Re: [PATCH 1/3] x86/sev-es: Fix not using prefixes.nbytes for loop over prefixes.bytes
From: Kees Cook
Date: Wed Dec 02 2020 - 14:08:34 EST
On Wed, Dec 02, 2020 at 09:31:57AM -0600, Tom Lendacky wrote:
> On 12/2/20 2:51 AM, Masami Hiramatsu wrote:
> > Since the insn.prefixes.nbytes can be bigger than the size of
> > insn.prefixes.bytes[] when a same prefix is repeated, we have to
> > check whether the insn.prefixes.bytes[i] != 0 and i < 4 instead
> > of insn.prefixes.nbytes.
> >
> > Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
> > Reported-by: Kees Cook <keescook@xxxxxxxxxxxx>
> > Signed-off-by: Masami Hiramatsu <mhiramat@xxxxxxxxxx>
> > ---
> > arch/x86/boot/compressed/sev-es.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/boot/compressed/sev-es.c b/arch/x86/boot/compressed/sev-es.c
> > index 954cb2702e23..6a7a3027c9ac 100644
> > --- a/arch/x86/boot/compressed/sev-es.c
> > +++ b/arch/x86/boot/compressed/sev-es.c
> > @@ -36,7 +36,7 @@ static bool insn_has_rep_prefix(struct insn *insn)
> > insn_get_prefixes(insn);
> > - for (i = 0; i < insn->prefixes.nbytes; i++) {
> > + for (i = 0; insn->prefixes.bytes[i] && i < 4; i++) {
You must test "i" before bytes[i] or you still do the out-of-bounds-read.
>
> Wouldn't it be better to create a #define for the size rather than hard
> coding 4 in the various files? That would protect everything should the
> bytes array size ever change in the future.
Agreed, and perhaps instead of repeating the idiom in the for loop, add
a helper like:
#define insn_prefix_valid(prefixes, i) (i >=0 && i < 4 && prefixes->bytes[i])
to be used like:
for (i = 0; insn_prefix_valid(&insn->prefixes, i); i++) {
>
> Thanks,
> Tom
>
> > insn_byte_t p = insn->prefixes.bytes[i];
> > if (p == 0xf2 || p == 0xf3)
> >
--
Kees Cook