Date: Wed, 15 Sep 2021 13:15:03 +0530
From: Naresh Kamboju <naresh.kamboju@...aro.org>
To: Will Deacon <will@...nel.org>
Cc: open list <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Bill Wendling <morbo@...gle.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Peter Zijlstra <peterz@...radead.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] x86/uaccess: Fix 32-bit __get_user_asm_u64() when CC_HAS_ASM_GOTO_OUTPUT=y

On Mon, 13 Sept 2021 at 22:06, Will Deacon <will@...nel.org> wrote:
>
> Commit 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT")
> added an optimised version of __get_user_asm() for x86 using 'asm goto'.
>
> Like the non-optimised code, the 32-bit implementation of 64-bit get_user()
> expands to a pair of 32-bit accesses. Unlike the non-optimised code, the
> _original_ pointer is incremented to copy the high word instead of loading
> through a new pointer explicitly constructed to point at a 32-bit type.
> Consequently, if the pointer points at a 64-bit type then we end up
> loading the wrong data for the upper 32-bits.
>
> This was observed as a mount() failure in Android targeting i686 after
> b0cfcdd9b967 ("d_path: make 'prepend()' fill up the buffer exactly on
> overflow") because the call to copy_from_kernel_nofault() from
> prepend_copy() ends up in __get_kernel_nofault() and casts the source
> pointer to a 'u64 __user *'. An attempt to mount at "/debug_ramdisk"
> therefore ends up failing trying to mount "/debumdismdisk".
>
> Use the existing '__gu_ptr' source pointer to unsigned int for 32-bit
> __get_user_asm_u64() instead of the original pointer.
>
> Cc: Nick Desaulniers <ndesaulniers@...gle.com>
> Cc: Bill Wendling <morbo@...gle.com>
> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Ingo Molnar <mingo@...hat.com>
> Cc: Borislav Petkov <bp@...en8.de>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Reported-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> Fixes: 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT")
> Signed-off-by: Will Deacon <will@...nel.org>

This patch merged into Linux next (next-20210914) and the reported problem has been fixed.

Tested-by: Linux Kernel Functional Testing <lkft@...aro.org>

--
Linaro LKFT
https://lkft.linaro.org
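
The pointer-arithmetic error described in the quoted commit message, as an added user-space illustration that is not part of the original message or the kernel patch: it reads a 64-bit value as two 32-bit words and shows how taking the high word from the 64-bit-typed pointer plus one turns the name into the corrupted string from the report. The names get_u64, copy_chunks and mount_path are hypothetical, and both the widest-first chunk loop and the split of the path into "/" plus the name "debug_ramdisk" are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit read done as two 32-bit loads, as on 32-bit x86.
 * src must be 8-byte aligned; only memcpy touches the data. */
static void get_u64(char *dst, const char *src, int buggy)
{
    const uint64_t *ptr = (const uint64_t *)(const void *)src;    /* caller's 'u64 *' */
    const uint32_t *gu_ptr = (const uint32_t *)(const void *)src; /* '__gu_ptr' */
    /* ptr + 1 advances sizeof(u64) = 8 bytes; gu_ptr + 1 advances 4. */
    const void *hi = buggy ? (const void *)(ptr + 1) : (const void *)(gu_ptr + 1);

    memcpy(dst, gu_ptr, 4);   /* low word: correct in both variants */
    memcpy(dst + 4, hi, 4);   /* high word: wrong source when buggy */
}

/* Simplified model (assumption) of a widest-first copy: 8-byte chunks go
 * through get_u64(); the narrower tail is unaffected by the bug. */
static void copy_chunks(char *dst, const char *src, size_t len, int buggy)
{
    for (; len >= 8; dst += 8, src += 8, len -= 8)
        get_u64(dst, src, buggy);
    memcpy(dst, src, len);
}

/* Constructed input: the name from the report in an aligned, padded buffer,
 * so the buggy high-word read at offset 8 stays in bounds. */
static const char *mount_path(int buggy)
{
    static _Alignas(8) char name[16] = "debug_ramdisk";
    static char out[32];

    memset(out, 0, sizeof out);
    out[0] = '/';
    copy_chunks(out + 1, name, strlen(name), buggy);
    return out;
}

int main(void)
{
    printf("high word via u64 pointer + 1: %s\n", mount_path(1));
    printf("high word via u32 pointer + 1: %s\n", mount_path(0));
    return 0;
}
```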