[Trusty,SRU,1/1] fix minor infoleak in get_user_ex()

Message ID 20170905084327.25062-2-kleber.souza@canonical.com
State New
Series
  • Fix for CVE-2016-9178

Commit Message

Kleber Souza Sept. 5, 2017, 8:43 a.m.
From: Al Viro <viro@ZenIV.linux.org.uk>

CVE-2016-9178

get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
(at most we are leaking uninitialized 64bit value off the kernel stack,
and in a fairly constrained situation, at that), but the fix is trivial,
so...

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ This sat in different branch from the uaccess fixes since mid-August ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 arch/x86/include/asm/uaccess.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Colin King Sept. 5, 2017, 8:51 a.m. | #1
On 05/09/17 09:43, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro@ZenIV.linux.org.uk>
> 
> CVE-2016-9178
> 
> get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
> (at most we are leaking uninitialized 64bit value off the kernel stack,
> and in a fairly constrained situation, at that), but the fix is trivial,
> so...
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> [ This sat in different branch from the uaccess fixes since mid-August ]
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
> ---
>  arch/x86/include/asm/uaccess.h | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 8ec57c07b125..20e5bacf961c 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -383,7 +383,11 @@ do {									\
>  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
>  	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
>  		     "2:\n"						\
> -		     _ASM_EXTABLE_EX(1b, 2b)				\
> +		     ".section .fixup,\"ax\"\n"				\
> +                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
> +		     "  jmp 2b\n"					\
> +		     ".previous\n"					\
> +		     _ASM_EXTABLE_EX(1b, 3b)				\
>  		     : ltype(x) : "m" (__m(addr)))
>  
>  #define __put_user_nocheck(x, ptr, size)			\
> 
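Review bot: The new `.fixup` block at label `3:` carries no comment saying why the destination register is cleared, so a reader of the macro alone cannot tell this is an infoleak fix rather than an arbitrary fault path. Suggest a short comment above `__get_user_asm_ex` stating that a faulting load leaves x zeroed so stale kernel stack contents are never handed back, as the commit message already explains.
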
Clean cherry pick, looks good to me.

Acked-by: Colin Ian King <colin.king@canonical.com>
Stefan Bader Sept. 5, 2017, 1:03 p.m. | #2
On 05.09.2017 10:43, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro@ZenIV.linux.org.uk>
> 
> CVE-2016-9178
> 
> get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
> (at most we are leaking uninitialized 64bit value off the kernel stack,
> and in a fairly constrained situation, at that), but the fix is trivial,
> so...
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> [ This sat in different branch from the uaccess fixes since mid-August ]
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---
>  arch/x86/include/asm/uaccess.h | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 8ec57c07b125..20e5bacf961c 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -383,7 +383,11 @@ do {									\
>  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
>  	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
>  		     "2:\n"						\
> -		     _ASM_EXTABLE_EX(1b, 2b)				\
> +		     ".section .fixup,\"ax\"\n"				\
> +                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
> +		     "  jmp 2b\n"					\
> +		     ".previous\n"					\
> +		     _ASM_EXTABLE_EX(1b, 3b)				\
>  		     : ltype(x) : "m" (__m(addr)))
>  
>  #define __put_user_nocheck(x, ptr, size)			\
>
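Review bot: In the fixup line `3:xor"itype" %"rtype"0,%"rtype"0` the clear is sized by the same `itype`/`rtype` pair as the load, so for sub-word accesses only that part of the register is zeroed. That matches what the `mov` at `1:` would have written, but it is worth confirming that every user of this macro reads x at the access width and no wider; any bits outside that width would still be uninitialized after a fault.
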
Kleber Souza Sept. 5, 2017, 2:23 p.m. | #3
Applied to trusty/master-next branch. Thanks.

Patch

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 8ec57c07b125..20e5bacf961c 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -383,7 +383,11 @@  do {									\
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
 	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
 		     "2:\n"						\
-		     _ASM_EXTABLE_EX(1b, 2b)				\
+		     ".section .fixup,\"ax\"\n"				\
+                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
+		     "  jmp 2b\n"					\
+		     ".previous\n"					\
+		     _ASM_EXTABLE_EX(1b, 3b)				\
 		     : ltype(x) : "m" (__m(addr)))
 
 #define __put_user_nocheck(x, ptr, size)			\
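
Review bot: The added `"3:xor"itype" ...` line is indented with spaces, while the other lines of the asm string around it use tabs, and unlike the `"  jmp 2b\n"` line below it the instruction is not separated from its label. Since this is a cherry-pick, keeping the line byte-identical to the upstream commit is reasonable for the SRU; the whitespace cleanup (tabs, and a space after `3:`) is better raised against the original commit than changed here.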