Since the insn.prefixes.nbytes can be bigger than the size of
insn.prefixes.bytes[] when a same prefix is repeated, we have to
check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
of insn.prefixes.nbytes.
Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
Reported-by: Kees Cook <[email protected]>
Signed-off-by: Masami Hiramatsu <[email protected]>
---
arch/x86/boot/compressed/sev-es.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
index 954cb2702e23..6a7a3027c9ac 100644
--- a/arch/x86/boot/compressed/sev-es.c
+++ b/arch/x86/boot/compressed/sev-es.c
@@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
insn_get_prefixes(insn);
- for (i = 0; i < insn->prefixes.nbytes; i++) {
+ for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
insn_byte_t p = insn->prefixes.bytes[i];
if (p == 0xf2 || p == 0xf3)
On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> Since the insn.prefixes.nbytes can be bigger than the size of
> insn.prefixes.bytes[] when a same prefix is repeated, we have to
> check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> of insn.prefixes.nbytes.
>
> Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> Reported-by: Kees Cook <[email protected]>
> Signed-off-by: Masami Hiramatsu <[email protected]>
> ---
> arch/x86/boot/compressed/sev-es.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> index 954cb2702e23..6a7a3027c9ac 100644
> --- a/arch/x86/boot/compressed/sev-es.c
> +++ b/arch/x86/boot/compressed/sev-es.c
> @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
>
> insn_get_prefixes(insn);
>
> - for (i = 0; i < insn->prefixes.nbytes; i++) {
> + for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
Wouldn't it be better to create a #define for the size rather than hard
coding 4 in the various files? That would protect everything should the
bytes array size ever change in the future.
Thanks,
Tom
> insn_byte_t p = insn->prefixes.bytes[i];
>
> if (p == 0xf2 || p == 0xf3)
>
On Wed, Dec 02, 2020 at 09:31:57AM -0600, Tom Lendacky wrote:
> On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> > Since the insn.prefixes.nbytes can be bigger than the size of
> > insn.prefixes.bytes[] when a same prefix is repeated, we have to
> > check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> > of insn.prefixes.nbytes.
> >
> > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > Reported-by: Kees Cook <[email protected]>
> > Signed-off-by: Masami Hiramatsu <[email protected]>
> > ---
> > arch/x86/boot/compressed/sev-es.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> > index 954cb2702e23..6a7a3027c9ac 100644
> > --- a/arch/x86/boot/compressed/sev-es.c
> > +++ b/arch/x86/boot/compressed/sev-es.c
> > @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
> > insn_get_prefixes(insn);
> > - for (i = 0; i < insn->prefixes.nbytes; i++) {
> > + for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
You must test "i" before bytes[i] or you still do the out-of-bounds-read.
>
> Wouldn't it be better to create a #define for the size rather than hard
> coding 4 in the various files? That would protect everything should the
> bytes array size ever change in the future.
Agreed, and perhaps instead of repeating the idiom in the for loop, add
a helper like:
#define insn_prefix_valid(prefixes, i) (i >=0 && i < 4 && prefixes->bytes[i])
to be used like:
for (i = 0; insn_prefix_valid(&insn->prefixes, i); i++) {
>
> Thanks,
> Tom
>
> > insn_byte_t p = insn->prefixes.bytes[i];
> > if (p == 0xf2 || p == 0xf3)
> >
--
Kees Cook
On Wed, 2 Dec 2020 11:07:26 -0800
Kees Cook <[email protected]> wrote:
> On Wed, Dec 02, 2020 at 09:31:57AM -0600, Tom Lendacky wrote:
> > On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> > > Since the insn.prefixes.nbytes can be bigger than the size of
> > > insn.prefixes.bytes[] when a same prefix is repeated, we have to
> > > check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> > > of insn.prefixes.nbytes.
> > >
> > > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > > Reported-by: Kees Cook <[email protected]>
> > > Signed-off-by: Masami Hiramatsu <[email protected]>
> > > ---
> > > arch/x86/boot/compressed/sev-es.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> > > index 954cb2702e23..6a7a3027c9ac 100644
> > > --- a/arch/x86/boot/compressed/sev-es.c
> > > +++ b/arch/x86/boot/compressed/sev-es.c
> > > @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
> > > insn_get_prefixes(insn);
> > > - for (i = 0; i < insn->prefixes.nbytes; i++) {
> > > + for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
>
> You must test "i" before bytes[i] or you still do the out-of-bounds-read.
Oops, thanks.
>
> >
> > Wouldn't it be better to create a #define for the size rather than hard
> > coding 4 in the various files? That would protect everything should the
> > bytes array size ever change in the future.
>
> Agreed, and perhaps instead of repeating the idiom in the for loop, add
> a helper like:
>
> #define insn_prefix_valid(prefixes, i) (i >=0 && i < 4 && prefixes->bytes[i])
>
> to be used like:
>
> for (i = 0; insn_prefix_valid(&insn->prefixes, i); i++) {
Hm, for all of these usage, they are looping on the prefixes, so
for_each_insn_prefix(insn, idx, prefix) {
...
}
will be simpler.
Thank you,
>
> >
> > Thanks,
> > Tom
> >
> > > insn_byte_t p = insn->prefixes.bytes[i];
> > > if (p == 0xf2 || p == 0xf3)
> > >
>
> --
> Kees Cook
--
Masami Hiramatsu <[email protected]>