x86/fpu: Validate the init_fpstate size

The init_fpstate is statically-allocated. But the setup code is missing to validate the init_fpstate.xsave buffer against init_fpstate.size. Add sanity check to stop XSTATE if the space is not enough. Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com>
intel · Aug 9, 2022 · e1dead9 · e1dead9
1 parent c17cdb7
commit e1dead9
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
@@ -349,17 +349,23 @@ static __init void os_xrstor_booting(struct xregs_state *xstate)
 /*
  * setup the xstate image representing the init state
  */
-static void __init setup_init_fpu_buf(void)
+static int __init setup_init_fpu_buf(void)
 {
 	BUILD_BUG_ON((XFEATURE_MASK_USER_SUPPORTED |
 		      XFEATURE_MASK_SUPERVISOR_SUPPORTED) !=
 		     XFEATURES_INIT_FPSTATE_HANDLED);
 
 	if (!boot_cpu_has(X86_FEATURE_XSAVE))
-		return;
+		return -ENODEV;
 
 	print_xstate_features();
 
+	if (init_fpstate.size > sizeof(union fpregs_state)) {
+		pr_err("x86/fpu: init_fpstate (%lu bytes) is not enough for the configured size:"
+		       "%u bytes\n", sizeof(union fpregs_state), init_fpstate.size);
+		return -EINVAL;
+	}
+
 	xstate_init_xcomp_bv(&init_fpstate.regs.xsave, init_fpstate.xfeatures);
 
 	/*
@@ -384,6 +390,7 @@ static void __init setup_init_fpu_buf(void)
 	 * here.
 	 */
 	fxsave(&init_fpstate.regs.fxsave);
+	return 0;
 }
 
 int xfeature_size(int xfeature_nr)
@@ -879,7 +886,9 @@ void __init fpu__init_system_xstate(unsigned int legacy_size)
 	init_fpstate.size		= fpu_kernel_cfg.max_size;
 	init_fpstate.xfeatures		= fpu_kernel_cfg.max_features;
 
-	setup_init_fpu_buf();
+	err = setup_init_fpu_buf();
+	if (err)
+		goto out_disable;
 
 	/*
 	 * Paranoia check whether something in the setup modified the