Commit bc404e79 authored by Andi Kleen's avatar Andi Kleen Committed by Linus Torvalds

[PATCH] i386 stack frame security fix

This fixes a potential security issue on i386. FXRSTOR raises an #GP
when the MXCSR field in the FXSAVE frame contains illegal values. By
putting a signal frame just at a border to an unmapped page a malicious
user could potentially cause an exception in the context switch using this.
When the EFAULT occurs in the last bytes of the signal frame the MXCSR
check would be skipped in the old code, but the rogue value would be already
in task_struct, causing problems later.

Here is the minimal fix for this.

Originally discovered by Andrea while doing x86-64 work. It was fixed in
a different, somewhat more intrusive way on x86-64 - all FXRSTOR in the
kernel are guarded by exception handlers.
parent 9edd824d
......@@ -357,14 +357,14 @@ static inline int restore_i387_fsave( struct _fpstate *buf )
static inline int restore_i387_fxsave( struct _fpstate *buf )
{
int err;
struct task_struct *tsk = current;
clear_fpu( tsk );
if ( __copy_from_user( &tsk->thread.i387.fxsave, &buf->_fxsr_env[0],
sizeof(struct i387_fxsave_struct) ) )
return 1;
err = __copy_from_user( &tsk->thread.i387.fxsave, &buf->_fxsr_env[0],
sizeof(struct i387_fxsave_struct) );
/* mxcsr bit 6 and 31-16 must be zero for security reasons */
tsk->thread.i387.fxsave.mxcsr &= 0xffbf;
return convert_fxsr_from_user( &tsk->thread.i387.fxsave, buf );
return err ? 1 : convert_fxsr_from_user( &tsk->thread.i387.fxsave, buf );
}
int restore_i387( struct _fpstate *buf )
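Review bot: the reordering in this hunk is the whole fix, and it would be worth a comment on the masking line saying so. In the removed lines the early `return 1` after `__copy_from_user` skipped the `tsk->thread.i387.fxsave.mxcsr &= 0xffbf;` line, so a fault in the last bytes of the frame left an unmasked MXCSR in `task_struct`; the new version keeps the result in `err`, applies the mask unconditionally, and only then returns `err ? 1 : convert_fxsr_from_user(...)`. The mask value matches the existing comment (0xffbf clears bit 6 and bits 31-16). Without an explicit note that the mask must precede the error return, a later cleanup that reintroduces the early-return pattern would silently bring the problem back. Also note that on the error path the rest of the fxsave area may still hold a partially copied frame; only MXCSR is sanitised here, which is consistent with the commit message calling this the minimal fix.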