[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20241109210313.440495-1-mikel@mikelr.com>
Date: Sat, 9 Nov 2024 16:03:12 -0500
From: Mikel Rychliski <mikel@...elr.com>
To: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>
Cc: Mikel Rychliski <mikel@...elr.com>,
linux-kernel@...r.kernel.org
Subject: [PATCH] x86: Fix off-by-one error in __access_ok
We were checking one byte beyond the actual range that would be accessed.
Originally, valid_user_address would consider the user guard page to be
valid, so checks including the final accessible byte would still succeed.
However, after commit 86e6b1547b3d ("x86: fix user address masking
non-canonical speculation issue") this is no longer the case.
Update the logic to always consider the final address in the range.
Fixes: 86e6b1547b3d ("x86: fix user address masking non-canonical speculation issue")
Signed-off-by: Mikel Rychliski <mikel@...elr.com>
---
arch/x86/include/asm/uaccess_64.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
index b0a887209400..3e0eb72c036f 100644
--- a/arch/x86/include/asm/uaccess_64.h
+++ b/arch/x86/include/asm/uaccess_64.h
@@ -100,9 +100,11 @@ static inline bool __access_ok(const void __user *ptr, unsigned long size)
if (__builtin_constant_p(size <= PAGE_SIZE) && size <= PAGE_SIZE) {
return valid_user_address(ptr);
} else {
- unsigned long sum = size + (__force unsigned long)ptr;
+ unsigned long end = (__force unsigned long)ptr;
- return valid_user_address(sum) && sum >= (__force unsigned long)ptr;
+ if (size)
+ end += size - 1;
+ return valid_user_address(end) && end >= (__force unsigned long)ptr;
}
}
#define __access_ok __access_ok
--
2.47.0
Powered by blists - more mailing lists