Linux kernel -stable discussions
From: Jimmy Tran <jtoantran@google.com>
To: stable@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>,
	 Borislav Petkov <bp@alien8.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	 Arnd Bergmann <arnd@arndb.de>, Ingo Molnar <mingo@redhat.com>,
	 Dave Hansen <dave.hansen@linux.intel.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	 Will Deacon <will@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	 David Laight <david.laight@aculab.com>,
	Andrei Vagin <avagin@gmail.com>,
	 David Laight <David.Laight@ACULAB.COM>,
	Jimmy Tran <jtoantran@google.com>
Subject: [PATCH v2 6/7] x86: fix off-by-one in access_ok()
Date: Wed,  6 Aug 2025 16:20:02 +0000
Message-ID: <20250806162003.1134886-7-jtoantran@google.com>
In-Reply-To: <20250806162003.1134886-1-jtoantran@google.com>

From: David Laight <David.Laight@ACULAB.COM>

commit 573f45a9f9a47fed4c7957609689b772121b33d7 upstream.

When the size isn't a small constant, __access_ok() will call
valid_user_address() with the address after the last byte of the user
buffer.

It is valid for a buffer to end with the last valid user address so
valid_user_address() must allow accesses to the base of the guard page.

[ This introduces an off-by-one in the other direction for the plain
  non-sized accesses, but since we have that guard region that is a
  whole page, those checks "allowing" accesses to that guard region
  don't really matter. The access will fault anyway, whether to the
  guard page or if the address has been masked to all ones - Linus ]

Cc: <stable@vger.kernel.org> # 6.12.x: 86e6b15: x86: fix user address masking non-canonical speculation issue
Cc: <stable@vger.kernel.org> # 6.10.x: e60cc61: vfs: dcache: move hashlen_hash() from callers into d_hash()
Cc: <stable@vger.kernel.org> # 6.10.x: e782985: runtime constants: add default dummy infrastructure
Cc: <stable@vger.kernel.org> # 6.10.x: e3c92e8: runtime constants: add x86 architecture support
Fixes: 86e6b1547b3d0 ("x86: fix user address masking non-canonical speculation issue")
Signed-off-by: David Laight <david.laight@aculab.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jimmy Tran <jtoantran@google.com>
---
 arch/x86/kernel/cpu/common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 2369e85055c0e..6c69dea644ffc 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -2491,12 +2491,12 @@ void __init arch_cpu_finalize_init(void)
 	alternative_instructions();
 
 	if (IS_ENABLED(CONFIG_X86_64)) {
-		unsigned long USER_PTR_MAX = TASK_SIZE_MAX-1;
+		unsigned long USER_PTR_MAX = TASK_SIZE_MAX;
 
 		/*
 		 * Enable this when LAM is gated on LASS support
 		if (cpu_feature_enabled(X86_FEATURE_LAM))
-			USER_PTR_MAX = (1ul << 63) - PAGE_SIZE - 1;
+			USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;
 		 */
 		runtime_const_init(ptr, USER_PTR_MAX);
 
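Review bot: only the first changed line (`USER_PTR_MAX = TASK_SIZE_MAX`) alters behaviour; the second edit, `USER_PTR_MAX = (1ul << 63) - PAGE_SIZE`, sits inside the `/* ... */` block that is disabled until LAM is gated on LASS, so it has no runtime effect and is carried only to keep the dormant LAM value consistent with the live one. Since the whole fix rests on the limit now being the first byte past the user range rather than the last valid byte, it is worth confirming in the 6.6 tree that valid_user_address() compares against USER_PTR_MAX inclusively, so an address equal to TASK_SIZE_MAX (the base of the guard page) is accepted as the commit message requires, and that the masking patch this depends on (Fixes: 86e6b1547b3d0, patch 5/7 in this series) is applied first so the guard-page reasoning in Linus's bracketed note holds.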
-- 
2.50.1.470.g6ba607880d-goog


Thread overview:
2025-08-06 16:19 [PATCH 6.6 v2 0/7] x86: fix user address masking non-canonical Jimmy Tran
2025-08-06 16:19 ` [PATCH v2 1/7] vfs: dcache: move hashlen_hash() from callers into d_hash() Jimmy Tran
2025-08-06 16:19 ` [PATCH v2 2/7] runtime constants: add default dummy infrastructure Jimmy Tran
2025-08-12 13:00   ` Greg Kroah-Hartman
2025-08-06 16:19 ` [PATCH v2 3/7] runtime constants: add x86 architecture support Jimmy Tran
2025-08-06 21:01   ` David Laight
2025-08-06 16:20 ` [PATCH v2 4/7] arm64: add 'runtime constant' support Jimmy Tran
2025-08-06 16:20 ` [PATCH v2 5/7] x86: fix user address masking non-canonical speculation issue Jimmy Tran
2025-08-06 16:20 ` Jimmy Tran [this message]
2025-08-06 16:20 ` [PATCH v2 7/7] x86: use cmov for user address masking Jimmy Tran
2025-08-06 18:02 ` [PATCH 6.6 v2 0/7] x86: fix user address masking non-canonical Linus Torvalds
  -- strict thread matches above, loose matches on Subject: below --
2025-07-23 16:32 [PATCH v1 0/6] Backport "x86: fix off-by-one in access_ok()" to 6.6.y Jimmy Tran
2025-07-28 17:56 ` [PATCH v2 0/7] x86: fix user address masking non-canonical Jimmy Tran
2025-07-28 17:56   ` [PATCH v2 6/7] x86: fix off-by-one in access_ok() Jimmy Tran
