From: Greg KH <greg@kroah.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Joe Korty <joe.korty@ccur.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Sasha Levin <alexander.levin@verizon.com>,
stable <stable@vger.kernel.org>
Subject: Re: [4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex()
Date: Fri, 28 Oct 2016 17:29:47 -0400 [thread overview]
Message-ID: <20161028212947.GA25964@kroah.com> (raw)
In-Reply-To: <20161028194958.GP19539@ZenIV.linux.org.uk>
On Fri, Oct 28, 2016 at 08:49:58PM +0100, Al Viro wrote:
> On Fri, Oct 28, 2016 at 11:21:24AM -0700, Linus Torvalds wrote:
>
> > End result: either commit 1c109fabbd51 shouldn't be backported (it's
> > really not that important - if people properly check the exception
> > error results it shouldn't matter), or you need to also backport
> > 548acf19234d as Al suggested.
> >
> > I'd be inclined to say "don't backport 1c109fabbd51", but it's really
> > a judgment call.
>
> *nod*
>
> FWIW, that infoleak _does_ allow to leak an uninitialized word into
> coredump (in sigreturn the value from uninitialized local variable is
> copied into pt_regs of process and when we eventually check that error
> has happened and hit the sucker with SIGSEGV, that value gets stored into
> the coredump), but in the worst case that's 64 bits leaked from fixed depth
> in the kernel stack of attacker's process, with fixed call chain.
>
> I very much doubt that it's escalatable to anything practically interesting.
> If spender et.al. can come up with a usable way to escalate that, I would be
> quite surprised (and would love to see the details), but hey, it might be
> possible. More likely possibility is that the bug is harmless in practice.
Hm, I think I'll backport 548acf19234d to 4.4-stable, as people have
shown that leaking anything can be used in odd ways that they shouldn't
be, just to be "safe" :)
thanks for the heads up.
greg k-h
next prev parent reply other threads:[~2016-10-28 21:29 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161027193210.GA23006@zipoli.ccur.com>
2016-10-28 0:03 ` BUGreport: fix minor infoleak in get_user_ex() Al Viro
2016-10-28 2:02 ` [4.1 backport trouble] " Al Viro
[not found] ` <20161028164033.GA29952@zipoli.ccur.com>
2016-10-28 18:21 ` Linus Torvalds
2016-10-28 19:49 ` Al Viro
2016-10-28 21:29 ` Greg KH [this message]
2016-10-28 19:34 ` Al Viro
2016-10-30 18:16 ` Levin, Alexander
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161028212947.GA25964@kroah.com \
--to=greg@kroah.com \
--cc=alexander.levin@verizon.com \
--cc=joe.korty@ccur.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.