| Message ID | 20170905084327.25062-2-kleber.souza@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Fix for CVE-2016-9178 | expand |
On 05/09/17 09:43, Kleber Sacilotto de Souza wrote: > From: Al Viro <viro@ZenIV.linux.org.uk> > > CVE-2016-9178 > > get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak > (at most we are leaking uninitialized 64bit value off the kernel stack, > and in a fairly constrained situation, at that), but the fix is trivial, > so... > > Cc: stable@vger.kernel.org > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > [ This sat in different branch from the uaccess fixes since mid-August ] > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > arch/x86/include/asm/uaccess.h | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h > index 8ec57c07b125..20e5bacf961c 100644 > --- a/arch/x86/include/asm/uaccess.h > +++ b/arch/x86/include/asm/uaccess.h > @@ -383,7 +383,11 @@ do { \ > #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ > asm volatile("1: mov"itype" %1,%"rtype"0\n" \ > "2:\n" \ > - _ASM_EXTABLE_EX(1b, 2b) \ > + ".section .fixup,\"ax\"\n" \ > + "3:xor"itype" %"rtype"0,%"rtype"0\n" \ > + " jmp 2b\n" \ > + ".previous\n" \ > + _ASM_EXTABLE_EX(1b, 3b) \ > : ltype(x) : "m" (__m(addr))) > > #define __put_user_nocheck(x, ptr, size) \ > Clean cherry pick, looks good to me. Acked-by: Colin Ian King <colin.king@canonical.com>
On 05.09.2017 10:43, Kleber Sacilotto de Souza wrote: > From: Al Viro <viro@ZenIV.linux.org.uk> > > CVE-2016-9178 > > get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak > (at most we are leaking uninitialized 64bit value off the kernel stack, > and in a fairly constrained situation, at that), but the fix is trivial, > so... > > Cc: stable@vger.kernel.org > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > [ This sat in different branch from the uaccess fixes since mid-August ] > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > (cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af) > Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > arch/x86/include/asm/uaccess.h | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h > index 8ec57c07b125..20e5bacf961c 100644 > --- a/arch/x86/include/asm/uaccess.h > +++ b/arch/x86/include/asm/uaccess.h > @@ -383,7 +383,11 @@ do { \ > #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ > asm volatile("1: mov"itype" %1,%"rtype"0\n" \ > "2:\n" \ > - _ASM_EXTABLE_EX(1b, 2b) \ > + ".section .fixup,\"ax\"\n" \ > + "3:xor"itype" %"rtype"0,%"rtype"0\n" \ > + " jmp 2b\n" \ > + ".previous\n" \ > + _ASM_EXTABLE_EX(1b, 3b) \ > : ltype(x) : "m" (__m(addr))) > > #define __put_user_nocheck(x, ptr, size) \ >
Applied to trusty/master-next branch. Thanks.
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 8ec57c07b125..20e5bacf961c 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -383,7 +383,11 @@ do { \ #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ asm volatile("1: mov"itype" %1,%"rtype"0\n" \ "2:\n" \ - _ASM_EXTABLE_EX(1b, 2b) \ + ".section .fixup,\"ax\"\n" \ + "3:xor"itype" %"rtype"0,%"rtype"0\n" \ + " jmp 2b\n" \ + ".previous\n" \ + _ASM_EXTABLE_EX(1b, 3b) \ : ltype(x) : "m" (__m(addr))) #define __put_user_nocheck(x, ptr, size) \