Patch "x86: fix off-by-one in access_ok()" has been added to the 6.11-stable tree

This is a note to let you know that I've just added the patch titled

    x86: fix off-by-one in access_ok()

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-fix-off-by-one-in-access_ok.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 42d0bdd0b24e03f989bbb5197e0b5d1e77d8f54a
Author: David Laight <David.Laight@xxxxxxxxxx>
Date:   Sun Nov 24 15:39:00 2024 +0000

    x86: fix off-by-one in access_ok()
    
    [ Upstream commit 573f45a9f9a47fed4c7957609689b772121b33d7 ]
    
    When the size isn't a small constant, __access_ok() will call
    valid_user_address() with the address after the last byte of the user
    buffer.
    
    It is valid for a buffer to end with the last valid user address so
    valid_user_address() must allow accesses to the base of the guard page.
    
    [ This introduces an off-by-one in the other direction for the plain
      non-sized accesses, but since we have that guard region that is a
      whole page, those checks "allowing" accesses to that guard region
      don't really matter. The access will fault anyway, whether to the
      guard page or if the address has been masked to all ones - Linus ]
    
    Fixes: 86e6b1547b3d0 ("x86: fix user address masking non-canonical speculation issue")
    Signed-off-by: David Laight <david.laight@xxxxxxxxxx>
    Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
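
To see concretely why USER_PTR_MAX has to be TASK_SIZE_MAX rather than TASK_SIZE_MAX-1, here is an added, constructed model of the boundary check. It is my code, not the kernel's: the three helpers mirror my reading of the x86-64 valid_user_address(), __access_ok() and mask_user_address() helpers under 4-level paging (47-bit user space), and the names access_ok_small, access_ok_sized, OLD_USER_PTR_MAX, NEW_USER_PTR_MAX and report are mine. It runs the same boundary cases through both values of the constant: a buffer ending on the last valid user byte, one spilling into the guard page, a wrapped ptr+size, and the plain unsized check at the guard-page base that the bracketed note above refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the x86-64 user-pointer range check.  These are
 * NOT the kernel's helpers; they mirror my reading of valid_user_address(),
 * __access_ok() and mask_user_address() so the boundary can be exercised
 * on any host.  Values assume 4-level paging (47-bit user space).
 */
#define PAGE_SIZE      UINT64_C(4096)
/* Top of the user range; the page starting here is the guard page. */
#define TASK_SIZE_MAX  ((UINT64_C(1) << 47) - PAGE_SIZE)

/* USER_PTR_MAX before and after the patch. */
#define OLD_USER_PTR_MAX (TASK_SIZE_MAX - 1)
#define NEW_USER_PTR_MAX (TASK_SIZE_MAX)

/* An address passes if it does not exceed USER_PTR_MAX (inclusive bound). */
static bool valid_user_address(uint64_t x, uint64_t user_ptr_max)
{
	return x <= user_ptr_max;
}

/* Small-constant-size path of __access_ok(): only the start address is
 * checked; the guard page catches any spill past the end. */
static bool access_ok_small(uint64_t ptr, uint64_t user_ptr_max)
{
	return valid_user_address(ptr, user_ptr_max);
}

/* General path of __access_ok(): check the address one past the last byte
 * of the buffer, and reject a sum that wrapped around. */
static bool access_ok_sized(uint64_t ptr, uint64_t size, uint64_t user_ptr_max)
{
	uint64_t sum = ptr + size;

	return valid_user_address(sum, user_ptr_max) && sum >= ptr;
}

/* Model of the cmp/sbb masking: an out-of-range pointer becomes all ones,
 * which faults just as an access to the guard page would. */
static uint64_t mask_user_address(uint64_t ptr, uint64_t user_ptr_max)
{
	return ptr > user_ptr_max ? ~UINT64_C(0) : ptr;
}

static void report(const char *what, bool old_ok, bool new_ok)
{
	printf("%-50s old(TASK_SIZE_MAX-1): %-8s new(TASK_SIZE_MAX): %s\n",
	       what, old_ok ? "allowed" : "rejected",
	       new_ok ? "allowed" : "rejected");
}

int main(void)
{
	/* 16-byte buffer whose last byte is the last valid user address. */
	uint64_t last16 = TASK_SIZE_MAX - 16;

	report("sized: buffer ending at last valid byte",
	       access_ok_sized(last16, 16, OLD_USER_PTR_MAX),
	       access_ok_sized(last16, 16, NEW_USER_PTR_MAX));
	report("sized: buffer spilling one byte into guard page",
	       access_ok_sized(last16 + 1, 16, OLD_USER_PTR_MAX),
	       access_ok_sized(last16 + 1, 16, NEW_USER_PTR_MAX));
	report("sized: ptr+size wraps around",
	       access_ok_sized(~UINT64_C(0) - 8, 32, OLD_USER_PTR_MAX),
	       access_ok_sized(~UINT64_C(0) - 8, 32, NEW_USER_PTR_MAX));
	report("unsized: last valid byte",
	       access_ok_small(TASK_SIZE_MAX - 1, OLD_USER_PTR_MAX),
	       access_ok_small(TASK_SIZE_MAX - 1, NEW_USER_PTR_MAX));
	report("unsized: base of guard page (faults either way)",
	       access_ok_small(TASK_SIZE_MAX, OLD_USER_PTR_MAX),
	       access_ok_small(TASK_SIZE_MAX, NEW_USER_PTR_MAX));
	printf("masked kernel-half pointer: %#llx\n",
	       (unsigned long long)mask_user_address(UINT64_C(0xffff888000000000),
						     NEW_USER_PTR_MAX));
	return 0;
}
```

With the old value the sized path rejects a legitimate buffer that ends on the last user byte, while the small-size path accepts the very same start address, so the two paths disagree. With the new value they agree, and the only thing newly allowed is an unsized access to the guard-page base, which faults. The wrap-around case shows why the `sum >= ptr` test is needed regardless of which constant is used.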

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index c472282ab40fd..fd89f1c65c947 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -2374,12 +2374,12 @@ void __init arch_cpu_finalize_init(void)
 	alternative_instructions();
 
 	if (IS_ENABLED(CONFIG_X86_64)) {
-		unsigned long USER_PTR_MAX = TASK_SIZE_MAX-1;
+		unsigned long USER_PTR_MAX = TASK_SIZE_MAX;
 
 		/*
 		 * Enable this when LAM is gated on LASS support
 		if (cpu_feature_enabled(X86_FEATURE_LAM))
-			USER_PTR_MAX = (1ul << 63) - PAGE_SIZE - 1;
+			USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;
 		 */
 		runtime_const_init(ptr, USER_PTR_MAX);
 
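Review bot: with `unsigned long USER_PTR_MAX = TASK_SIZE_MAX;` the variable no longer names the last valid user address but the first byte of the guard page, and nothing at the definition says so; a one-line comment above that line stating that valid_user_address() deliberately accepts the guard-page base so the sized __access_ok() path can pass ptr+size would stop the next reader from "fixing" it back to TASK_SIZE_MAX-1. Changing the commented-out LAM value to `(1ul << 63) - PAGE_SIZE` in the same hunk is the right call, since enabling that block later would otherwise reintroduce the off-by-one; the same comment could explain that both constants share this one-past-the-end meaning.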



