| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200721.182432.1321288727189331162.davem@davemloft.net>
Date: Tue, 21 Jul 2020 18:24:32 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: viro@...iv.linux.org.uk
Cc: sparclinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] sparc32: fix a user-triggerable oops in clear_user()
From: Al Viro <viro@...iv.linux.org.uk>
Date: Mon, 20 Jul 2020 02:21:51 +0100
> Back in 2.1.29 the clear_user() guts (__bzero()) had been merged
> with memset(). Unfortunately, while all exception handlers had been
> copied, one of the exception table entries got lost. As the result,
> clear_user() starting at 128*n bytes before the end of page and
> spanning between 8 and 127 bytes into the next page would oops when
> the second page is unmapped. It's trivial to reproduce - all
> it takes is
>
> main()
> {
> int fd = open("/dev/zero", O_RDONLY);
> char *p = mmap(NULL, 16384, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANON, -1, 0);
> munmap(p + 8192, 8192);
> read(fd, p + 8192 - 128, 192);
> }
>
> which had been oopsing since March 1997. Says something about
> the quality of test coverage... ;-/ And while today sparc32 port
> is nearly dead, back in '97 it had been very much alive; in fact,
> sparc64 had only been in mainline for 3 months by that point...
>
> Cc: stable@...nel.org
> Fixes: v2.1.29
> Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
Applied, thanks Al.
Powered by blists - more mailing lists