Patch "x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-uaccess-fix-missed-zeroing-of-ia32-u64-get_user-.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7ab098cc736d580bb6cbc817254078874bced3a5
Author: Kees Cook <kees@xxxxxxxxxx>
Date:   Mon Jun 10 14:02:27 2024 -0700

    x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking
    
    [ Upstream commit 8c860ed825cb85f6672cd7b10a8f33e3498a7c81 ]
    
    When reworking the range checking for get_user(), the get_user_8() case
    on 32-bit wasn't zeroing the high register. (The jump to bad_get_user_8
    was accidentally dropped.) Restore the correct error handling
    destination (and rename the jump to using the expected ".L" prefix).
    
    While here, switch to using a named argument ("size") for the call
    template ("%c4" to "%c[size]") as already used in the other call
    templates in this file.
    
    Found after moving the usercopy selftests to KUnit:
    
          # usercopy_test_invalid: EXPECTATION FAILED at
          lib/usercopy_kunit.c:278
          Expected val_u64 == 0, but
              val_u64 == -60129542144 (0xfffffff200000000)
    
    Closes: https://lore.kernel.org/all/CABVgOSn=tb=Lj9SxHuT4_9MTjjKVxsq-ikdXC4kGHO4CfKVmGQ@xxxxxxxxxxxxxx
    Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()")
    Reported-by: David Gow <davidgow@xxxxxxxxxx>
    Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
    Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
    Reviewed-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
    Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@xxxxxxxxx>
    Tested-by: David Gow <davidgow@xxxxxxxxxx>
    Link: https://lore.kernel.org/all/20240610210213.work.143-kees%40kernel.org
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 0f9bab92a43d7..3a7755c1a4410 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -78,10 +78,10 @@ extern int __get_user_bad(void);
 	int __ret_gu;							\
 	register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX);		\
 	__chk_user_ptr(ptr);						\
-	asm volatile("call __" #fn "_%c4"				\
+	asm volatile("call __" #fn "_%c[size]"				\
 		     : "=a" (__ret_gu), "=r" (__val_gu),		\
 			ASM_CALL_CONSTRAINT				\
-		     : "0" (ptr), "i" (sizeof(*(ptr))));		\
+		     : "0" (ptr), [size] "i" (sizeof(*(ptr))));		\
 	instrument_get_user(__val_gu);					\
 	(x) = (__force __typeof__(*(ptr))) __val_gu;			\
 	__builtin_expect(__ret_gu, 0);					\
diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
index f6aad480febd3..6913fbce6544f 100644
--- a/arch/x86/lib/getuser.S
+++ b/arch/x86/lib/getuser.S
@@ -44,7 +44,11 @@
 	or %rdx, %rax
 .else
 	cmp $TASK_SIZE_MAX-\size+1, %eax
+.if \size != 8
 	jae .Lbad_get_user
+.else
+	jae .Lbad_get_user_8
+.endif
 	sbb %edx, %edx		/* array_index_mask_nospec() */
 	and %edx, %eax
 .endif
@@ -154,7 +158,7 @@ SYM_CODE_END(__get_user_handle_exception)
 #ifdef CONFIG_X86_32
 SYM_CODE_START_LOCAL(__get_user_8_handle_exception)
 	ASM_CLAC
-bad_get_user_8:
+.Lbad_get_user_8:
 	xor %edx,%edx
 	xor %ecx,%ecx
 	mov $(-EFAULT),%_ASM_AX




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux