On Tue, Sep 19, 2017 at 5:44 PM, Eric Biggers <[email protected]> wrote: > From: Eric Biggers <[email protected]> > > This is a second attempt to fix the bug found by syzkaller where the > ptrace syscall can be used to set invalid bits in a task's FPU state. > I also found that an equivalent bug was reachable using the sigreturn > syscall, so the first patch fixes the bug in both cases. > > The other two patches start validating the other parts of the > xstate_header and make it so that invalid FPU states can no longer be > abused to leak the FPU registers of other processes. > > Eric Biggers (3): > x86/fpu: don't let userspace set bogus xcomp_bv > x86/fpu: tighten validation of user-supplied xstate_header > x86/fpu: reinitialize FPU registers if restoring FPU state fails
This series looks sensible to me! Thanks for getting this fixed up. Reviewed-by: Kees Cook <[email protected]> -Kees > > arch/x86/include/asm/fpu/internal.h | 29 ++++++++++++++++++++--------- > arch/x86/include/asm/fpu/xstate.h | 19 +++++++++++++++++++ > arch/x86/kernel/fpu/core.c | 16 ++++++++++++++++ > arch/x86/kernel/fpu/regset.c | 20 +++++++++----------- > arch/x86/kernel/fpu/signal.c | 15 +++++++++++---- > arch/x86/kernel/fpu/xstate.c | 27 ++++++++++----------------- > 6 files changed, 85 insertions(+), 41 deletions(-) > > -- > 2.14.1.690.gbb1197296e-goog > -- Kees Cook Pixel Security
