From: Masami Hiramatsu
To: x86@kernel.org, Thomas Gleixner, Ingo Molnar, Borislav Petkov
Cc: Kees Cook, Masami Hiramatsu, "H . Peter Anvin", Joerg Roedel, Tom Lendacky, "Gustavo A . R . Silva", Jann Horn, Srikar Dronamraju, Ricardo Neri, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/3] x86/insn-eval: Fix not using prefixes.nbytes for loop over prefixes.bytes
Date: Thu, 3 Dec 2020 13:50:50 +0900
Message-Id: <160697104969.3146288.16329307586428270032.stgit@devnote2>
In-Reply-To: <160697102582.3146288.10127018634865687932.stgit@devnote2>

Since the insn.prefixes.nbytes can be bigger than the size of insn.prefixes.bytes[] when the same prefix is repeated, we have to check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead of insn.prefixes.nbytes.

Fixes: 32d0b95300db ("x86/insn-eval: Add utility functions to get segment selector")
Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
Debugged-by: Kees Cook
Signed-off-by: Masami Hiramatsu
Cc: stable@vger.kernel.org
--- arch/x86/lib/insn-eval.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/x86/lib/insn-eval.c b/arch/x86/lib/insn-eval.c index 58f7fb95c7f4..4229950a5d78 100644 --- a/arch/x86/lib/insn-eval.c +++ b/arch/x86/lib/insn-eval.c @@ -63,13 +63,12 @@ static bool is_string_insn(struct insn *insn) */ bool insn_has_rep_prefix(struct insn *insn) { + insn_byte_t p; int i; insn_get_prefixes(insn); - for (i = 0; i < insn->prefixes.nbytes; i++) { - insn_byte_t p = insn->prefixes.bytes[i]; - + for_each_insn_prefix(insn, i, p) { if (p == 0xf2 || p == 0xf3) return true; } 
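
Review bot: for_each_insn_prefix() in insn_has_rep_prefix() is not defined in this diff, which only touches arch/x86/lib/insn-eval.c, so the patch depends on another change for the macro. Because the message carries Cc: stable, name that prerequisite in the changelog so a backport takes both. The loop bound is also hidden inside the macro now; a one-line comment above the loop saying that iteration stops at the first zero byte or at the end of prefixes.bytes[] would keep the intent visible at the call site.
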
@@ -95,14 +94,15 @@ static int get_seg_reg_override_idx(struct insn *insn) { int idx = INAT_SEG_REG_DEFAULT; int num_overrides = 0, i; + insn_byte_t p; insn_get_prefixes(insn); /* Look for any segment override prefixes. */ - for (i = 0; i < insn->prefixes.nbytes; i++) { + for_each_insn_prefix(insn, i, p) { insn_attr_t attr; - attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); + attr = inat_get_opcode_attribute(p); switch (attr) { case INAT_MAKE_PREFIX(INAT_PFX_CS): idx = INAT_SEG_REG_CS;
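
Review bot: in get_seg_reg_override_idx() the comment "Look for any segment override prefixes." should be updated, because the loop now walks only the bytes stored in prefixes.bytes[] while the changelog says prefixes.nbytes can exceed that array when a prefix is repeated. State in the comment whether num_overrides is meant to count stored prefix bytes rather than every prefix byte in the instruction, so a later reader does not reintroduce the nbytes bound. The visible hunk ends inside the switch, so how num_overrides is updated cannot be checked from these lines.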