Skip to content

fix: bound nest counter in bsdkm vecreg save#10874

Draft
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/bsdkm-vecreg-nest-overflow
Draft

fix: bound nest counter in bsdkm vecreg save#10874
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/bsdkm-vecreg-nest-overflow

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bug: In bsdkm/x86_vecreg.c, wolfkmod_vecreg_save() increments the per-CPU nest counter (volatile u_int, line 33) with no upper bound. The re-entrant KERNFPU-active path (was line 168) increments nest on every nested SAVE_VECTOR_REGISTERS(). If it ever wrapped UINT_MAX -> 0, wolfkmod_vecreg_restore() would treat nest == 0 as the last level and call fpu_kern_leave() prematurely, releasing kernel FPU context while outer logical nesting frames still hold it — corrupting FPU/SIMD state or leaking kernel register state to userspace.

Fix: Add a bound check before each increment in wolfkmod_vecreg_save(); on saturation, print an error and return EINVAL (the RESTORE_VECTOR_REGISTERS() path already tolerates a failed save). No behavioral change on the normal path. UINT_MAX is available via <sys/param.h> -> <sys/limits.h>, already included by wolfkmod.c:25.

Severity is low (defense-in-depth): reaching the wrap requires 2^32 unmatched save calls, which would itself be a runaway calling-code bug. The second increment site is already guarded by the preceding nest != 0 check, so it cannot overflow in practice; the guard is added there too for symmetry.

How verified: BSD/amd64 kernel module — not buildable on Linux. Source- and preprocessor-analyzed against master 4c68523; the edited guard construct was compiled clean with gcc -Wall -Wextra -Werror -fsyntax-only, and <sys/param.h> inclusion at wolfkmod.c:25 was confirmed to supply UINT_MAX.

Reported by static analysis (Fenrir finding 655).

[fenrir-sweep:held]

Copilot AI review requested due to automatic review settings July 9, 2026 23:47

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds an overflow guard to the per-CPU nest counter in wolfkmod_vecreg_save() to prevent wraparound from causing premature fpu_kern_leave() and potential FPU/SIMD state corruption.

Changes:

  • Check nest against UINT_MAX before incrementing (both increment sites).
  • On saturation, emit an error and return EINVAL to stop further nesting.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread bsdkm/x86_vecreg.c
td_tid, curthread->td_tid);
return (EINVAL);
}
if (fpu_states[PCPU_GET(cpuid)].nest == UINT_MAX) {
Comment thread bsdkm/x86_vecreg.c
Comment on lines +169 to +170
printf("error: wolfkmod_vecreg_save: nest overflow\n");
return (EINVAL);
Comment thread bsdkm/x86_vecreg.c
Comment on lines +168 to 172
if (fpu_states[PCPU_GET(cpuid)].nest == UINT_MAX) {
printf("error: wolfkmod_vecreg_save: nest overflow\n");
return (EINVAL);
}
fpu_states[PCPU_GET(cpuid)].nest++;
@MarkAtwood MarkAtwood assigned MarkAtwood and unassigned wolfSSL-Bot Jul 10, 2026
@MarkAtwood MarkAtwood marked this pull request as draft July 10, 2026 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants