From 109081e8beb75087da4c8c980c1574d4c5225687 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 10 Dec 2020 15:14:52 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch
---
 queue-5.4/series | 1 +
 ...ix-macro-to-loop-over-prefixes-bytes.patch | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 queue-5.4/x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch

diff --git a/queue-5.4/series b/queue-5.4/series
index f622135a3c1..4d1b30619da 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -51,3 +51,4 @@ dm-writecache-remove-bug-and-fail-gracefully-instead.patch
 input-i8042-fix-error-return-code-in-i8042_setup_aux.patch
 netfilter-nf_tables-avoid-false-postive-lockdep-splat.patch
 netfilter-nftables_offload-set-address-type-in-control-dissector.patch
+x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch
diff --git a/queue-5.4/x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch b/queue-5.4/x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch
new file mode 100644
index 00000000000..6fa98baec82
--- /dev/null
+++ b/queue-5.4/x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch
@@ -0,0 +1,55 @@
+From foo@baz Thu Dec 10 03:09:29 PM CET 2020
+From: Masami Hiramatsu
+Date: Thu, 3 Dec 2020 13:50:50 +0900
+Subject: x86/insn-eval: Use new for_each_insn_prefix() macro to loop over prefixes bytes
+
+From: Masami Hiramatsu
+
+commit 12cb908a11b2544b5f53e9af856e6b6a90ed5533 upstream
+
+Since insn.prefixes.nbytes can be bigger than the size of
+insn.prefixes.bytes[] when a prefix is repeated, the proper check must
+be
+
+ insn.prefixes.bytes[i] != 0 and i < 4
+
+instead of using insn.prefixes.nbytes. Use the new
+for_each_insn_prefix() macro which does it correctly.
+
+Debugged by Kees Cook .
+
+ [ bp: Massage commit message. ]
+
+Fixes: 32d0b95300db ("x86/insn-eval: Add utility functions to get segment selector")
+Reported-by: syzbot+9b64b619f10f19d19a7c@syzkaller.appspotmail.com
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Borislav Petkov
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/160697104969.3146288.16329307586428270032.stgit@devnote2
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/lib/insn-eval.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/lib/insn-eval.c
++++ b/arch/x86/lib/insn-eval.c
+@@ -70,14 +70,15 @@ static int get_seg_reg_override_idx(stru
+ {
+ int idx = INAT_SEG_REG_DEFAULT;
+ int num_overrides = 0, i;
++ insn_byte_t p;
+
+ insn_get_prefixes(insn);
+
+ /* Look for any segment override prefixes. */
+- for (i = 0; i < insn->prefixes.nbytes; i++) {
++ for_each_insn_prefix(insn, i, p) {
+ insn_attr_t attr;
+
+- attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]);
++ attr = inat_get_opcode_attribute(p);
+ switch (attr) {
+ case INAT_MAKE_PREFIX(INAT_PFX_CS):
+ idx = INAT_SEG_REG_CS;
--
2.47.3
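Review bot: The rewritten loop in get_seg_reg_override_idx() depends on `for_each_insn_prefix()`, and neither the series hunk nor this queued patch shows that macro being defined for 5.4, so the backport presumably relies on an earlier prerequisite; confirm it is already in the tree or listed above this entry in `queue-5.4/series`, since without it the file will not build. Per the commit message, `prefixes.nbytes` can exceed the size of `prefixes.bytes[]` when a prefix is repeated, which is why the old bound could index past the array. A short comment above the loop would keep that pattern from being reintroduced, e.g. `/* nbytes can exceed the size of prefixes.bytes[] for repeated prefixes; never use it as the loop bound. */`. The function body continues past the end of the inner hunk, so the remaining `switch` cases are not visible here.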