From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Thomas Gleixner, Borislav Petkov, Greg Kroah-Hartman
Subject: [PATCH 5.12 079/110] x86/fpu: Preserve supervisor states in sanitize_restored_user_xstate()
Date: Mon, 28 Jun 2021 10:17:57 -0400
Message-Id: <20210628141828.31757-80-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210628141828.31757-1-sashal@kernel.org>
References: <20210628141828.31757-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.12.14-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.12.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.12.14-rc1
X-KernelTest-Deadline: 2021-06-30T14:18+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Thomas Gleixner

commit 9301982c424a003c0095bf157154a85bf5322bd0 upstream.

sanitize_restored_user_xstate() preserves the supervisor states only
when the fx_only argument is zero, which allows unprivileged user space
to put supervisor states back into init state.

Preserve them unconditionally.

[ bp: Fix a typo or two in the text. ]

Fixes: 5d6b6a6f9b5c ("x86/fpu/xstate: Update sanitize_restored_xstate() for supervisor xstates")
Signed-off-by: Thomas Gleixner
Signed-off-by: Borislav Petkov
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20210618143444.438635017@linutronix.de
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kernel/fpu/signal.c | 26 ++++++++------------------
 1 file changed, 8 insertions(+), 18 deletions(-)

diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index ec3ae3054792..b7b92cdf3add 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -221,28 +221,18 @@ sanitize_restored_user_xstate(union fpregs_state *state, if (use_xsave()) { /* - * Note: we don't need to zero the reserved bits in the - * xstate_header here because we either didn't copy them at all, - * or we checked earlier that they aren't set. + * Clear all feature bits which are not set in + * user_xfeatures and clear all extended features + * for fx_only mode. */ + u64 mask = fx_only ? XFEATURE_MASK_FPSSE : user_xfeatures; /* - * 'user_xfeatures' might have bits clear which are - * set in header->xfeatures. This represents features that - * were in init state prior to a signal delivery, and need - * to be reset back to the init state. Clear any user - * feature bits which are set in the kernel buffer to get - * them back to the init state. - * - * Supervisor state is unchanged by input from userspace. - * Ensure supervisor state bits stay set and supervisor - * state is not modified. + * Supervisor state has to be preserved. The sigframe + * restore can only modify user features, i.e. @mask + * cannot contain them. */ - if (fx_only) - header->xfeatures = XFEATURE_MASK_FPSSE; - else - header->xfeatures &= user_xfeatures | - xfeatures_mask_supervisor(); + header->xfeatures &= mask | xfeatures_mask_supervisor(); } if (use_fxsr()) { -- 2.30.2
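Review bot: the replacement `header->xfeatures &= mask | xfeatures_mask_supervisor();` changes the fx_only path in a second way that the commit message does not mention: the removed code assigned `header->xfeatures = XFEATURE_MASK_FPSSE;`, which forced the FP and SSE bits set, while the new `&=` can only clear bits, so an FP or SSE bit that is already clear in the header stays clear (init state) after an fx_only restore. A sentence in the commit message, or a line in the new comment block, confirming that clear-only behaviour is intended would help the next reader. Also, the new comment's statement that @mask "cannot contain" supervisor features holds by construction for XFEATURE_MASK_FPSSE, but for the `user_xfeatures` arm it relies on the caller having already restricted that value to user features, which is outside this hunk; worth saying so in the comment.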
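The commit message says the pre-fix code let user space reset supervisor states through the fx_only path. The following C model of the two mask computations, an added example and not kernel code, makes the difference visible at the bit level; the FP/SSE/YMM/PASID bit positions and the assumption that PASID is the only supervisor feature are mine, not taken from the patch.

```c
/* Model of the sanitize_restored_user_xstate() mask logic before and after
 * the fix (added example, not kernel code). Bit positions follow the x86
 * XSAVE feature numbering; treating PASID as the only supervisor feature
 * is an assumption made to keep the model small. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define XFEATURE_MASK_FP     (1ULL << 0)
#define XFEATURE_MASK_SSE    (1ULL << 1)
#define XFEATURE_MASK_YMM    (1ULL << 2)
#define XFEATURE_MASK_PASID  (1ULL << 10)   /* a supervisor feature */
#define XFEATURE_MASK_FPSSE  (XFEATURE_MASK_FP | XFEATURE_MASK_SSE)

/* Stand-in for the kernel's xfeatures_mask_supervisor(): the set of
 * supervisor features; assumed to be just PASID in this model. */
static uint64_t xfeatures_mask_supervisor(void)
{
    return XFEATURE_MASK_PASID;
}

/* Pre-fix logic: the fx_only branch overwrites the header, so every
 * supervisor bit that was set is dropped (reset to init state). */
uint64_t sanitize_old(uint64_t xfeatures, uint64_t user_xfeatures, bool fx_only)
{
    if (fx_only)
        return XFEATURE_MASK_FPSSE;
    return xfeatures & (user_xfeatures | xfeatures_mask_supervisor());
}

/* Post-fix logic: one mask that can only clear user bits; supervisor bits
 * are always ORed back in, so a sigframe restore cannot touch them. */
uint64_t sanitize_new(uint64_t xfeatures, uint64_t user_xfeatures, bool fx_only)
{
    uint64_t mask = fx_only ? XFEATURE_MASK_FPSSE : user_xfeatures;
    return xfeatures & (mask | xfeatures_mask_supervisor());
}

int main(void)
{
    /* Constructed state: FP, SSE, YMM and the supervisor PASID feature in use. */
    uint64_t hdr  = XFEATURE_MASK_FPSSE | XFEATURE_MASK_YMM | XFEATURE_MASK_PASID;
    uint64_t user = XFEATURE_MASK_FPSSE | XFEATURE_MASK_YMM;

    printf("fx_only restore, old: %#llx  new: %#llx\n",
           (unsigned long long)sanitize_old(hdr, user, true),
           (unsigned long long)sanitize_new(hdr, user, true));
    return 0;
}
```

With fx_only set, the old function returns 0x3 (PASID gone), the new one 0x403 (PASID kept); without fx_only both agree.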