git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Dave Hansen <dave.hansen@linux.intel.com>
	Wed, 11 Nov 2015 18:19:31 +0000 (10:19 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 9 Dec 2015 19:34:19 +0000 (14:34 -0500)
commit	10ec42fc4ed17919a154c3f6448cb3db4bbeed6d
tree	23be1794cd76f0b64c32cda11c6a7653426a7e23	tree
parent	44a06ce07b02abb8a0b5c03e055dae3613fce390	commit \| diff

x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels

commit 46561c3959d6307d22139c24cd0bf196162e5681 upstream.

When you call get_user(foo, bar), you effectively do a

copy_from_user(&foo, bar, sizeof(*bar));

Note that the sizeof() is implicit.

When we reach out to userspace to try to zap an entire "bounds
table" we need to go read a "bounds directory entry" in order to
locate the table's address. The size of a "directory entry"
depends on the binary being run and is always the size of a
pointer.

But, when we have a 64-bit kernel and a 32-bit application, the
directory entry is still only 32-bits long, but we fetch it with
a 64-bit pointer which makes get_user() does a 64-bit fetch.
Reading 4 extra bytes isn't harmful, unless we are at the end of
and run off the table. It might also cause the zero page to get
faulted in unnecessarily even if you are not at the end.

Fix it up by doing a special 32-bit get_user() via a cast when
we have 32-bit userspace.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>