From: Masami Hiramatsu
To: x86@kernel.org, Thomas Gleixner, Ingo Molnar, Borislav Petkov
Cc: Kees Cook, Masami Hiramatsu, H. Peter Anvin, Joerg Roedel, Tom Lendacky, Gustavo A. R. Silva, Jann Horn, Srikar Dronamraju, Ricardo Neri, linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/3] x86/insn: Fix not using prefixes.nbytes for loop over prefixes.bytes
Date: Thu, 3 Dec 2020 13:50:26 +0900
Message-Id: <160697102582.3146288.10127018634865687932.stgit@devnote2>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

Here is the 2nd version of the patches to fix the wrong loop boundary check on the insn.prefixes.bytes[] array.

The previous version is here:
https://lkml.kernel.org/r/160689905099.3084105.7880450206184269465.stgit@devnote2

In this version, I introduced the for_each_insn_prefix() macro for looping over the prefixes in the given instruction and fixed the out-of-bounds-read issue by checking the index first. Also, I sorted the patches so that the fix for the oldest commit becomes the first patch, because it will go into the older stable kernels, and that one introduces the new iteration macro.

Kees Cook got a syzbot warning and found this issue, and there were similar wrong boundary check patterns in the x86 code. Since insn.prefixes.nbytes can be bigger than the size of insn.prefixes.bytes[] when the same prefix is repeated, we have to check whether insn.prefixes.bytes[i] != 0 (*) and i < 4, instead of i < insn.prefixes.nbytes.

(*) Note that insn.prefixes.bytes[] should be zeroed in insn_init() before decoding, and 0x00 is not a legacy prefix. So if you see 0 in insn.prefixes.bytes[], it indicates the end of the array. Or, if prefixes.bytes[] is filled with prefix bytes, we can check that the index is less than 4.

Thank you,

---

Masami Hiramatsu (3):
      x86/uprobes: Fix not using prefixes.nbytes for loop over prefixes.bytes
      x86/insn-eval: Fix not using prefixes.nbytes for loop over prefixes.bytes
      x86/sev-es: Fix not using prefixes.nbytes for loop over prefixes.bytes

 arch/x86/boot/compressed/sev-es.c |    5 ++---
 arch/x86/include/asm/insn.h       |   15 +++++++++++++++
 arch/x86/kernel/uprobes.c         |   10 ++++++----
 arch/x86/lib/insn-eval.c          |   10 +++++-----
 4 files changed, 28 insertions(+), 12 deletions(-)

--
Masami Hiramatsu (Linaro)
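The cover letter above describes why iterating with `i < prefixes.nbytes` over a four-byte `prefixes.bytes[]` reads out of bounds. The following is an added, stand-alone C model of that bookkeeping; it is not the kernel's decoder or the series' for_each_insn_prefix() macro. It assumes the behaviour the letter states: a repeated legacy prefix is not stored a second time but still increments `nbytes`, and the array is zeroed before decoding so 0x00 marks its end. `decode_prefixes()`, `buggy_loop_oob_reads()`, `has_prefix()` and the `*_for` / `prefix_*` wrappers are hypothetical names chosen here; the instruction bytes are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of x86 legacy-prefix bookkeeping (assumption: mirrors
 * the behaviour the cover letter describes, not the kernel's struct insn). */
#define MAX_PREFIXES 4

struct insn_prefixes {
	unsigned char bytes[MAX_PREFIXES]; /* 0-terminated if fewer than 4 */
	unsigned char nbytes;              /* counts repeats, may exceed 4 */
};

static bool is_legacy_prefix(unsigned char b)
{
	switch (b) {
	case 0x26: case 0x2e: case 0x36: case 0x3e: /* ES/CS/SS/DS override */
	case 0x64: case 0x65:                       /* FS/GS override */
	case 0x66: case 0x67:                       /* operand/address size */
	case 0xf0: case 0xf2: case 0xf3:            /* LOCK, REPNE, REP */
		return true;
	default:
		return false;
	}
}

/* Decode the legacy prefixes at the start of @code into @p. A repeated
 * prefix is not stored again, but nbytes still counts it. Returns the
 * number of bytes consumed. */
static size_t decode_prefixes(const unsigned char *code, size_t len,
			      struct insn_prefixes *p)
{
	size_t pos = 0;

	memset(p, 0, sizeof(*p)); /* like insn_init(): bytes[] starts zeroed */
	while (pos < len && is_legacy_prefix(code[pos])) {
		unsigned char b = code[pos];
		int i, nb = 0;

		while (nb < MAX_PREFIXES && p->bytes[nb])
			nb++;
		for (i = 0; i < nb; i++)
			if (p->bytes[i] == b)
				goto found; /* same prefix again: only count it */
		if (nb == MAX_PREFIXES)
			break; /* a 5th distinct prefix: stop decoding */
		p->bytes[nb] = b;
found:
		p->nbytes++;
		pos++;
	}
	return pos;
}

/* The broken pattern: "for (i = 0; i < nbytes; i++) use bytes[i]".
 * Rather than dereferencing past the array, count how many indexes such a
 * loop would touch beyond bytes[MAX_PREFIXES - 1]. */
static int buggy_loop_oob_reads(const struct insn_prefixes *p)
{
	int i, oob = 0;

	for (i = 0; i < p->nbytes; i++)
		if (i >= MAX_PREFIXES)
			oob++;
	return oob;
}

/* The fixed pattern: bound the index by the array size and stop at the
 * 0 sentinel, checking the index before bytes[i] is read. */
static bool has_prefix(const struct insn_prefixes *p, unsigned char pfx)
{
	int i;

	for (i = 0; i < MAX_PREFIXES && p->bytes[i]; i++)
		if (p->bytes[i] == pfx)
			return true;
	return false;
}

/* Convenience wrappers that decode and query in one call. */
static int prefix_count(const unsigned char *code, size_t len)
{
	struct insn_prefixes p;
	decode_prefixes(code, len, &p);
	return p.nbytes;
}

static int oob_reads_for(const unsigned char *code, size_t len)
{
	struct insn_prefixes p;
	decode_prefixes(code, len, &p);
	return buggy_loop_oob_reads(&p);
}

static int prefix_seen(const unsigned char *code, size_t len, unsigned char pfx)
{
	struct insn_prefixes p;
	decode_prefixes(code, len, &p);
	return has_prefix(&p, pfx) ? 1 : 0;
}

int main(void)
{
	/* Constructed input: five repeated 0x66 prefixes, then NOP (0x90). */
	const unsigned char code[] = { 0x66, 0x66, 0x66, 0x66, 0x66, 0x90 };

	printf("nbytes=%d, buggy loop reads %d byte(s) past bytes[], has 0x66=%d\n",
	       prefix_count(code, sizeof(code)), oob_reads_for(code, sizeof(code)),
	       prefix_seen(code, sizeof(code), 0x66));
	return 0;
}
```

With five copies of 0x66 only `bytes[0]` is populated, yet `nbytes` is 5, so the `i < nbytes` loop would index `bytes[4]`; the bounded, sentinel-terminated loop never does. The same happens when four distinct prefixes fill the array and one of them repeats, which is the case where the 0 sentinel alone is not enough and the `i < 4` bound matters.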