Patchwork [3.5.y.z,extended,stable] Patch "x86: Do not leak kernel page mapping locations" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Feb. 15, 2013, 5:02 p.m.
Message ID <>
Permalink /patch/221142/
State New


Herton Ronaldo Krzesinski - Feb. 15, 2013, 5:02 p.m.
This is a note to let you know that I have just added a patch titled

    x86: Do not leak kernel page mapping locations

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 3c9014cacfa265b3a2fb2dd09202b377895dcfab Mon Sep 17 00:00:00 2001
From: Kees Cook <>
Date: Thu, 7 Feb 2013 09:44:13 -0800
Subject: [PATCH] x86: Do not leak kernel page mapping locations

commit e575a86fdc50d013bf3ad3aa81d9100e8e6cc60d upstream.

Without this patch, it is trivial to determine kernel page
mappings by examining the error code reported to dmesg[1].
Instead, declare the entire kernel memory space as a violation
of a present page.

Additionally, since show_unhandled_signals is enabled by
default, switch branch hinting to the more realistic
expectation, and unobfuscate the setting of the PF_PROT bit to
improve readability.


Reported-by: Dan Rosenberg <>
Suggested-by: Brad Spengler <>
Signed-off-by: Kees Cook <>
Acked-by: H. Peter Anvin <>
Cc: Paul E. McKenney <>
Cc: Frederic Weisbecker <>
Cc: Eric W. Biederman <>
Cc: Linus Torvalds <>
Cc: Andrew Morton <>
Cc: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 arch/x86/mm/fault.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)



diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 76dcd9d..c6b10e2 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -747,13 +747,15 @@  __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
+		/* Kernel addresses are always protection faults: */
+		if (address >= TASK_SIZE)
+			error_code |= PF_PROT;

-		if (unlikely(show_unhandled_signals))
+		if (likely(show_unhandled_signals))
 			show_signal_msg(regs, error_code, address, tsk);

-		/* Kernel addresses are always protection faults: */
 		tsk->thread.cr2		= address;
-		tsk->thread.error_code	= error_code | (address >= TASK_SIZE);
+		tsk->thread.error_code	= error_code;
 		tsk->thread.trap_nr	= X86_TRAP_PF;

 		force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0);
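Review bot: the part of this hunk that actually closes the leak is the ordering, not the spelled-out constant: `error_code |= PF_PROT` for `address >= TASK_SIZE` now runs before `show_signal_msg(regs, error_code, address, tsk)`, so the error code that reaches dmesg no longer distinguishes a not-present kernel page from a protected one, whereas the removed `error_code | (address >= TASK_SIZE)` normalized only the copy stored in `tsk->thread.error_code` after the message had already been printed. Consider saying that in the comment above the new check (for example "set before show_signal_msg() so the logged error code does not reveal which kernel pages are present"), since a later reorder that moves the logging back above it would silently reintroduce the leak. Also note that the old expression relied on PF_PROT being bit 0 so that the boolean OR happened to set the right flag; `|= PF_PROT` makes that explicit, which is worth a word in the changelog for anyone comparing the two forms during backport review.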