+static void sigusr1(int sig, siginfo_t *info, void *uc_void) +{
ucontext_t *uc = uc_void;uint8_t *fpstate = (uint8_t *)uc->uc_mcontext.fpregs;uint64_t *xfeatures = (uint64_t *)(fpstate + 512);printf("\tOriginal XFEATURES = 0x%lx\n", *xfeatures);*(xfeatures+2) = 0xfffffff;//*xfeatures = ~(uint64_t)0;+}
I was trying to think of something which might be more durable than this, like if a new feature started using bytes 16->23 for something useful.
How about a memset() of the entire 64-byte header to 0xff?
On to
[PATCH v3 2/5] x86/fpu: Fix state corruption in ...
Instead of trying to give sensible semantics to the fpu clear functions in the presence of XSAVE header corruption, simply avoid corrupting the header in the first place by using copy_user_to_xstate().
Should we mention that the verbatim copying via __copy_from_user() copies the (bad) reserved bit contents and how copy_user_to_xstate() avoids it?
Maybe:
__copy_from_user() copies the entire user buffer into the kernel buffer, verbatim. This means that the kernel buffer may now contain entirely invalid state on which XRSTOR will #GP. validate_user_xstate_header() can detect some of that corruption, but that leaves the onus on callers to clear the buffer.
Avoid corruption of the kernel XSAVE buffer. Use copy_user_to_xstate() which validates the XSAVE header contents *BEFORE* copying the buffer into the kernel.
Note: copy_user_to_xstate() was previously only called for compacted-format kernel buffers. It functions for both compacted and non-compacted forms. Using it for the non-compacted form will be slower because of multiple __copy_from_user() operations in the compacted-format code, but that cost is less important than simpler code in an already slow path.
--- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -405,14 +405,7 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) if (use_xsave() && !fx_only) { u64 init_bv = xfeatures_mask_user() & ~user_xfeatures;
if (using_compacted_format()) {ret = copy_user_to_xstate(&fpu->state.xsave, buf_fx);} else {ret = __copy_from_user(&fpu->state.xsave, buf_fx, state_size);if (!ret && state_size > offsetof(struct xregs_state, header))ret = validate_user_xstate_header(&fpu->state.xsave.header);}
ret = copy_user_to_xstate(&fpu->state.xsave, buf_fx); if (ret) goto err_out;