On Wed, Feb 21, 2024 at 09:29:08PM +0100, Thomas Gleixner wrote:
>
> From: Andrei Vagin <avagin@xxxxxxxxxx>
>
> Before this change, the expected size of the user space buffer was
> taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
> from user-space, so it is possible to construct a sigreturn frame where:
>
> * fx_sw->xstate_size is smaller than the size required by valid bits in
>   fx_sw->xfeatures.
> * user-space unmaps parts of the sigframe fpu buffer so that not all of
>   the buffer required by xrstor is accessible.
>
> In this case, xrstor tries to restore and accesses the unmapped area
> which results in a fault. But fault_in_readable succeeds because buf +
> fx_sw->xstate_size is within the still mapped area, so it goes back and
> tries xrstor again. It will spin in this loop forever.
>
> Instead, fault in the maximum size which can be touched by XRSTOR (taken
> from fpstate->user_size).
>
> [ dhansen: tweak subject / changelog ]
> [ tglx: Backport to 5.15 stable ]
>
> Fixes: fcb3635f5018 ("x86/fpu/signal: Handle #PF in the direct restore path")
> Reported-by: Konstantin Bogomolov <bogomolov@xxxxxxxxxx>
> Suggested-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Signed-off-by: Andrei Vagin <avagin@xxxxxxxxxx>
> Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Link: https://lore.kernel.org/all/20240130063603.3392627-1-avagin%40google.com
> ---
>  arch/x86/kernel/fpu/signal.c | 12 +++++-------
>  1 file changed, 5 insertions(+), 7 deletions(-)

Nit, you forgot to give me a hint what the git id was :(

I figured it out, now queued up, thanks.

greg k-h
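The retry loop the changelog above describes, modelled in user space as an added example (this is not the kernel's signal.c code and not part of the thread). The model assumes one contiguous readable range starting at the frame's FPU buffer (MAPPED_BYTES), an assumed fpstate->user_size of 1024 bytes, a constructed frame whose xfeatures bits make XRSTOR touch 768 bytes while fx_sw->xstate_size claims 256, and a retry cap so the "spins forever" case terminates and can be observed. With the user-controlled size, fault_in_readable keeps succeeding and the loop never exits; with the kernel's maximum size it returns -EFAULT on the first pass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not kernel code. The "user mapping" is a single readable
 * range [0, MAPPED_BYTES); the sigframe FPU buffer starts at offset 0 and the
 * remainder of it has been unmapped by the (hypothetical) user program. */
#define MAPPED_BYTES 512u   /* assumed: bytes of the buffer still mapped */
#define USER_SIZE    1024u  /* assumed: fpstate->user_size, max XRSTOR can touch */
#define RETRY_CAP    8      /* bound the loop so the model terminates */

enum { RES_OK = 0, RES_EFAULT = -14, RES_SPIN = -1000 };

static bool region_readable(size_t off, size_t len)
{
    return off + len <= MAPPED_BYTES;   /* sizes are small; no overflow */
}

/* Models fault_in_readable(buf, size): succeeds iff [buf, buf+size) is mapped. */
static bool model_fault_in_readable(size_t size)
{
    return region_readable(0, size);
}

/* Models XRSTOR: it touches every byte the xfeatures mask requires, which in
 * the constructed frame is more than fx_sw->xstate_size claims. */
static int model_xrstor(size_t bytes_required)
{
    return region_readable(0, bytes_required) ? RES_OK : RES_EFAULT; /* #PF */
}

/* The direct-restore retry loop: on #PF, fault in fault_in_size bytes and,
 * if that succeeds, try XRSTOR again. Returns RES_SPIN if the cap is hit,
 * which stands in for the real loop never terminating. */
static int restore_loop(size_t xrstor_touches, size_t fault_in_size)
{
    for (int attempt = 0; attempt < RETRY_CAP; attempt++) {
        int ret = model_xrstor(xrstor_touches);
        if (ret == RES_OK)
            return RES_OK;
        if (!model_fault_in_readable(fault_in_size))
            return RES_EFAULT;   /* genuinely unmapped: give up */
        /* fault-in "succeeded", so retry, exactly as the old code did */
    }
    return RES_SPIN;
}

/* Before the fix: the size faulted in is fx_sw->xstate_size, user controlled. */
int restore_before_fix(size_t user_xstate_size, size_t xrstor_touches)
{
    return restore_loop(xrstor_touches, user_xstate_size);
}

/* After the fix: the size faulted in is fpstate->user_size, the kernel's bound
 * on what XRSTOR can touch, so a short mapping is caught on the first pass. */
int restore_after_fix(size_t xrstor_touches)
{
    return restore_loop(xrstor_touches, USER_SIZE);
}

int main(void)
{
    /* Constructed frame: xstate_size says 256, xfeatures need 768, 512 mapped. */
    printf("before fix: %d (RES_SPIN = %d)\n", restore_before_fix(256, 768), RES_SPIN);
    printf("after fix:  %d (RES_EFAULT = %d)\n", restore_after_fix(768), RES_EFAULT);
    printf("honest frame after fix: %d\n", restore_after_fix(256));
    return 0;
}
```

The point the model makes explicit: the fault-in check only terminates the loop if it covers the largest range the retried instruction can touch, so that range must come from a kernel-owned value, not from a field the signal frame's author controls.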