| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <156742768563.30370.14506895450404848829.tip-bot2@tip-bot2>
Date: Mon, 02 Sep 2019 12:34:45 -0000
From: "tip-bot2 for Peter Zijlstra" <tip-bot2@...utronix.de>
To: linux-tip-commits@...r.kernel.org
Cc: Randy Dunlap <rdunlap@...radead.org>,
"Peter Zijlstra (Intel)" <peterz@...radead.org>,
Josh Poimboeuf <jpoimboe@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>, broonie@...nel.org,
sfr@...b.auug.org.au, akpm@...ux-foundation.org, mhocko@...e.cz,
Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
linux-kernel@...r.kernel.org
Subject: [tip: x86/urgent] x86/uaccess: Don't leak the AC flags into
__get_user() argument evaluation
The following commit has been merged into the x86/urgent branch of tip:
Commit-ID: 9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5
Gitweb: https://git.kernel.org/tip/9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5
Author: Peter Zijlstra <peterz@...radead.org>
AuthorDate: Thu, 29 Aug 2019 10:24:45 +02:00
Committer: Peter Zijlstra <peterz@...radead.org>
CommitterDate: Mon, 02 Sep 2019 14:22:38 +02:00
x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation
Identical to __put_user(); the __get_user() argument evalution will too
leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
While uncommon this was observed to happen for:
drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))
where UBSAN added array bound checking.
This complements commit:
6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")
Tested-by Sedat Dilek <sedat.dilek@...il.com>
Reported-by: Randy Dunlap <rdunlap@...radead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
Reviewed-by: Josh Poimboeuf <jpoimboe@...hat.com>
Reviewed-by: Thomas Gleixner <tglx@...utronix.de>
Cc: broonie@...nel.org
Cc: sfr@...b.auug.org.au
Cc: akpm@...ux-foundation.org
Cc: Randy Dunlap <rdunlap@...radead.org>
Cc: mhocko@...e.cz
Cc: Josh Poimboeuf <jpoimboe@...hat.com>
Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net
---
arch/x86/include/asm/uaccess.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 9c44353..35c225e 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -444,8 +444,10 @@ __pu_label: \
({ \
int __gu_err; \
__inttype(*(ptr)) __gu_val; \
+ __typeof__(ptr) __gu_ptr = (ptr); \
+ __typeof__(size) __gu_size = (size); \
__uaccess_begin_nospec(); \
- __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
+ __get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT); \
__uaccess_end(); \
(x) = (__force __typeof__(*(ptr)))__gu_val; \
__builtin_expect(__gu_err, 0); \
Powered by blists - more mailing lists