From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Peter Zijlstra <peterz@infradead.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	broonie@kernel.org, sfr@canb.auug.org.au,
	akpm@linux-foundation.org, mhocko@suse.cz,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.9 3/6] x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation
Date: Mon,  9 Sep 2019 11:42:02 -0400
Message-ID: <20190909154205.31376-3-sashal@kernel.org>
In-Reply-To: <20190909154205.31376-1-sashal@kernel.org>

From: Peter Zijlstra <peterz@infradead.org>

[ Upstream commit 9b8bd476e78e89c9ea26c3b435ad0201c3d7dbf5 ]

Identical to __put_user(); the __get_user() argument evaluation will too
leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
While uncommon this was observed to happen for:

  drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))

where UBSAN added array bound checking.

This complements commit:

  6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")

Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: broonie@kernel.org
Cc: sfr@canb.auug.org.au
Cc: akpm@linux-foundation.org
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: mhocko@suse.cz
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lkml.kernel.org/r/20190829082445.GM2369@hirez.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/include/asm/uaccess.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 2177c7551ff77..9db8d8758ed3b 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -438,8 +438,10 @@ do {									\
 ({									\
 	int __gu_err;							\
 	__inttype(*(ptr)) __gu_val;					\
+	__typeof__(ptr) __gu_ptr = (ptr);				\
+	__typeof__(size) __gu_size = (size);				\
 	__uaccess_begin_nospec();					\
-	__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);	\
+	__get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT);	\
 	__uaccess_end();						\
 	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
 	__builtin_expect(__gu_err, 0);					\
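
Review bot: the new locals `__gu_ptr` and `__gu_size` at the top of the statement expression carry the whole fix, yet nothing in the macro says they must be evaluated before `__uaccess_begin_nospec()`. Without a comment, a later cleanup could fold `(ptr)` and `(size)` back into the `__get_user_size()` call and put instrumented argument evaluation (the UBSAN array bound check named in the commit message) back between `__uaccess_begin_nospec()` and `__uaccess_end()`. A one-line comment above the two declarations would guard against that. The remaining `(ptr)` on the `(x) = ...` line only appears inside `__typeof__` and comes after `__uaccess_end()`, so it needs no change. Since the message says this complements 6ae865615fc4, it is also worth confirming that commit is in the 4.9 queue so that `__put_user()` gets the same treatment.
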
-- 
2.20.1

