RE: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking

Mon, 10 Jun 2024 23:57:21 -0700 

> From: Kees Cook <k...@kernel.org>
> [...]
> Subject: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range
> checking
> 
> When reworking the range checking for get_user(), the get_user_8() case on
> 32-bit wasn't zeroing the high register. (The jump to bad_get_user_8 was
> accidentally dropped.) Restore the correct error handling destination (and
> rename the jump to using the expected ".L" prefix).
> 
> While here, switch to using a named argument ("size") for the call template
> ("%c4" to "%c[size]") as already used in the other call templates in this 
> file.
> 
> Found after moving the usercopy selftests to KUnit:
> 
>       # usercopy_test_invalid: EXPECTATION FAILED at
>       lib/usercopy_kunit.c:278
>       Expected val_u64 == 0, but
>           val_u64 == -60129542144 (0xfffffff200000000)
> 
> Reported-by: David Gow <david...@google.com>
> Closes: https://lore.kernel.org/all/CABVgOSn=tb=Lj9SxHuT4_9MTjjKVxsq-
> ikdxc4kgho4cfkv...@mail.gmail.com
> Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user()
> and put_user()")
> Signed-off-by: Kees Cook <k...@kernel.org>
> [...]
>  arch/x86/include/asm/uaccess.h | 4 ++--
>  arch/x86/lib/getuser.S         | 6 +++++-
>  2 files changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/include/asm/uaccess.h
> b/arch/x86/include/asm/uaccess.h index 0f9bab92a43d..3a7755c1a441
> 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -78,10 +78,10 @@ extern int __get_user_bad(void);
>       int __ret_gu;                                                   \
>       register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX);            \
>       __chk_user_ptr(ptr);                                            \
> -     asm volatile("call __" #fn "_%c4"                               \
> +     asm volatile("call __" #fn "_%c[size]"                          \
>                    : "=a" (__ret_gu), "=r" (__val_gu),                \
>                       ASM_CALL_CONSTRAINT
>       \
> -                  : "0" (ptr), "i" (sizeof(*(ptr))));                \
> +                  : "0" (ptr), [size] "i" (sizeof(*(ptr))));         \
>       instrument_get_user(__val_gu);
>       \
>       (x) = (__force __typeof__(*(ptr))) __val_gu;                    \
>       __builtin_expect(__ret_gu, 0);                                  \
> diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S index
> 10d5ed8b5990..a1cb3a4e6742 100644
> --- a/arch/x86/lib/getuser.S
> +++ b/arch/x86/lib/getuser.S
> @@ -44,7 +44,11 @@
>       or %rdx, %rax
>  .else
>       cmp $TASK_SIZE_MAX-\size+1, %eax
> +.if \size != 8
>       jae .Lbad_get_user
> +.else
> +     jae .Lbad_get_user_8
> +.endif
>       sbb %edx, %edx          /* array_index_mask_nospec() */
>       and %edx, %eax
>  .endif
> @@ -154,7 +158,7 @@ SYM_CODE_END(__get_user_handle_exception)
>  #ifdef CONFIG_X86_32
>  SYM_CODE_START_LOCAL(__get_user_8_handle_exception)
>       ASM_CLAC
> -bad_get_user_8:
> +.Lbad_get_user_8:
>       xor %edx,%edx
>       xor %ecx,%ecx
>       mov $(-EFAULT),%_ASM_AX
> --
> 2.34.1

LGTM. Thanks!

Reviewed-by: Qiuxu Zhuo <qiuxu.z...@intel.com>

Reply via email to