ACK: [SRU][Jammy-OEM-5.17/OEM-6.0][PATCH 0/1] CVE-2023-0459
Cengiz Can
cengiz.can at canonical.com
Wed May 31 18:15:25 UTC 2023
On Tue, 2023-05-30 at 20:34 -0400, Yuxuan Luo wrote:
> [Impact]
> There is a spectre-v1 like CVE in lib/usercopy.c, where there is no
> spectre barrier for __copy_from_user(). This vulnerability allows
> attackers to retrieve sensitive kernel memory information, leading to
> an info leak.
>
> [Backport]
> There is a prerequisite commit, 33b75c1d884e (“instrumented.h: allow
> instrumenting both sides of copy_from_user()”), to solve a conflict at
> lib/usercopy.c. However, this commit mainly instruments the
> introduction of KMSAN and did not have any intersection with this fix,
> which is irrelevant to this CVE. Therefore, we can ignore this commit
> and directly backport the fix commit.
>
> [Test]
> Compile and boot tested.
>
> [Potential Regression]
> Expecting relatively low regression potential since the fix basically
> adds a `NOP` after the branching statement. However, considering the
> wide usage of copy_from_user(), the potential is not negligible.
>
>
> Dave Hansen (1):
> uaccess: Add speculation barrier to copy_from_user()
Acked-by: Cengiz Can <cengiz.can at canonical.com>
>
> include/linux/nospec.h | 4 ++++
> kernel/bpf/core.c      | 2 --
> lib/usercopy.c         | 7 +++++++
> 3 files changed, 11 insertions(+), 2 deletions(-)
>
> --
> 2.34.1
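The shape of the change the cover letter describes, as an added user-space illustration that is not the kernel patch itself: a range check, then a speculation barrier, then the copy. The `barrier_nospec()` below is a stand-in for the kernel macro of that name (an `lfence` on x86, a compiler-only barrier elsewhere), and the simulated user range and `access_ok()` check are constructed assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the user address space: one fixed buffer. */
static unsigned char user_space[4096];
#define USER_START ((uintptr_t)user_space)
#define USER_END   (USER_START + sizeof(user_space))

/* Stand-in for the kernel's barrier_nospec(): on x86 an lfence keeps the
 * CPU from speculating past this point; elsewhere we only stop the
 * compiler from reordering. Architecturally it behaves like a NOP. */
static inline void barrier_nospec(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Stand-in for access_ok(): is [src, src + n) inside the user range? */
static int access_ok(const void *src, size_t n)
{
    uintptr_t a = (uintptr_t)src;
    return n <= sizeof(user_space) && a >= USER_START && a <= USER_END - n;
}

/* Pre-fix shape: if the branch on access_ok() is mispredicted, the copy
 * can run speculatively on an out-of-range src and leave cache traces. */
size_t copy_from_user_unfenced(void *dst, const void *src, size_t n)
{
    if (!access_ok(src, n))
        return n;               /* kernel convention: bytes NOT copied */
    memcpy(dst, src, n);
    return 0;
}

/* Post-fix shape: the barrier between the check and the copy stops the
 * copy from executing speculatively on the mispredicted path. */
size_t copy_from_user_fenced(void *dst, const void *src, size_t n)
{
    if (!access_ok(src, n))
        return n;
    barrier_nospec();
    memcpy(dst, src, n);
    return 0;
}
```

Both variants return the same results for every input; the barrier changes only what the CPU may do speculatively, which is why the regression risk is described as low.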