From: Andrei Vagin
Date: Wed, 17 Jan 2024 14:30:55 -0800
Subject: Re: [PATCH] x86/fpu: verify xstate buffer size according with requested features
To: Dave Hansen
Cc: Andrei Vagin, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, LKML, x86@kernel.org, "H. Peter Anvin"
In-Reply-To: <30cd0be4-705f-4d63-bdad-fc57301e7eda@intel.com>
References: <20240116234901.3238852-1-avagin@google.com> <30cd0be4-705f-4d63-bdad-fc57301e7eda@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 17, 2024 at 11:34 AM Dave Hansen wrote:
>
> .. adding LKML.
> More context here:
>
> https://lore.kernel.org/all/20240116234901.3238852-1-avagin@google.com/
>
> On 1/16/24 15:49, Andrei Vagin wrote:
> > +	/* xstate_size has to fit all requested components. */
> > +	if (fx_sw->xstate_size != fpstate->user_size) {
> > +		int min_xstate_size =
> > +			xstate_calculate_size(fx_sw->xfeatures, false);
> > +
> > +		if (min_xstate_size < 0 ||
> > +		    fx_sw->xstate_size < min_xstate_size ||
> > +		    fx_sw->xstate_size > fpstate->user_size)
> > +			goto setfx;
> > +	}
>
> The bug here is that the buffer from userspace is garbage and the (XSAVE
> XSTATE_BV) metadata doesn't match the size of the buffer.  Right?

right

> This proposed fix just checks another piece of user-supplied metadata
> instead: fx_sw->xstate_size.
>
> Can't userspace just provide more bad data there and end up with the
> same problem?

It can't... I would not post this change if I thought otherwise...

> Seems like the real problem here is that the fault_in_readable() doesn't
> match the XRSTOR.  It's going to continue to be a problem as long as we
> don't know what memory XRSTOR tried to access.  We can try all day long
> to precalculate what XRSTOR _will_ do, but that seems a bit silly

I don't understand this part. The behavior of XRSTOR is well-defined by
CPU specifications, allowing us to easily precalculate the memory it will
attempt to access. What does it mean "we don't know what memory XRSTOR
tried to access"? xrstor restores only features that are set in
fx_sw->xfeatures.

> because the CPU knows where the fault happened.  It told us in CR2 and
> all we have to do is plumb that back to fault_in_readable().

I considered this option as well, but then I decided that this approach is
better. The most important aspect is that it always rejects bad buffers,
allowing user space to detect an issue even when a fault isn't triggered.
I believe proper handling of xrstor page faults could be a valuable
additional improvement to this change.
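Review bot: the hunk feeds the raw user-supplied fx_sw->xfeatures into xstate_calculate_size() without first confirming it is a subset of fpstate->user_xfeatures; unless that mask is validated before this point (not visible in the hunk), a stray high bit selects a topmost component the kernel does not expect, and the computed minimum size then says nothing about what XRSTOR will actually read. Add `if (fx_sw->xfeatures & ~fpstate->user_xfeatures) goto setfx;` ahead of the size computation; that also covers the `xstate_size == user_size` case, which as written skips every check. Second, the `min_xstate_size < 0` test only works if xstate_calculate_size() really reports failure with a negative return; confirm that is its contract, because in the tree it is declared to return unsigned int, which makes that test dead and silently truncates a large result on assignment to `int`. Declaring min_xstate_size as unsigned int and dropping the `< 0` test also removes the mixed-sign comparison against fx_sw->xstate_size, which is a __u32 in struct _fpx_sw_bytes.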
If we detect a fault outside of a provided buffer, we can print a warning
to signal that check_xstate_in_sigframe is incomplete.

> It would take a little XSTATE_OP() munging to pass something back other
> than 'err', but that doesn't seem insurmountable.
>
> Anybody have better ideas?
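The point argued in the reply above, that the memory a standard-format XRSTOR will read is determined by the requested feature mask and can therefore be compared against the user-supplied xstate_size, is illustrated by the following added example. It is not code from the patch or from the kernel tree: the component offset/size table, the XFEATURE numbering subset and the supported-feature mask describe a hypothetical AVX-512 machine (real values come from CPUID leaf 0xD and vary by CPU), and xstate_min_size(), sigframe_xstate_ok() and check_frame() are this example's own names. It also goes one step beyond the hunk by rejecting a feature mask that contains bits the kernel does not support in the signal frame.

```c
/*
 * Added example, not kernel code: model of the sigframe xstate size check.
 * Layout values below are constructed for a hypothetical AVX-512 machine.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XFEATURE_FP        0
#define XFEATURE_SSE       1
#define XFEATURE_YMM       2
#define XFEATURE_OPMASK    5
#define XFEATURE_ZMM_Hi256 6
#define XFEATURE_Hi16_ZMM  7
#define XFEATURE_MAX       8   /* only the components modelled here */

#define XFEATURE_MASK(f)    (1ULL << (f))
#define XFEATURE_MASK_FPSSE (XFEATURE_MASK(XFEATURE_FP) | XFEATURE_MASK(XFEATURE_SSE))

/* Legacy FXSAVE region (512 bytes) followed by the 64-byte XSAVE header. */
#define XSAVE_HDR_OFFSET 512
#define XSAVE_HDR_SIZE    64

/* Constructed standard-format layout: fixed offset and size per component. */
static const unsigned int xstate_offsets[XFEATURE_MAX] = {
	[XFEATURE_YMM] = 576, [XFEATURE_OPMASK] = 1088,
	[XFEATURE_ZMM_Hi256] = 1152, [XFEATURE_Hi16_ZMM] = 1664,
};
static const unsigned int xstate_sizes[XFEATURE_MAX] = {
	[XFEATURE_YMM] = 256, [XFEATURE_OPMASK] = 64,
	[XFEATURE_ZMM_Hi256] = 512, [XFEATURE_Hi16_ZMM] = 1024,
};

/* Features the (hypothetical) kernel allows in a signal frame. */
static const uint64_t user_xfeatures =
	XFEATURE_MASK_FPSSE | XFEATURE_MASK(XFEATURE_YMM) |
	XFEATURE_MASK(XFEATURE_OPMASK) | XFEATURE_MASK(XFEATURE_ZMM_Hi256) |
	XFEATURE_MASK(XFEATURE_Hi16_ZMM);

/* The two user-controlled _fpx_sw_bytes fields that matter for the check. */
struct fpx_sw_bytes {
	uint64_t xfeatures;
	uint32_t xstate_size;
};

static int fls64(uint64_t x) { int n = 0; while (x) { n++; x >>= 1; } return n; }

/*
 * Smallest standard-format buffer that holds every component in @xfeatures.
 * XRSTOR in standard format reads only components selected by the requested
 * mask, each at its fixed offset, so the highest set component bounds the
 * memory it can touch. Returns 0 if the mask contains unsupported bits.
 */
static unsigned int xstate_min_size(uint64_t xfeatures)
{
	int topmost;

	if (!xfeatures || (xfeatures & ~user_xfeatures))
		return 0;
	topmost = fls64(xfeatures) - 1;
	if (topmost <= XFEATURE_SSE)
		return XSAVE_HDR_OFFSET + XSAVE_HDR_SIZE;   /* legacy + header only */
	return xstate_offsets[topmost] + xstate_sizes[topmost];
}

/* Accept the frame only if xstate_size covers all requested components. */
static bool sigframe_xstate_ok(const struct fpx_sw_bytes *fx_sw,
			       unsigned int user_size)
{
	unsigned int min_size = xstate_min_size(fx_sw->xfeatures);

	return min_size != 0 &&
	       fx_sw->xstate_size >= min_size &&
	       fx_sw->xstate_size <= user_size;
}

/* Convenience wrapper: build the metadata a signal frame would carry. */
static bool check_frame(uint64_t xfeatures, uint32_t xstate_size,
			unsigned int user_size)
{
	struct fpx_sw_bytes fx_sw = { .xfeatures = xfeatures,
				      .xstate_size = xstate_size };
	return sigframe_xstate_ok(&fx_sw, user_size);
}

int main(void)
{
	unsigned int user_size = 1664 + 1024;   /* full buffer on this machine */
	uint64_t ymm = XFEATURE_MASK_FPSSE | XFEATURE_MASK(XFEATURE_YMM);

	printf("FP/SSE+YMM, 832 bytes:  %s\n", check_frame(ymm, 832, user_size) ? "ok" : "rejected");
	printf("FP/SSE+YMM, 800 bytes:  %s\n", check_frame(ymm, 800, user_size) ? "ok" : "rejected");
	printf("unsupported bit 9:      %s\n",
	       check_frame(ymm | XFEATURE_MASK(9), user_size, user_size) ? "ok" : "rejected");
	return 0;
}
```

A frame whose xstate_size is below the minimum for its mask is rejected before any XRSTOR runs, whether or not the short buffer would have faulted, which is the "always rejects bad buffers" property the reply argues for.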