From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F694C43381 for ; Sun, 3 Mar 2019 08:17:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4EFC720866 for ; Sun, 3 Mar 2019 08:17:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1551601048; bh=KW2UhqboOZ373qgV9crzf24vDOHHMCCSt+ZPX6Afjr8=; h=Subject:To:Cc:From:Date:List-ID:From; b=O54QT99azQm6qBK0jMR0u4Gm58Py8zc/O2dBzr82GD7PkoMa6lihq3H2wt0EFVgYf EliaF9WLOFLMlLTkZNskHVJK52gMfVd98Ncr3RX65bK+3R3dWqN/mXxKHmIbhd+58Q QhAzdcevUGgMgDbnNOG4NK/iHpSWQfEvCo+qfK+M= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725950AbfCCIR1 (ORCPT ); Sun, 3 Mar 2019 03:17:27 -0500 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:35817 "EHLO out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725933AbfCCIR1 (ORCPT ); Sun, 3 Mar 2019 03:17:27 -0500 Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 7E75A21E8C; Sun, 3 Mar 2019 03:17:26 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Sun, 03 Mar 2019 03:17:26 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=jd+Pkp sAtaWkP3qhgLYXsI78agAc/qNvxm3AMXyt99Y=; b=oLhIoHt3hcXwyEiuEeUwnA FkVnzYkgw1OXYodoMwBhu2xXVOpBckJr25HtJEoepb50wHNj8ChnUg5Pb2gC3jsj J0ONp22l3noabNbVSdBsN3QUu17XIj2bTkbYCMOOfdutpGQfBCcPobeTLpyqdNn0 cC7iX+8/1Z3erKs8qhPk4s+VTrTKg3xwWysdlQCV3cLpi1rClHrf4bIL0XWBBbnA A3tmNWoe77hUxbvhqYgAOMM6tOfB7uGsfGoZxQdFDZpHLHxmLQylJikfaFivUw3v /hQ/4YwSm3Hxvls7PEyP6Uh32pSvAjDwQw6y/cb6CueqPTOp69Sw958GoepY4khQ == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrvdekgdduuddvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefuvffhfffkgggtgfesthekredttd dtlfenucfhrhhomhepoehgrhgvghhkhheslhhinhhugihfohhunhgurghtihhonhdrohhr gheqnecuffhomhgrihhnpehkvghrnhgvlhdrohhrghenucfkphepkeefrdekiedrkeelrd dutdejnecurfgrrhgrmhepmhgrihhlfhhrohhmpehgrhgvgheskhhrohgrhhdrtghomhen ucevlhhushhtvghrufhiiigvpedu X-ME-Proxy: Received: from localhost (5356596b.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) by mail.messagingengine.com (Postfix) with ESMTPA id D32A6E4240; Sun, 3 Mar 2019 03:17:25 -0500 (EST) Subject: FAILED: patch "[PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value" failed to apply to 4.9-stable tree To: luto@kernel.org, bp@suse.de, brgerst@gmail.com, dvlasenk@redhat.com, jpoimboe@redhat.com, peterz@infradead.org, torvalds@linux-foundation.org Cc: From: Date: Sun, 03 Mar 2019 09:17:21 +0100 Message-ID: <1551601041159246@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski Date: Fri, 22 Feb 2019 17:17:04 -0800 Subject: [PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski Signed-off-by: Borislav Petkov Acked-by: Linus Torvalds Cc: Peter Zijlstra Cc: Brian Gerst Cc: Josh Poimboeuf Cc: Denys Vlasenko Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a77445d1b034..28376aa2d053 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -284,7 +284,7 @@ do { \ __put_user_goto(x, ptr, "l", "k", "ir", label); \ break; \ case 8: \ - __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \ + __put_user_goto_u64(x, ptr, label); \ break; \ default: \ __put_user_bad(); \ @@ -431,8 +431,10 @@ do { \ ({ \ __label__ __pu_label; \ int __pu_err = -EFAULT; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_label); \ + __put_user_size(__pu_val, (ptr), (size), __pu_label); \ __pu_err = 0; \ __pu_label: \ __uaccess_end(); \