Commit 6164331d authored by Andy Lutomirski, committed by Borislav Petkov

x86/fpu: Rewrite xfpregs_set()

xfpregs_set() was incomprehensible.  Almost all of the complexity was due
to trying to support nonsensically sized writes or -EFAULT errors that
would have partially or completely overwritten the destination before
failing.  Nonsensically sized input would only have been possible using
PTRACE_SETREGSET on REGSET_XFP.  Fortunately, it appears (based on Debian
code search results) that no one uses that API at all, let alone with the
wrong sized buffer.  Failed user access can be handled more cleanly by
first copying to kernel memory.

Just rewrite it to require sensible input.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20210623121452.504234607@linutronix.de
parent 3a335112
...@@ -47,30 +47,39 @@ int xfpregs_set(struct task_struct *target, const struct user_regset *regset, ...@@ -47,30 +47,39 @@ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
const void *kbuf, const void __user *ubuf) const void *kbuf, const void __user *ubuf)
{ {
struct fpu *fpu = &target->thread.fpu; struct fpu *fpu = &target->thread.fpu;
struct user32_fxsr_struct newstate;
int ret; int ret;
if (!boot_cpu_has(X86_FEATURE_FXSR)) BUILD_BUG_ON(sizeof(newstate) != sizeof(struct fxregs_state));
if (!cpu_feature_enabled(X86_FEATURE_FXSR))
return -ENODEV; return -ENODEV;
/* No funny business with partial or oversized writes is permitted. */
if (pos != 0 || count != sizeof(newstate))
return -EINVAL;
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
if (ret)
return ret;
/* Mask invalid MXCSR bits (for historical reasons). */
newstate.mxcsr &= mxcsr_feature_mask;
fpu__prepare_write(fpu); fpu__prepare_write(fpu);
fpstate_sanitize_xstate(fpu);
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, /* Copy the state */
&fpu->state.fxsave, 0, -1); memcpy(&fpu->state.fxsave, &newstate, sizeof(newstate));
/* /* Clear xmm8..15 */
* mxcsr reserved bits must be masked to zero for security reasons. BUILD_BUG_ON(sizeof(fpu->state.fxsave.xmm_space) != 16 * 16);
*/ memset(&fpu->state.fxsave.xmm_space[8], 0, 8 * 16);
fpu->state.fxsave.mxcsr &= mxcsr_feature_mask;
/* /* Mark FP and SSE as in use when XSAVE is enabled */
* update the header bits in the xsave header, indicating the if (use_xsave())
* presence of FP and SSE state.
*/
if (boot_cpu_has(X86_FEATURE_XSAVE))
fpu->state.xsave.header.xfeatures |= XFEATURE_MASK_FPSSE; fpu->state.xsave.header.xfeatures |= XFEATURE_MASK_FPSSE;
return ret; return 0;
} }
int xstateregs_get(struct task_struct *target, const struct user_regset *regset, int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
......
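Review bot: In the "Clear xmm8..15" step, `memset(&fpu->state.fxsave.xmm_space[8], 0, 8 * 16)` mixes units: the start index 8 is counted in array elements while the length `8 * 16` is in bytes, and the `BUILD_BUG_ON` just above it only pins the total size of `xmm_space` to 256 bytes, not its element size. Unless each element is exactly 16 bytes, the zeroed range does not line up with xmm8..15; with a smaller element type it starts early, wiping lower registers that were just copied from `newstate` and leaving the top ones set. Compute the start as a byte offset (128 bytes into `xmm_space`) or add a build-time check on `sizeof(fpu->state.fxsave.xmm_space[0])`. The clear is also unconditional, so the comment should say why the upper eight registers are discarded for every caller of this regset.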