| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160916194532.GY2356@ZenIV.linux.org.uk>
Date: Fri, 16 Sep 2016 20:45:33 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Guenter Roeck <linux@...ck-us.net>
Cc: linux-kernel@...r.kernel.org,
Yoshinori Sato <ysato@...rs.sourceforge.jp>,
linux-sh@...r.kernel.org, Rich Felker <dalias@...c.org>
Subject: Re: Runtime failure running sh:qemu in -next due to 'sh: fix
copy_from_user()'
On Fri, Sep 16, 2016 at 12:12:18PM -0700, Guenter Roeck wrote:
> Hi,
>
> I see the following runtime failure when running a 'sh' image with qemu in -next.
> Bisect points to commit 6e050503a150 ("sh: fix copy_from_user()"). Bisect log is
> attached.
Does reverting it recover the thing?
The change in question is
if (__copy_size && __access_ok(__copy_from, __copy_size))
- return __copy_user(to, from, __copy_size);
+ __copy_size = __copy_user(to, from, __copy_size);
+
+ if (unlikely(__copy_size))
+ memset(to + (n - __copy_size), 0, __copy_size);
return __copy_size;
so the only difference is zeroing the tail of destination; return value
remains the same in all cases (what used to be return foo(); becomes
__copy_size = foo(); /* operations not modifying __copy_size */
return __copy_size;) and that memset is 100% legitimate -
copy_from_user(to, from, n) returning m means that the last m bytes of
[to .. to + n - 1] have not been copied into and must be zeroed.
If it affects anything at all, we have a serious problem somewhere in the
caller.
Powered by blists - more mailing lists