From: Geert Uytterhoeven
Date: Tue, 20 Mar 2018 10:48:48 +0100
Subject: Re: [PATCH AUTOSEL for 3.18 044/102] fix race in drivers/char/random.c:get_reg()
To: Sasha Levin
Cc: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org", Michael Schmitz, "Theodore Ts'o"
In-Reply-To: <20180319161117.17833-44-alexander.levin@microsoft.com>
References: <20180319161117.17833-1-alexander.levin@microsoft.com> <20180319161117.17833-44-alexander.levin@microsoft.com>
Sender: stable-owner@vger.kernel.org

Hi Sasha,

On Mon, Mar 19, 2018 at 5:12 PM, Sasha Levin wrote:
> From: Michael Schmitz
>
> [ Upstream commit 9dfa7bba35ac08a63565d58c454dccb7e1bb0a08 ]
>
> get_reg() can be reentered on architectures with prioritized interrupts
> (m68k in this case), causing f->reg_index to be incremented after the
> range check. Out of bounds memory access past the pt_regs struct results.
> This will go mostly undetected unless access is beyond end of memory.
>
> Prevent the race by disabling interrupts in get_reg().
>
> Tested on m68k (Atari Falcon, and ARAnyM emulator).
>
> Kudos to Geert Uytterhoeven for helping to trace this race.
>
> Signed-off-by: Michael Schmitz
> Signed-off-by: Theodore Ts'o
> Signed-off-by: Sasha Levin

You probably want to apply follow-up commit 92e75428ffc90e2a ("random: use
lockless method of accessing and updating f->reg_idx"), too.

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
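As an added illustration (not code from the patch, the kernel, or anyone in this thread), the user-space C below models the race the commit message describes: a hypothetical `simulated_irq` hook stands in for a higher-priority interrupt reentering `get_reg()` between the range check and the increment, and `NREGS` and `struct regs` are constructed stand-ins for `pt_regs`. It contrasts the racy check-then-increment shape with the private-copy (lockless) shape of the follow-up commit Geert mentions; the racy variant reports the out-of-range index instead of dereferencing it so the demo itself stays well defined.

```c
#define NREGS 4                              /* constructed stand-in for pt_regs size */
struct regs { unsigned int r[NREGS]; };
struct fast_pool { unsigned int reg_idx; };
/* Hypothetical hook modelling a higher-priority interrupt that reenters
 * get_reg() between the range check and the increment; fires once. */
typedef void (*irq_hook_t)(struct fast_pool *, struct regs *);
static irq_hook_t simulated_irq;
static void fire_irq(struct fast_pool *f, struct regs *r)
{
    irq_hook_t h = simulated_irq;
    if (h) { simulated_irq = 0; h(f, r); }
}

/* Racy shape: range-check f->reg_idx, then re-read and post-increment it.
 * The index used is reported via *used; an out-of-range one is not dereferenced. */
static unsigned int get_reg_racy(struct fast_pool *f, struct regs *r, unsigned int *used)
{
    if (f->reg_idx >= NREGS)
        f->reg_idx = 0;
    fire_irq(f, r);                          /* nested call bumps f->reg_idx */
    *used = f->reg_idx++;                    /* may now equal NREGS */
    return *used < NREGS ? r->r[*used] : 0;
}

/* Lockless shape of the follow-up commit: check and bump a private copy and
 * write it back last. Reentry can only make the index stale, never out of range. */
static unsigned int get_reg_safe(struct fast_pool *f, struct regs *r, unsigned int *used)
{
    unsigned int idx = f->reg_idx;           /* READ_ONCE() in the kernel */
    if (idx >= NREGS)
        idx = 0;
    fire_irq(f, r);
    *used = idx++;
    f->reg_idx = idx;                        /* WRITE_ONCE() in the kernel */
    return r->r[*used];
}

static void nested_racy(struct fast_pool *f, struct regs *r) { unsigned int u; get_reg_racy(f, r, &u); }
static void nested_safe(struct fast_pool *f, struct regs *r) { unsigned int u; get_reg_safe(f, r, &u); }

/* Start at the last valid index, let the simulated interrupt reenter, and
 * return the index the outer call ended up using. */
static unsigned int outer_index(int racy)
{
    struct regs regs = {{ 0x11, 0x22, 0x33, 0x44 }};   /* constructed values */
    struct fast_pool f = { NREGS - 1 };
    unsigned int used;
    simulated_irq = racy ? nested_racy : nested_safe;
    if (racy) get_reg_racy(&f, &regs, &used); else get_reg_safe(&f, &regs, &used);
    return used;
}
```

With the interrupt firing inside the window, the racy variant ends up using index `NREGS` (one past the last register), while the private-copy variant stays at `NREGS - 1`.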