ACK: [SRU][Jammy-OEM-5.17/OEM-6.0][PATCH 0/1] CVE-2023-0459
Tim Gardner
tim.gardner at canonical.com
Wed May 31 18:05:01 UTC 2023
On 5/30/23 6:34 PM, Yuxuan Luo wrote:
> [Impact]
> There is a spectre-v1 like CVE in lib/usercopy.c, where there is no spectre
> barrier for __copy_from_user(). This vulnerability allows attackers to retrieve
> sensitive kernel memory information, leading to info leak.
>
> [Backport]
> There is a prerequisite commit, 33b75c1d884e (“instrumented.h: allow
> instrumenting both sides of copy_from_user()”), to solve a conflict at
> lib/usercopy.c. However, this commit mainly instruments the introduction of
> KMSAN and did not have any intersection with this fix, which is irrelevant to
> this CVE. Therefore, we can ignore this commit and directly backport the fix
> commit.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> Expecting relatively low regression potential since the fix basically adds a
> `NOP` after the branching statement. However, considering the wide usage of
> copy_from_user(), the potential is not negligible.
>
>
> Dave Hansen (1):
> uaccess: Add speculation barrier to copy_from_user()
>
> include/linux/nospec.h | 4 ++++
> kernel/bpf/core.c | 2 --
> lib/usercopy.c | 7 +++++++
> 3 files changed, 11 insertions(+), 2 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
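The check-then-barrier-then-copy ordering the fix restores, as an added user-space model that is not the kernel's lib/usercopy.c: `fake_user_mem`, `access_ok_sim` and `model_copy_from_user` are constructed stand-ins for the user address range, `access_ok()` and `_copy_from_user()`, and `barrier_nospec()` is a local stand-in for the kernel macro.

```c
/* Added illustration of the pattern hardened by the CVE-2023-0459 fix.
 * Not kernel code: the "user" address space is a constructed buffer and
 * the checks are stand-ins for the real access_ok()/raw_copy_from_user(). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's barrier_nospec(): serialise so that a
 * mispredicted access_ok() branch cannot speculatively run the copy. */
#if defined(__x86_64__) || defined(__i386__)
#define barrier_nospec() __asm__ __volatile__("lfence" ::: "memory")
#else
#define barrier_nospec() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed "user" region standing in for TASK_SIZE-bounded memory. */
static unsigned char fake_user_mem[64] = "hello, kernel";

/* Stand-in for access_ok(): is [from, from + n) inside the user region?
 * The range check is written to be safe against pointer overflow. */
static int access_ok_sim(const void *from, size_t n)
{
    uintptr_t lo = (uintptr_t)fake_user_mem;
    uintptr_t hi = lo + sizeof(fake_user_mem);
    uintptr_t a = (uintptr_t)from;
    return a >= lo && a <= hi && n <= hi - a;
}

/* Mirrors the _copy_from_user() contract: returns the number of bytes NOT
 * copied and zero-fills the uncopied tail of the destination. */
static size_t model_copy_from_user(void *to, const void *from, size_t n)
{
    size_t res = n;
    if (access_ok_sim(from, n)) {
        /* The line the fix adds: after the range-check branch and before
         * any load from *from, so a bad access_ok() speculation cannot
         * leak kernel memory through the copy. */
        barrier_nospec();
        memcpy(to, from, n);     /* stand-in for raw_copy_from_user() */
        res = 0;
    }
    if (res)
        memset((char *)to + (n - res), 0, res);
    return res;
}
```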