From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lukasz Odzioba <lukasz.odzioba@intel.com>,
	Borislav Petkov <bp@suse.de>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	andi.kleen@intel.com, bp@alien8.de, dave.hansen@linux.intel.com,
	luto@kernel.org, slaoub@gmail.com, Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 4.4 34/48] x86/cpu: Fix bootup crashes by sanitizing the argument of the clearcpuid= command-line option
Date: Wed, 18 Jan 2017 11:46:43 +0100
Message-ID: <20170118104626.979931109@linuxfoundation.org>
In-Reply-To: <20170118104625.550018627@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukasz Odzioba <lukasz.odzioba@intel.com>

commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.

A negative number can be specified in the cmdline which will be used as
setup_clear_cpu_cap() argument. With that we can clear/set some bit in
memory preceding boot_cpu_data/cpu_caps_cleared which may cause kernel
to misbehave. This patch adds lower bound check to setup_disablecpuid().

Boris Petkov reproduced a crash:

  [    1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
  [    1.236535] IP: memcpy_erms+0x6/0x10

Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
Acked-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: andi.kleen@intel.com
Cc: bp@alien8.de
Cc: dave.hansen@linux.intel.com
Cc: luto@kernel.org
Cc: slaoub@gmail.com
Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Link: http://lkml.kernel.org/r/1482933340-11857-1-git-send-email-lukasz.odzioba@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1129,7 +1129,7 @@ static __init int setup_disablecpuid(cha
 {
 	int bit;
 
-	if (get_option(&arg, &bit) && bit < NCAPINTS*32)
+	if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
 		setup_clear_cpu_cap(bit);
 	else
 		return 0;
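
Review bot: the `else` branch still returns 0 without any message, so a clearcpuid= value rejected by the new `bit >= 0` test (or by the existing upper bound) is dropped with no trace in the boot log. Consider a pr_warn in that branch that prints the rejected value, so an administrator can tell the option was ignored rather than applied. Since `bit` is a signed int filled in by get_option(), a short comment on the condition saying that both bounds are required would also help keep the lower bound from being dropped in a later cleanup. The spacing change from `NCAPINTS*32` to `NCAPINTS * 32` on the same line is unrelated to the fix and could be mentioned in the changelog.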
