| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Nov 2021 17:34:17 +0100
From: Vincent Whitchurch <vincent.whitchurch@...s.com>
To: <catalin.marinas@....com>, <will@...nel.org>,
<mark.rutland@....com>
CC: <kernel@...s.com>, <linux-arm-kernel@...ts.infradead.org>,
<linux-kernel@...r.kernel.org>,
Vincent Whitchurch <vincent.whitchurch@...s.com>
Subject: [PATCH] arm64: uaccess: fix put_user() with TTBR0 PAN
The value argument to put_user() must be evaluated before the TTBR0
switch is done. Otherwise, if it is a function and the function sleeps,
the reserved TTBR0 will be restored when the process is switched in
again and the process will end up in an infinite loop of faults.
This problem was seen with the put_user() in schedule_tail(). A similar
fix was done for RISC-V in commit 285a76bb2cf51b0c74c634 ("riscv:
evaluate put_user() arg before enabling user access").
Fixes: f253d827f33cb5a5990 ("arm64: uaccess: refactor __{get,put}_user")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@...s.com>
---
arch/arm64/include/asm/uaccess.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 6e2e0b7031ab..96b26fa9d3d0 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -362,10 +362,11 @@ do { \
#define __put_user_error(x, ptr, err) \
do { \
__typeof__(*(ptr)) __user *__p = (ptr); \
+ __typeof__(*(__p)) __val = (x); \
might_fault(); \
if (access_ok(__p, sizeof(*__p))) { \
__p = uaccess_mask_ptr(__p); \
- __raw_put_user((x), __p, (err)); \
+ __raw_put_user(__val, __p, (err)); \
} else { \
(err) = -EFAULT; \
} \
--
2.33.1
Powered by blists - more mailing lists