ACK: [Trusty SRU][PATCH 1/1] fix minor infoleak in get_user_ex()
Colin Ian King
colin.king at canonical.com
Tue Sep 5 08:51:29 UTC 2017
On 05/09/17 09:43, Kleber Sacilotto de Souza wrote:
> From: Al Viro <viro at ZenIV.linux.org.uk>
>
> CVE-2016-9178
>
> get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak
> (at most we are leaking uninitialized 64bit value off the kernel stack,
> and in a fairly constrained situation, at that), but the fix is trivial,
> so...
>
> Cc: stable at vger.kernel.org
> Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
> [ This sat in different branch from the uaccess fixes since mid-August ]
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (cherry picked from commit 1c109fabbd51863475cd12ac206bdd249aee35af)
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
> arch/x86/include/asm/uaccess.h | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 8ec57c07b125..20e5bacf961c 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -383,7 +383,11 @@ do { \
> #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
> asm volatile("1: mov"itype" %1,%"rtype"0\n" \
> "2:\n" \
> - _ASM_EXTABLE_EX(1b, 2b) \
> + ".section .fixup,\"ax\"\n" \
> + "3:xor"itype" %"rtype"0,%"rtype"0\n" \
> + " jmp 2b\n" \
> + ".previous\n" \
> + _ASM_EXTABLE_EX(1b, 3b) \
> : ltype(x) : "m" (__m(addr)))
>
> #define __put_user_nocheck(x, ptr, size) \
>
Clean cherry pick, looks good to me.
Acked-by: Colin Ian King <colin.king at canonical.com>
More information about the kernel-team
mailing list