On Fri, Aug 02, 2024 at 04:45:48PM -0600, lugomgom wrote:
> From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>
> commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream.
>
> There is a dead-lock in the hwrng device read path. This triggers
> when the user reads from /dev/hwrng into memory also mmap-ed from
> /dev/hwrng. The resulting page fault triggers a recursive read
> which then dead-locks.
>
> Fix this by using a stack buffer when calling copy_to_user.
>
> Reported-by: Edward Adam Davis <eadavis@xxxxxx>
> Reported-by: syzbot+c52ab18308964d248092@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array")
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> (cherry picked from commit eafd83b92f6c044007a3591cbd476bcf90455990)
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> (cherry picked from commit 581445afd04cac92963d8b56b3eea08b320d6330)
>
> Orabug: 36806668
> CVE: CVE-2023-52615
>
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
> Reviewed-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@xxxxxxxxxx>
>
> Conflicts:
> drivers/char/hw_random/core.c -- Minor contextual conflicts due
> to missing commit: affdec58dafc ("hwrng: core - Replace asm/uaccess.h by
> linux/uaccess.h") in UEK4, and it is not a candidate for backporting, so
> resolved conflicts instead
>
> Signed-off-by: Alok Tiwari <alok.a.tiwari@xxxxxxxxxx>
> ---
> drivers/char/hw_random/core.c | 34 +++++++++++++++++++++-------------
> 1 file changed, 21 insertions(+), 13 deletions(-)
Why are you resending this to us after it is already in the kernel tree?
What are we supposed to do with it?
confused,
greg k-h
