From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:45318 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753121AbeDEUBq (ORCPT ); Thu, 5 Apr 2018 16:01:46 -0400 Subject: Patch "/dev/mem: Avoid overwriting "err" in read_mem()" has been added to the 4.16-stable tree To: keescook@chromium.org, gregkh@linuxfoundation.org, spender@grsecurity.net Cc: , From: Date: Thu, 05 Apr 2018 22:01:06 +0200 Message-ID: <15229584661249@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled /dev/mem: Avoid overwriting "err" in read_mem() to the 4.16-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: dev-mem-avoid-overwriting-err-in-read_mem.patch and it can be found in the queue-4.16 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From b5b38200ebe54879a7264cb6f33821f61c586a7e Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Tue, 27 Mar 2018 14:06:14 -0700 Subject: /dev/mem: Avoid overwriting "err" in read_mem() From: Kees Cook commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream. Successes in probe_kernel_read() would mask failures in copy_to_user() during read_mem(). Reported-by: Brad Spengler Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman --- drivers/char/mem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *fil while (count > 0) { unsigned long remaining; - int allowed; + int allowed, probe; sz = size_inside_page(p, count); @@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *fil if (!ptr) goto failed; - err = probe_kernel_read(bounce, ptr, sz); + probe = probe_kernel_read(bounce, ptr, sz); unxlate_dev_mem_ptr(p, ptr); - if (err) + if (probe) goto failed; remaining = copy_to_user(buf, bounce, sz); Patches currently in stable-queue which might be from keescook@chromium.org are queue-4.16/dev-mem-avoid-overwriting-err-in-read_mem.patch