From: Al Viro <viro@ZenIV.linux.org.uk>
To: Joe Korty <joe.korty@ccur.com>
Cc: linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <alexander.levin@verizon.com>
Subject: Re: [4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex()
Date: Fri, 28 Oct 2016 20:34:24 +0100 [thread overview]
Message-ID: <20161028193423.GO19539@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20161028164033.GA29952@zipoli.ccur.com>
On Fri, Oct 28, 2016 at 12:40:33PM -0400, Joe Korty wrote:
> Backporting 548acf19234d to 4.1.35 does indeed fix the
> issue. However, it is not clear to my _why_ it works,
> so it might be better that someone else push the backport
> to stable.
Because the trick used in fixup_exception() prior to that commit depended
upon the handler being very close to faulting instruction.
# define _ASM_EXTABLE_EX(from,to) \
.pushsection "__ex_table","a" ; \
.balign 8 ; \
.long (from) - . ; \
.long (to) - . + 0x7ffffff0 ; \
.popsection
puts a recognizable value (handler + offset a bit under 2G) into
->fixup and in fixup_exception() we had
if (fixup->fixup - fixup->insn >= 0x7ffffff0 - 4) {
/* Special hack for uaccess_err */
current_thread_info()->uaccess_err = 1;
new_ip -= 0x7ffffff0;
}
checking that the value in ->fixup is just below 2G from the faulting
instruction. So _ASM_EXTABLE_EX relied upon the handler very close to
the faulting insn, and worked only because all of its uses had
been "set the ->uaccess_err and continue immediately past the faulting
insn". When the kludge in fixup_exception() had been eliminated
(check what it and _ASM_EXTABLE_EX do these days) this restriction has
disappeared, so the mainline commit had no problems. Backport to 4.1
had it run afoul of that restriction, with the results you've observed -
this "handler + constant offset" had _not_ been recognized as that magic and
had been interpreted as handler being about 2G away from its actual location.
That's where the bogus RIP in your oopsen have come from.
next prev parent reply other threads:[~2016-10-28 19:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161027193210.GA23006@zipoli.ccur.com>
2016-10-28 0:03 ` BUGreport: fix minor infoleak in get_user_ex() Al Viro
2016-10-28 2:02 ` [4.1 backport trouble] " Al Viro
[not found] ` <20161028164033.GA29952@zipoli.ccur.com>
2016-10-28 18:21 ` Linus Torvalds
2016-10-28 19:49 ` Al Viro
2016-10-28 21:29 ` Greg KH
2016-10-28 19:34 ` Al Viro [this message]
2016-10-30 18:16 ` Levin, Alexander
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161028193423.GO19539@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=alexander.levin@verizon.com \
--cc=joe.korty@ccur.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.