From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:52574 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965552AbcIVPlm (ORCPT ); Thu, 22 Sep 2016 11:41:42 -0400 Subject: Patch "asm-generic: make get_user() clear the destination on errors" has been added to the 4.4-stable tree To: viro@zeniv.linux.org.uk, gregkh@linuxfoundation.org Cc: , From: Date: Thu, 22 Sep 2016 17:41:41 +0200 Message-ID: <147455890118132@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled asm-generic: make get_user() clear the destination on errors to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: asm-generic-make-get_user-clear-the-destination-on-errors.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Mon Sep 17 00:00:00 2001 From: Al Viro Date: Wed, 17 Aug 2016 23:19:01 -0400 Subject: asm-generic: make get_user() clear the destination on errors From: Al Viro commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream. both for access_ok() failures and for faults halfway through Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman --- include/asm-generic/uaccess.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/include/asm-generic/uaccess.h +++ b/include/asm-generic/uaccess.h @@ -230,14 +230,18 @@ extern int __put_user_bad(void) __attrib might_fault(); \ access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \ __get_user((x), (__typeof__(*(ptr)) *)__p) : \ - -EFAULT; \ + ((x) = (__typeof__(*(ptr)))0,-EFAULT); \ }) #ifndef __get_user_fn static inline int __get_user_fn(size_t size, const void __user *ptr, void *x) { - size = __copy_from_user(x, ptr, size); - return size ? -EFAULT : size; + size_t n = __copy_from_user(x, ptr, size); + if (unlikely(n)) { + memset(x + (size - n), 0, n); + return -EFAULT; + } + return 0; } #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k) Patches currently in stable-queue which might be from viro@zeniv.linux.org.uk are queue-4.4/nios2-copy_from_user-should-zero-the-tail-of-destination.patch queue-4.4/m32r-fix-__get_user.patch queue-4.4/microblaze-fix-copy_from_user.patch queue-4.4/cris-buggered-copy_from_user-copy_to_user-clear_user.patch queue-4.4/asm-generic-make-copy_from_user-zero-the-destination-properly.patch queue-4.4/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch queue-4.4/score-fix-__get_user-get_user.patch queue-4.4/parisc-fix-copy_from_user.patch queue-4.4/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch queue-4.4/alpha-fix-copy_from_user.patch queue-4.4/mn10300-failing-__get_user-and-get_user-should-zero.patch queue-4.4/openrisc-fix-copy_from_user.patch queue-4.4/avr32-fix-copy_from_user.patch queue-4.4/score-fix-copy_from_user-and-friends.patch queue-4.4/sh64-failing-__get_user-should-zero.patch queue-4.4/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch queue-4.4/hexagon-fix-strncpy_from_user-error-return.patch queue-4.4/frv-fix-clear_user.patch queue-4.4/fix-minor-infoleak-in-get_user_ex.patch queue-4.4/asm-generic-make-get_user-clear-the-destination-on-errors.patch queue-4.4/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch queue-4.4/s390-get_user-should-zero-on-failure.patch queue-4.4/microblaze-fix-__get_user.patch queue-4.4/blackfin-fix-copy_from_user.patch queue-4.4/fix-iov_iter_fault_in_readable.patch queue-4.4/nios2-fix-__get_user.patch queue-4.4/sh-fix-copy_from_user.patch