On Wed, May 24, 2017 at 03:55:00PM +0200, Mateusz Jurczyk wrote: > In the current form of the code, if a->replacementlen is 0, the reference > to *insnbuf for comparison touches potentially garbage memory. While it > doesn't affect the execution flow due to the subsequent a->replacementlen > comparison, it is (rightly) detected as use of uninitialized memory by a > runtime instrumentation currently under my development, and could be > detected as such by other tools in the future, too (e.g. KMSAN). > > Fix the "false-positive" by reordering the conditions to first check the > replacement instruction length before referencing specific opcode bytes. > > Signed-off-by: Mateusz Jurczyk <[email protected]> > --- > Changes in v2: > - Add an explaining comment, as per Borislav Petkov's request. > > arch/x86/kernel/alternative.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c > index c5b8f760473c..32e14d137416 100644 > --- a/arch/x86/kernel/alternative.c > +++ b/arch/x86/kernel/alternative.c > @@ -409,8 +409,13 @@ void __init_or_module noinline apply_alternatives(struct > alt_instr *start, > memcpy(insnbuf, replacement, a->replacementlen); > insnbuf_sz = a->replacementlen; > > - /* 0xe8 is a relative jump; fix the offset. */ > - if (*insnbuf == 0xe8 && a->replacementlen == 5) { > + /* > + * 0xe8 is a relative jump; fix the offset. > + * > + * Instruction length is checked before the opcode to avoid > + * accessing uninitialized bytes for zero-length replacements. > + */ > + if (a->replacementlen == 5 && *insnbuf == 0xe8) { > *(s32 *)(insnbuf + 1) += replacement - instr; > DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx", > *(s32 *)(insnbuf + 1), > --
Reviewed-by: Borislav Petkov <[email protected]> -- Regards/Gruss, Boris. SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) --
