On Jan 20, 2015 5:59 AM, "Thomas Gleixner" <[email protected]> wrote: > > On Tue, 13 Jan 2015, Andy Lutomirski wrote: > > > This reduces the degree to which we're exposing the instruction decoder > > to malicious user code at very little complexity cost. > > > > Signed-off-by: Andy Lutomirski <[email protected]> > > --- > > arch/x86/mm/mpx.c | 25 ++++++++++++++++--------- > > 1 file changed, 16 insertions(+), 9 deletions(-) > > > > diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c > > index 67ebf5751222..a73004330732 100644 > > --- a/arch/x86/mm/mpx.c > > +++ b/arch/x86/mm/mpx.c > > @@ -230,6 +230,22 @@ static int mpx_insn_decode(struct insn *insn, > > */ > > if (!nr_copied) > > return -EFAULT; > > + > > + /* > > + * We only _really_ need to decode bndcl/bndcn/bndcu > > + * Error out on anything else. Check this before decoding the > > + * instruction to reduce our exposure to intentionally bad code > > + * to some extent. Note that this shortcut can incorrectly return > > + * -EINVAL instead of -EFAULT under some circumstances. This > > + * discrepancy has no effect. > > + */ > > + if (nr_copied < 2) > > + goto bad_opcode; > > + if (buf[0] != 0x0f) > > + goto bad_opcode; > > + if (buf[1] != 0x1a && buf[1] != 0x1b) > > + goto bad_opcode; > > These opcodes can never have a prefix? If so, then we want to add this > to the comment.
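Review bot: the `buf[0] != 0x0f` shortcut rejects the very instructions it is meant to admit, which is the prefix issue raised in the reply above. bndcl, bndcu and bndcn are encoded with a mandatory F2/F3 prefix (bndcl F3 0F 1A, bndcu F2 0F 1A, bndcn F2 0F 1B), and other legacy prefixes (segment override, 67h address-size) may legitimately precede the 0F escape, so buf[0] is a prefix byte, not 0x0f, and every real bound-check fault would `goto bad_opcode` and return -EINVAL before the decoder runs. Either skip over legacy prefix bytes before comparing the opcode (and check `nr_copied` against the adjusted offset rather than a fixed 2) or drop the pre-decode shortcut and keep the existing post-decode opcode check, which already sees the prefixes; in either case the comment should state which prefixes are expected.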
No, I think I just misunderstood the original code. Please disregard this patch.

--Andy

> > Thanks,
> > tglx

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/