x86/fpu/signal: Sanitize the xstate check on sigframe

Utilize the check for the extended state magic in the FX software reserved bytes and set the parameters for restoring fx_only in the relevant members of fw_sw_user. This allows further cleanups on top because the data is consistent. Signed-off-by: N Thomas Gleixner <tglx@linutronix.de> Signed-off-by: N Borislav Petkov <bp@suse.de> Reviewed-by: N Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/20210623121457.277738268@linutronix.de

x86/fpu/signal: Sanitize the xstate check on sigframe
Utilize the check for the extended state magic in the FX software reserved bytes and set the parameters for restoring fx_only in the relevant members of fw_sw_user. This allows further cleanups on top because the data is consistent. Signed-off-by: N Thomas Gleixner <tglx@linutronix.de> Signed-off-by: N Borislav Petkov <bp@suse.de> Reviewed-by: N Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/20210623121457.277738268@linutronix.de
1258a8c8 · Thomas Gleixner · Borislav Petkov · 9ba589f9 · 1258a8c8
隐藏空白更改
内联并排

Showing with 33 addition and 37 deletion

arch/x86/kernel/fpu/signal.c arch/x86/kernel/fpu/signal.c +33 -37

未找到文件。
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -15,29 +15,30 @@
 #include <asm/sigframe.h>
 #include <asm/trace/fpu.h>
-static struct _fpx_sw_bytes fx_sw_reserved, fx_sw_reserved_ia32;
+static struct _fpx_sw_bytes fx_sw_reserved __ro_after_init;
+static struct _fpx_sw_bytes fx_sw_reserved_ia32 __ro_after_init;
 /*
 * Check for the presence of extended state information in the
 * user fpstate pointer in the sigcontext.
 */
-static inline int check_for_xstate(struct fxregs_state __user *buf,
+static inline int check_xstate_in_sigframe(struct fxregs_state __user *fxbuf,
-				   void __user *fpstate,
+					   struct _fpx_sw_bytes *fx_sw)
-				   struct _fpx_sw_bytes *fx_sw)
 {
 	int min_xstate_size = sizeof(struct fxregs_state) +
 			      sizeof(struct xstate_header);
+	void __user *fpstate = fxbuf;
 	unsigned int magic2;
-	if (__copy_from_user(fx_sw, &buf->sw_reserved[0], sizeof(*fx_sw)))
+	if (__copy_from_user(fx_sw, &fxbuf->sw_reserved[0], sizeof(*fx_sw)))
-		return -1;
+		return -EFAULT;
 	/* Check for the first magic field and other error scenarios. */
 	if (fx_sw->magic1 != FP_XSTATE_MAGIC1 ||
 	    fx_sw->xstate_size < min_xstate_size ||
 	    fx_sw->xstate_size > fpu_user_xstate_size ||
 	    fx_sw->xstate_size > fx_sw->extended_size)
-		return -1;
+		goto setfx;
 	/*
 	 * Check for the presence of second magic word at the end of memory
@@ -45,10 +46,18 @@ static inline int check_for_xstate(struct fxregs_state __user *buf,
 	 * fpstate layout with out copying the extended state information
 	 * in the memory layout.
 	 */
-	if (__get_user(magic2, (__u32 __user *)(fpstate + fx_sw->xstate_size))
+	if (__get_user(magic2, (__u32 __user *)(fpstate + fx_sw->xstate_size)))
-	    || magic2 != FP_XSTATE_MAGIC2)
+		return -EFAULT;
-		return -1;
+	if (likely(magic2 == FP_XSTATE_MAGIC2))
+		return 0;
+setfx:
+	trace_x86_fpu_xstate_check_failed(&current->thread.fpu);
+	/* Set the parameters for fx only state */
+	fx_sw->magic1 = 0;
+	fx_sw->xstate_size = sizeof(struct fxregs_state);
+	fx_sw->xfeatures = XFEATURE_MASK_FPSSE;
 	return 0;
 }
@@ -213,21 +222,15 @@ int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
 static inline void
 sanitize_restored_user_xstate(union fpregs_state *state,
-			      struct user_i387_ia32_struct *ia32_env,
+			      struct user_i387_ia32_struct *ia32_env, u64 mask)
-			      u64 user_xfeatures, int fx_only)
 {
 	struct xregs_state *xsave = &state->xsave;
 	struct xstate_header *header = &xsave->header;
 	if (use_xsave()) {
 		/*
-		 * Clear all feature bits which are not set in
+		 * Clear all feature bits which are not set in mask.
-		 * user_xfeatures and clear all extended features
+		 *
-		 * for fx_only mode.
-		 */
-		u64 mask = fx_only ? XFEATURE_MASK_FPSSE : user_xfeatures;
-		/*
 		 * Supervisor state has to be preserved. The sigframe
 		 * restore can only modify user features, i.e. @mask
 		 * cannot contain them.
@@ -286,24 +289,19 @@ static int __fpu_restore_sig(void __user *buf, void __user *buf_fx,
 	struct fpu *fpu = &tsk->thread.fpu;
 	struct user_i387_ia32_struct env;
 	u64 user_xfeatures = 0;
-	int fx_only = 0;
+	bool fx_only = false;
 	int ret = 0;
 	if (use_xsave()) {
 		struct _fpx_sw_bytes fx_sw_user;
-		if (unlikely(check_for_xstate(buf_fx, buf_fx, &fx_sw_user))) {
-			/*
+		ret = check_xstate_in_sigframe(buf_fx, &fx_sw_user);
-			 * Couldn't find the extended state information in the
+		if (unlikely(ret))
-			 * memory layout. Restore just the FP/SSE and init all
+			return ret;
-			 * the other extended state.
-			 */
+		fx_only = !fx_sw_user.magic1;
-			state_size = sizeof(struct fxregs_state);
+		state_size = fx_sw_user.xstate_size;
-			fx_only = 1;
+		user_xfeatures = fx_sw_user.xfeatures;
-			trace_x86_fpu_xstate_check_failed(fpu);
-		} else {
-			state_size = fx_sw_user.xstate_size;
-			user_xfeatures = fx_sw_user.xfeatures;
-		}
 	}
 	if (!ia32_fxstate) {
@@ -403,8 +401,7 @@ static int __fpu_restore_sig(void __user *buf, void __user *buf_fx,
 		if (ret)
 			return ret;
-		sanitize_restored_user_xstate(&fpu->state, envp, user_xfeatures,
+		sanitize_restored_user_xstate(&fpu->state, envp, user_xfeatures);
-					      fx_only);
 		fpregs_lock();
 		if (unlikely(init_bv))
@@ -422,8 +419,7 @@ static int __fpu_restore_sig(void __user *buf, void __user *buf_fx,
 		if (ret)
 			return -EFAULT;
-		sanitize_restored_user_xstate(&fpu->state, envp, user_xfeatures,
+		sanitize_restored_user_xstate(&fpu->state, envp, user_xfeatures);
-					      fx_only);
 		fpregs_lock();
 		if (use_xsave()) {