On Sun, 2016-11-13 at 18:14 -0800, Linus Torvalds wrote:
> No, this is no good.
>
> I had a slightly different version of this that is OK for older
> kernels.
And I thought I'd dropped this after you mentioned the problem at
Kernel Summit. Thanks for checking.
Sasha, this still needs to be reverted in 3.18 and 4.1 stable branches.
Ben.
> Linus
>
> On Nov 13, 2016 6:04 PM, "Ben Hutchings" <ben@xxxxxxxxxxxxxxx> wrote:
>
> > 3.16.39-rc1 review patch. If anyone has any objections, please let me
> > know.
> >
> > ------------------
> >
> > From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> >
> > commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.
> >
> > get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak
> > (at most we are leaking uninitialized 64bit value off the kernel stack,
> > and in a fairly constrained situation, at that), but the fix is trivial,
> > so...
> >
> > > Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> > [ This sat in different branch from the uaccess fixes since mid-August ]
> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> > Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> > ---
> > arch/x86/include/asm/uaccess.h | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > --- a/arch/x86/include/asm/uaccess.h
> > +++ b/arch/x86/include/asm/uaccess.h
> > @@ -391,7 +391,11 @@ do {
> > \
> > #define __get_user_asm_ex(x, addr, itype, rtype, ltype)
> > \
> > asm volatile("1: mov"itype" %1,%"rtype"0\n" \
> > "2:\n" \
> > - _ASM_EXTABLE_EX(1b, 2b) \
> > + ".section .fixup,\"ax\"\n" \
> > + "3:xor"itype" %"rtype"0,%"rtype"0\n" \
> > + " jmp 2b\n" \
> > + ".previous\n" \
> > + _ASM_EXTABLE_EX(1b, 3b) \
> > : ltype(x) : "m" (__m(addr)))
> >
> > #define __put_user_nocheck(x, ptr, size) \
> >
> >
--
Ben Hutchings
If more than one person is responsible for a bug, no one is at fault.
Attachment:
signature.asc
Description: This is a digitally signed message part