APPLIED: [SRU][K][J][F][B][PATCH 0/1] kernel: fix __clear_user() inline assembly constraints (LP: 2013088)

Stefan Bader stefan.bader at canonical.com
Thu Apr 6 13:53:43 UTC 2023 

On 04.04.23 11:10, frank.heimes at canonical.com wrote:
> BugLink: https://bugs.launchpad.net/bugs/2013088
> 
> SRU Justification:
> 
> [ Impact ]
> 
>   * In case clear_user() crosses two pages and faults on the second page the
>     kernel may write lowcore contents to the first page, instead of
>     clearing it.
> 
>   * The __clear_user() inline assembly misses earlyclobber constraint
>     modifiers. Depending on compiler and compiler options this may lead to
>     incorrect code which copies kernel lowcore contents to user space instead
>     of clearing memory, in case clear_user() faults.
> 
> [Fix]
> 
>   * For Kinetic and Jammy cherrypick of
>     89aba4c26fae 89aba4c26fae4e459f755a18912845c348ee48f3
>     "s390/uaccess: add missing earlyclobber annotations to __clear_user()"
> 
>   * For Focal and Bionic a backport of the above commit is needed:
>     https://launchpadlibrarian.net/659551648/s390-uaccess.patch
> 
> [ Test Plan ]
> 
>   * A test program in C is needed and used for testing.
> 
>   * The test will be done by IBM.
> 
> [ Where problems could occur ]
> 
>   * The modification is limited to function 'long __clear_user'.
> 
>   * And there, just to one inline assembly constraints line.
> 
>   * This is usually difficult to trace.
> 
>   * A erroneous modification may lead to a wrong behavior in
>     'long __clear_user',
> 
>   * and maybe returning a wrong size (in uaccess.c).
> 
> [ Other ]
> 
>   * This affects all Ubuntu releases in service, down to 18.04.
> 
>   * Since we are close to 23.04 kernel freeze, I submit a patch request for
>     23.04 separately, and submit the SRU request for the all other
>     Ubuntu releases later.
> 
> Heiko Carstens (1):
>    s390/uaccess: add missing earlyclobber annotations to __clear_user()
> 
>   arch/s390/lib/uaccess.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Applied to kinetic,jammy,focal,bionic:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230406/62c47f81/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230406/62c47f81/attachment-0001.sig>

More information about the kernel-team mailing list