From patchwork Tue Sep  5 08:43:27 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
X-Patchwork-Id: 810000
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3xmgGy1w1hz9sNq;
	Tue,  5 Sep 2017 18:43:38 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1dp9SI-0005j4-Rh; Tue, 05 Sep 2017 08:43:34 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)
	id 1dp9SH-0005iR-2n
	for kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 08:43:33 +0000
Received: from mail-wm0-f71.google.com ([74.125.82.71])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)
	id 1dp9SG-0001Gs-Rq
	for kernel-team@lists.ubuntu.com; Tue, 05 Sep 2017 08:43:32 +0000
Received: by mail-wm0-f71.google.com with SMTP id l19so3240428wmi.1
	for <kernel-team@lists.ubuntu.com>;
	Tue, 05 Sep 2017 01:43:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=VYjE4JRpjPV+wZ6uNFInaNIVs6NnDQn7TPwakF3i3oM=;
	b=Sm5aZUSvqD7JprvFZw3moGDYTPGP7YoEmXNCJQJwVx9usn837EIeV5NFhefHmI4qbi
	rcFwUE8xJNqfcdS14Eu3vM6lHiMaBO3wztTLDGdzo0ouUU1HGOqBd5mLduA7zCOl0d50
	wk8II3wgbIA7PVyGASFU83lxsbPtkj3h1250+PqCotXbAk6TEjfZfyDfAzc54JYeuLMB
	Vii9yPNy/ykUvJoPZOQjvWQi3ZJp1F2Gj07QFfJCK7sQr7B5BJ67V3j+sB4ZO3pfisd3
	+x1dNQ8PYNfxidvxkDM0xfoV640q1I+FUiLSv309ru/UrUSLSESdI59Nws6eBj2KlDQA
	/49g==
X-Gm-Message-State: AHPjjUgAOSG4GIPjv/xMlyCxkanY/rQcHYaTYPOfOI1eUZChhXcemTYG
	FwOI3CqoK8757TCwidNNVSOL8nI4qSWhwlYxlbSE3eHRvkxdeR/9v6A4Q1jguBl+YYMky0G9qlR
	U+CjncSFsaS/UOrCrp/WoLjJW36defWVy
X-Received: by 10.80.148.239 with SMTP id t44mr2682494eda.108.1504601012300;
	Tue, 05 Sep 2017 01:43:32 -0700 (PDT)
X-Google-Smtp-Source: 
 ADKCNb7B4W4n7tml3UzF0R7KmiPv12GuYrPB6f77zxpiEELGVtFnNBEyLMVbZZPdsTtrewBT38T9Yg==
X-Received: by 10.80.148.239 with SMTP id t44mr2682488eda.108.1504601012090;
	Tue, 05 Sep 2017 01:43:32 -0700 (PDT)
Received: from localhost (ip5f5bd015.dynamic.kabel-deutschland.de.
	[95.91.208.21]) by smtp.gmail.com with ESMTPSA id
	r14sm21620edd.56.2017.09.05.01.43.30
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Tue, 05 Sep 2017 01:43:31 -0700 (PDT)
From: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [Trusty SRU][PATCH 1/1] fix minor infoleak in get_user_ex()
Date: Tue,  5 Sep 2017 10:43:27 +0200
Message-Id: <20170905084327.25062-2-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20170905084327.25062-1-kleber.souza@canonical.com>
References: <20170905084327.25062-1-kleber.souza@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Al Viro <viro@ZenIV.linux.org.uk>

CVE-2016-9178

get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
(at most we are leaking uninitialized 64bit value off the kernel stack,
and in a fairly constrained situation, at that), but the fix is trivial,
so...

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ This sat in different branch from the uaccess fixes since mid-August ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/uaccess.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 8ec57c07b125..20e5bacf961c 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -383,7 +383,11 @@ do {									\
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
 	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
 		     "2:\n"						\
-		     _ASM_EXTABLE_EX(1b, 2b)				\
+		     ".section .fixup,\"ax\"\n"				\
+                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
+		     "  jmp 2b\n"					\
+		     ".previous\n"					\
+		     _ASM_EXTABLE_EX(1b, 3b)				\
 		     : ltype(x) : "m" (__m(addr)))
 
 #define __put_user_nocheck(x, ptr, size)			\