Google Git
Sign in
fuchsia / fuchsia / 7eb8c8fb29fd8b6620c66f502bbed182f1b6c5c4
commit7eb8c8fb29fd8b6620c66f502bbed182f1b6c5c4[log] [tgz]
authorMarco Vanotti <mvanotti@google.com>Tue Apr 28 02:39:21 2020 +0000
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Tue Apr 28 02:39:21 2020 +0000
tree75aac34e9842ead31d603a135a803750c8d8f267
parent102bedf5e86861d3fd9009783193f90562be6eca [diff]
[zircon][debugger] Don't write reserved part of mxcsr register.

This CL fixes a kernel panic in zircon, in which the
`zx_thread_write_state` syscall could overwrite the entire `mxcsr`,
including the reserved bits.

According to section "10.2.3 MXCSR Control and Status Register" in
Intel's Software Developer Manual Volume 1: Basic Architecture,
writing a non-zero value to the reserved bits causes a general
protection fault.

The fix reads the mxcsr_mask from the `x86_xsave_legacy_area` and checks
whether the function is trying to write into a non-set bit. Note that
it's possible for the mxcsr_mask to be zero, and in that case, the mask
is hard-coded to the value 0x0000ffbf, as specified by the intel and amd
manuals[0][1].

If the mxcsr has invalid bits, the function returns `ZX_ERR_INVALID_ARGS`,
not copying anything to the fxsave area.

I added a unit test to test this behavior: writing all ones to the
register would trigger a general protection fault if this fix is not included.

To run the test:

```
$ fx set bringup.x64 \
    --with-base //garnet/packages/tests:zircon \
    --with-base //bundles/bringup:tests
```

And run it with `runtests -t threads-test`

BUG=50632
This vulnerability was reported by: Quarkslab

[0]: Intel 64 and IA-32 Architectures Software Developer’s Manual
       Volume 1: Basic Architecture
       Section: 11.6.6 Guidelines for Writing to the MXCSR Register
[1]: AMD64 Architecture Programmer’s Manual
       Volume 2: System Programming
       Section: 11.5.9  MXCSR State Management

Change-Id: If1794258a086e20beb24591e63d8da87b74b828a
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/383146
Commit-Queue: Marco Vanotti <mvanotti@google.com>
Reviewed-by: Gianfranco Valentino <gevalentino@google.com>
Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
Reviewed-by: Brett Wilson <brettw@google.com>
Testability-Review: Gianfranco Valentino <gevalentino@google.com>
Testability-Review: Brett Wilson <brettw@google.com>
2 files changed
tree: 75aac34e9842ead31d603a135a803750c8d8f267
  1. boards/
  2. build/
  3. bundles/
  4. docs/
  5. examples/
  6. garnet/
  7. products/
  8. scripts/
  9. sdk/
  10. src/
  11. third_party/
  12. tools/
  13. zircon/
  14. .clang-format
  15. .clang-tidy
  16. .dir-locals.el
  17. .gitattributes
  18. .gitignore
  19. .gn
  20. .style.yapf
  21. AUTHORS
  22. BUILD.gn
  23. CODE_OF_CONDUCT.md
  24. CONTRIBUTING.md
  25. LICENSE
  26. OWNERS
  27. PATENTS
  28. README.md
  29. rustfmt.toml
README.md

Fuchsia

Pink + Purple == Fuchsia (a new operating system)

What is Fuchsia?

Fuchsia is a modular, capability-based operating system. Fuchsia runs on modern 64-bit Intel and ARM processors.

Fuchsia is an open source project with a code of conduct that we expect everyone who interacts with the project to respect.

How can I build and run Fuchsia?

See Getting Started.

Where can I learn more about Fuchsia?

See fuchsia.dev.