From: Greg KH <greg@kroah.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Joe Korty <joe.korty@ccur.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Sasha Levin <alexander.levin@verizon.com>,
stable <stable@vger.kernel.org>
Subject: Re: [4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex()
Date: Fri, 28 Oct 2016 17:29:47 -0400 [thread overview]
Message-ID: <20161028212947.GA25964@kroah.com> (raw)
In-Reply-To: <20161028194958.GP19539@ZenIV.linux.org.uk>
On Fri, Oct 28, 2016 at 08:49:58PM +0100, Al Viro wrote:
> On Fri, Oct 28, 2016 at 11:21:24AM -0700, Linus Torvalds wrote:
>
> > End result: either commit 1c109fabbd51 shouldn't be backported (it's
> > really not that important - if people properly check the exception
> > error results it shouldn't matter), or you need to also backport
> > 548acf19234d as Al suggested.
> >
> > I'd be inclined to say "don't backport 1c109fabbd51", but it's really
> > a judgment call.
>
> *nod*
>
> FWIW, that infoleak _does_ allow to leak an uninitialized word into
> coredump (in sigreturn the value from uninitialized local variable is
> copied into pt_regs of process and when we eventually check that error
> has happened and hit the sucker with SIGSEGV, that value gets stored into
> the coredump), but in the worst case that's 64 bits leaked from fixed depth
> in the kernel stack of attacker's process, with fixed call chain.
>
> I very much doubt that it's escalatable to anything practically interesting.
> If spender et.al. can come up with a usable way to escalate that, I would be
> quite surprised (and would love to see the details), but hey, it might be
> possible. More likely possibility is that the bug is harmless in practice.
Hm, I think I'll backport 548acf19234d to 4.4-stable, as people have
shown that leaking anything can be used in odd ways that they shouldn't
be, just to be "safe" :)
thanks for the heads up.
greg k-h
prev parent reply other threads:[~2016-10-28 21:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161027193210.GA23006@zipoli.ccur.com>
[not found] ` <20161028000355.GK19539@ZenIV.linux.org.uk>
[not found] ` <20161028020210.GL19539@ZenIV.linux.org.uk>
[not found] ` <20161028164033.GA29952@zipoli.ccur.com>
2016-10-28 18:21 ` [4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex() Linus Torvalds
2016-10-28 19:49 ` Al Viro
2016-10-28 21:29 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161028212947.GA25964@kroah.com \
--to=greg@kroah.com \
--cc=alexander.levin@verizon.com \
--cc=joe.korty@ccur.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).