From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=C2Kb=RG=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.5 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 42B58C43381
	for <stable@archiver.kernel.org>; Sun,  3 Mar 2019 18:06:10 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 0D65320866
	for <stable@archiver.kernel.org>; Sun,  3 Mar 2019 18:06:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1551636368;
	bh=bQiy8Ncvsix4/aMgG6UCzRZyX89D7VSXvMQ2K8CNFM4=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From;
	b=vtof0oVsREVYAQVJU+nyPDTh9zC6cpvL3Fj33ARcnYFOyW3FIBCzza27bPY1o9dyc
	 pPbVUsp5mH9ZGte1NOlIjoAF/vp9a2tndjcuI/dfeiJLFmfGxpYVaoMDvwJZN60AFW
	 apqS4486jBN5ihmd/Ny/m4QzZTzfl1OYNH5kYPp8=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726533AbfCCSGH (ORCPT <rfc822;stable@archiver.kernel.org>);
        Sun, 3 Mar 2019 13:06:07 -0500
Received: from mail.kernel.org ([198.145.29.99]:59398 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726416AbfCCSGH (ORCPT <rfc822;stable@vger.kernel.org>);
        Sun, 3 Mar 2019 13:06:07 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D9F2220835;
        Sun,  3 Mar 2019 18:06:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1551636366;
        bh=bQiy8Ncvsix4/aMgG6UCzRZyX89D7VSXvMQ2K8CNFM4=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=n1e10vpI6hwzyANhuZ0ev55y7uRxM3nSP7fSr4QSsfQQ8pDdTtPgML9w1UTSqL+5K
         N0VhKvZFFa3hOm2xmRSH/Un6ey1bu1wt1mttdUE/1pYBfzH95OW4aAMmc6PdFRxbS8
         jArG5R/bi/ZQqG4WVM9/6eDhoH3Gc4s0vgqcxDNE=
Date:   Sun, 3 Mar 2019 19:06:02 +0100
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     Maxim Zhukov <mussitantesmortem@gmail.com>
Cc:     Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Brian Gerst <brgerst@gmail.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Denys Vlasenko <dvlasenk@redhat.com>, stable@vger.kernel.org
Subject: Re: [PATCH-V2 v4.9] x86/uaccess: Don't leak the AC flag into
 __put_user() value evaluation
Message-ID: <20190303180602.GD16636@kroah.com>
References: <20190303164505.21532-1-mussitantesmortem@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190303164505.21532-1-mussitantesmortem@gmail.com>
User-Agent: Mutt/1.11.3 (2019-02-01)
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

On Sun, Mar 03, 2019 at 07:45:05PM +0300, Maxim Zhukov wrote:
> From: Andy Lutomirski <luto@kernel.org>
> 
> commit 2a418cf3f5f1caf911af288e978d61c9844b0695 upstream.
> 
> When calling __put_user(foo(), ptr), the __put_user() macro would call
> foo() in between __uaccess_begin() and __uaccess_end().  If that code
> were buggy, then those bugs would be run without SMAP protection.
> 
> Fortunately, there seem to be few instances of the problem in the
> kernel. Nevertheless, __put_user() should be fixed to avoid doing this.
> Therefore, evaluate __put_user()'s argument before setting AC.
> 
> This issue was noticed when an objtool hack by Peter Zijlstra complained
> about genregs_get() and I compared the assembly output to the C source.
> 
>  [ bp: Massage commit message and fixed up whitespace. ]
> 
> Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses")
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Brian Gerst <brgerst@gmail.com>
> Cc: Josh Poimboeuf <jpoimboe@redhat.com>
> Cc: Denys Vlasenko <dvlasenk@redhat.com>
> Cc: stable@vger.kernel.org
> Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org
> Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
> ---
>  arch/x86/include/asm/uaccess.h | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index a8d85a687cf4..20f86ae9d92f 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -292,7 +292,7 @@ do {									\
>  		__put_user_asm(x, ptr, retval, "l", "k", "ir", errret);	\
>  		break;							\
>  	case 8:								\
> -		__put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval,	\
> +		__put_user_asm_u64(x, ptr, retval,	\
>  				   errret);				\

That can all be on one line now :(

Let me go see if I can do the backport, it doesn't look that complex...

greg k-h