commit | 7eb8c8fb29fd8b6620c66f502bbed182f1b6c5c4 |
---|---|---
author | Marco Vanotti <mvanotti@google.com> | Tue Apr 28 02:39:21 2020 +0000
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | Tue Apr 28 02:39:21 2020 +0000
tree | 75aac34e9842ead31d603a135a803750c8d8f267 |
parent | 102bedf5e86861d3fd9009783193f90562be6eca |
[zircon][debugger] Don't write reserved part of mxcsr register.

This CL fixes a kernel panic in zircon, in which the `zx_thread_write_state` syscall could overwrite the entire `mxcsr`, including the reserved bits. According to section "10.2.3 MXCSR Control and Status Register" in Intel's Software Developer Manual Volume 1: Basic Architecture, writing a non-zero value to the reserved bits causes a general protection fault.

The fix reads the mxcsr_mask from the `x86_xsave_legacy_area` and checks whether the function is trying to write into a non-set bit. Note that it's possible for the mxcsr_mask to be zero, and in that case, the mask is hard-coded to the value 0x0000ffbf, as specified by the Intel and AMD manuals[0][1].

If the mxcsr has invalid bits, the function returns `ZX_ERR_INVALID_ARGS`, not copying anything to the fxsave area.

I added a unit test to test this behavior: writing all ones to the register would trigger a general protection fault if this fix is not included.

To run the test:

```
$ fx set bringup.x64 \
    --with-base //garnet/packages/tests:zircon \
    --with-base //bundles/bringup:tests
```

And run it with `runtests -t threads-test`

BUG=50632

This vulnerability was reported by: Quarkslab

[0]: Intel 64 and IA-32 Architectures Software Developer’s Manual Volume 1: Basic Architecture, Section 11.6.6 Guidelines for Writing to the MXCSR Register
[1]: AMD64 Architecture Programmer’s Manual Volume 2: System Programming, Section 11.5.9 MXCSR State Management

Change-Id: If1794258a086e20beb24591e63d8da87b74b828a
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/383146
Commit-Queue: Marco Vanotti <mvanotti@google.com>
Reviewed-by: Gianfranco Valentino <gevalentino@google.com>
Reviewed-by: Venkatesh Srinivas <venkateshs@google.com>
Reviewed-by: Brett Wilson <brettw@google.com>
Testability-Review: Gianfranco Valentino <gevalentino@google.com>
Testability-Review: Brett Wilson <brettw@google.com>
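The check the commit message describes, written out as an added illustration that is not Zircon's own code. It models only the two FXSAVE fields the check needs, MXCSR at byte offset 24 and MXCSR_MASK at byte offset 28 of the 512-byte legacy area (the layout the Intel SDM documents for FXSAVE), applies the 0x0000ffbf fallback when the hardware reports a zero mask, and refuses any value with a bit set outside the mask before touching the save area. The struct name, the `STATUS_*` codes standing in for `ZX_OK`/`ZX_ERR_INVALID_ARGS`, and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-only model of the 512-byte FXSAVE legacy area. Only MXCSR
 * (offset 24) and MXCSR_MASK (offset 28) are named; the surrounding
 * x87/SSE state is left as opaque padding. Not Zircon's struct. */
typedef struct {
    uint8_t  header[24];      /* FCW, FSW, FTW, FOP, FIP, FDP: not modelled */
    uint32_t mxcsr;           /* offset 24 */
    uint32_t mxcsr_mask;      /* offset 28, written by FXSAVE; may read as 0 */
    uint8_t  rest[512 - 32];  /* ST0-7/MM0-7 and XMM registers: not modelled */
} fxsave_area_t;

/* Mask to use when the CPU reports mxcsr_mask == 0 (value cited above). */
#define MXCSR_MASK_DEFAULT 0x0000ffbfu

/* Hypothetical status codes standing in for ZX_OK / ZX_ERR_INVALID_ARGS. */
enum { STATUS_OK = 0, STATUS_INVALID_ARGS = -10 };

/* Bits of MXCSR that this CPU allows software to set. */
uint32_t effective_mxcsr_mask(const fxsave_area_t *area) {
    return area->mxcsr_mask != 0 ? area->mxcsr_mask : MXCSR_MASK_DEFAULT;
}

/* Validate a caller-supplied MXCSR value against the mask and store it only
 * if every set bit is permitted. A reserved bit makes the whole write fail
 * and the save area is left exactly as it was, so a later FXRSTOR/XRSTOR
 * never sees a value that would raise #GP. */
int write_mxcsr_checked(fxsave_area_t *area, uint32_t new_mxcsr) {
    uint32_t mask = effective_mxcsr_mask(area);
    uint32_t reserved_bits = new_mxcsr & ~mask;
    if (reserved_bits != 0) {
        return STATUS_INVALID_ARGS;
    }
    area->mxcsr = new_mxcsr;
    return STATUS_OK;
}

int main(void) {
    fxsave_area_t area;
    memset(&area, 0, sizeof(area));   /* constructed sample: CPU reported mask 0 */

    /* The commit's unit test case: all ones must be rejected. */
    int rc = write_mxcsr_checked(&area, 0xffffffffu);
    printf("write 0xffffffff -> %d, mxcsr still 0x%08x\n", rc, area.mxcsr);

    /* The power-on default MXCSR (0x1f80: all exceptions masked) is fine. */
    rc = write_mxcsr_checked(&area, 0x1f80u);
    printf("write 0x1f80     -> %d, mxcsr now 0x%08x\n", rc, area.mxcsr);

    /* Bit 6 (DAZ) is outside the 0xffbf fallback mask, so it is rejected
     * until the hardware advertises it via a non-zero mxcsr_mask. */
    rc = write_mxcsr_checked(&area, 0x1f80u | 0x40u);
    printf("write DAZ (mask 0)     -> %d\n", rc);
    area.mxcsr_mask = 0x0000ffffu;
    rc = write_mxcsr_checked(&area, 0x1f80u | 0x40u);
    printf("write DAZ (mask ffff)  -> %d\n", rc);
    return 0;
}
```

The DAZ case is why the mask has to come from the CPU rather than a constant alone: 0x0000ffbf is the conservative floor, while a CPU that supports denormals-are-zero reports bit 6 in MXCSR_MASK and the same write then succeeds.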
Pink + Purple == Fuchsia (a new operating system)
Fuchsia is a modular, capability-based operating system. Fuchsia runs on modern 64-bit Intel and ARM processors.
Fuchsia is an open source project with a code of conduct that we expect everyone who interacts with the project to respect.
See Getting Started.
See fuchsia.dev.