testing, the typo prevented the sw_reserved field of struct
> > fxregs_state from being output to the kernel XSAVES area. Thus the
> > correct mask corresponding to XCR0 was not present in the core file
> > for GDB to interrogate, resulting in the following behavior:
> >
> > [kev@f32-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile
> > testsuite/outputs/gdb.base/corefile/corefile.core
> > Reading symbols from testsuite/outputs/gdb.base/corefile/corefile...
> > [New LWP 232880]
> >
> > warning: Unexpected size of section `.reg-xstate/232880' in core file.
> >
> > With the typo fixed, the test works again as expected.
> >
> > Signed-off-by: Kevin Buettner
> > ---
> > arch/x86/kernel/fpu/xstate.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
> > index 6a54e83d5589..9cf40a7ff7ae 100644
> > --- a/arch/x86/kernel/fpu/xstate.c
> > +++ b/arch/x86/kernel/fpu/xstate.c
> > @@ -1022,7 +1022,7 @@ int copy_xstate_to_kernel(void *kbuf, struct
> > xregs_state *xsave, unsigned int of
> > copy_part(offsetof(struct fxregs_state, st_space), 128,
> > >i387.st_space, , _start, );
> > if (header.xfeatures & XFEATURE_MASK_SSE)
> > - copy_part(xstate_offsets[XFEATURE_MASK_SSE], 256,
> > + copy_part(xstate_offsets[XFEATURE_SSE], 256,
> > >i387.xmm_space, , _start, );
> > /*
> > * Fill xsave->i387.sw_reserved value for ptrace frame:
>
> Does this read out-of-bounds, potentially disclosing kernel memory?
> Not if the system supports AVX, I assume.
An overlarge offset (first parameter) passed to copy_part() will cause
fill_gap() to be called which will copy data out of _fpstate.xsave.
Care is taken in both fill_gap and copy_part to not copy more data
than the remaining count.
So, I think the answer is "no".
Kevin
