[SRU][Jammy-OEM-5.17/OEM-6.0][PATCH 0/1] CVE-2023-0459
Yuxuan Luo
yuxuan.luo at canonical.com
Wed May 31 00:34:46 UTC 2023
[Impact]
There is a Spectre-v1-like CVE in lib/usercopy.c, where there is no Spectre
barrier for __copy_from_user(). This vulnerability allows attackers to retrieve
sensitive kernel memory information, leading to an info leak.
[Backport]
There is a prerequisite commit, 33b75c1d884e (“instrumented.h: allow
instrumenting both sides of copy_from_user()”), to solve a conflict at
lib/usercopy.c. However, this commit mainly instruments the introduction of
KMSAN and does not have any intersection with this fix, so it is irrelevant to
this CVE. Therefore, we can ignore this commit and directly backport the fix
commit.
[Test]
Compile and boot tested.
[Potential Regression]
Expecting relatively low regression potential since the fix basically adds a
`NOP` after the branching statement. However, considering the wide usage of
copy_from_user(), the potential is not negligible.
Dave Hansen (1):
uaccess: Add speculation barrier to copy_from_user()
include/linux/nospec.h | 4 ++++
kernel/bpf/core.c | 2 --
lib/usercopy.c | 7 +++++++
3 files changed, 11 insertions(+), 2 deletions(-)
--
2.34.1
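Added example, not part of the patch, the cover letter or the kernel tree: a user-space C model of the two idioms include/linux/nospec.h offers against the Spectre-v1 pattern described in [Impact]. The first is a speculation barrier placed right after the bounds check, which is what the fix inserts into _copy_from_user() after access_ok(); on x86 the kernel's barrier_nospec() emits LFENCE, and the macro below mirrors that (degrading to a compiler-only barrier on other architectures). The second is the generic array_index_nospec() mask arithmetic from nospec.h, which clamps an out-of-range index to 0 without a branch. The user range, the "kernel secret" buffer and the names model_access_ok, model_copy_from_user and demo_* are constructed for this example and stand in for the real user address-space check; the return contract (bytes left uncopied, destination zero-filled on failure) follows _copy_from_user().

```c
/*
 * Added example (not from the patch or the kernel): user-space model of the
 * nospec idioms around a bounds check. Assumptions: speculation_barrier()
 * mirrors the kernel's x86 barrier_nospec() (LFENCE); model_access_ok() and
 * the user_pages buffer are constructed stand-ins for access_ok().
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG (CHAR_BIT * sizeof(unsigned long))

/* Stop speculation at this point (LFENCE on x86, as the kernel does). */
#if defined(__x86_64__) || defined(__i386__)
#define speculation_barrier() __asm__ __volatile__("lfence" ::: "memory")
#else
#define speculation_barrier() __asm__ __volatile__("" ::: "memory")
#endif

/*
 * Generic array_index_mask_nospec() as in include/linux/nospec.h.
 * index < size: both operands of the OR are small positives, the top bit of
 * the OR is clear, its complement has it set, and the arithmetic shift
 * smears it into ~0UL. index >= size: size - 1 - index wraps, the top bit
 * of the OR is set, and the result is 0. No branch is involved, so a
 * mispredicted comparison cannot steer the dependent load.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    __asm__ __volatile__("" : "+r"(index)); /* like OPTIMIZER_HIDE_VAR(index) */
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Clamp index to 0 when it is out of range, even under speculation. */
unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed "user" range and "kernel" data for the demo. */
static unsigned char user_pages[64];
static unsigned char kernel_secret[32] = "kernel-only data";

/* Stand-in for access_ok(): [from, from + n) must lie inside user_pages. */
static int model_access_ok(const void *from, unsigned long n)
{
    uintptr_t p = (uintptr_t)from, base = (uintptr_t)user_pages;
    return n <= sizeof user_pages && p >= base && p - base <= sizeof user_pages - n;
}

/*
 * Same contract as _copy_from_user(): returns bytes NOT copied and zero-fills
 * the uncopied tail so the caller never sees stale destination contents.
 */
unsigned long model_copy_from_user(void *to, const void *from, unsigned long n)
{
    unsigned long res = n;

    if (model_access_ok(from, n)) {
        /*
         * The barrier the fix adds. Without it, a mispredicted check lets
         * the CPU speculatively issue the copy from an attacker-chosen
         * kernel address; the architectural result is discarded but the
         * load's cache footprint can be measured.
         */
        speculation_barrier();
        memcpy(to, from, n);
        res = 0;
    }
    if (res)
        memset((char *)to + (n - res), 0, res);
    return res;
}

/* Valid source inside the user range: copy succeeds, 0 bytes left. */
int demo_copy_in_range(void)
{
    unsigned char dst[8];
    memcpy(user_pages, "ABCDEFGH", 8);
    return model_copy_from_user(dst, user_pages, 8) == 0 &&
           memcmp(dst, "ABCDEFGH", 8) == 0;
}

/* Kernel address passed as source: check fails, nothing leaks, dst zeroed. */
int demo_reject_kernel_pointer(void)
{
    unsigned char dst[16];
    memset(dst, 0xAA, sizeof dst);
    if (model_copy_from_user(dst, kernel_secret, sizeof dst) != sizeof dst)
        return 0;
    for (size_t i = 0; i < sizeof dst; i++)
        if (dst[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("in-range copy ok: %d\n", demo_copy_in_range());
    printf("kernel pointer rejected: %d\n", demo_reject_kernel_pointer());
    printf("index 5 of 8 -> %lu, index 8 of 8 -> %lu, index ~0 of 8 -> %lu\n",
           array_index_nospec(5, 8), array_index_nospec(8, 8),
           array_index_nospec(ULONG_MAX, 8));
    return 0;
}
```

The model can only show the architectural behaviour (the residual count and the zero-fill); the speculative window itself is invisible to normal C and is what the LFENCE closes. The mask variant is the alternative for hot paths where an index, rather than a pointer range, is what the user controls.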