Hi! (stable removed from cc).
> [ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]
>
> Objtool spotted that we call native_load_gs_index() with AC set.
> Re-arrange the code to avoid that.
Does this introduce undefined behaviour?
>
> @@ -72,6 +71,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
> struct sigcontext_32 __user *sc)
> {
> unsigned int tmpflags, err = 0;
> + u16 gs, fs, es, ds;
> void __user *buf;
> u32 tmp;
>
> @@ -79,16 +79,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
> current->restart_block.fn = do_no_restart_syscall;
>
> get_user_try {
> - /*
> - * Reload fs and gs if they have changed in the signal
> - * handler. This does not handle long fs/gs base changes in
> - * the handler, but does not clobber them at least in the
> - * normal case.
> - */
> - RELOAD_SEG(gs);
> - RELOAD_SEG(fs);
> - RELOAD_SEG(ds);
> - RELOAD_SEG(es);
> + gs = GET_SEG(gs);
es is unitialized at this point, and we can trap.
> + fs = GET_SEG(fs);
> + ds = GET_SEG(ds);
> + es = GET_SEG(es);
>
> COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
> COPY(dx); COPY(cx); COPY(ip); COPY(ax);
> @@ -106,6 +100,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
> buf = compat_ptr(tmp);
> } get_user_catch(err);
>
> + /*
> + * Reload fs and gs if they have changed in the signal
> + * handler. This does not handle long fs/gs base changes in
> + * the handler, but does not clobber them at least in the
> + * normal case.
> + */
> + RELOAD_SEG(gs);
> + RELOAD_SEG(fs);
> + RELOAD_SEG(ds);
> + RELOAD_SEG(es);
> +
But now we use uninitialized value in es...
> err |= fpu__restore_sig(buf, 1);
>
> force_iret();
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures)
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
signature.asc
Description: Digital signature
