4.14-stable patches

added patches:
	mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch

diff --git a/queue-4.14/mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch b/queue-4.14/mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch
new file mode 100644 (file)
index 0000000..d9d5f7e
--- /dev/null
+++ b/queue-4.14/mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch
@@ -0,0 +1,54 @@
+From 951531691c4bcaa59f56a316e018bc2ff1ddf855 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres" <isaacm@codeaurora.org>
+Date: Tue, 13 Aug 2019 15:37:37 -0700
+Subject: mm/usercopy: use memory range to be accessed for wraparound check
+
+From: Isaac J. Manjarres <isaacm@codeaurora.org>
+
+commit 951531691c4bcaa59f56a316e018bc2ff1ddf855 upstream.
+
+Currently, when checking to see if accessing n bytes starting at address
+"ptr" will cause a wraparound in the memory addresses, the check in
+check_bogus_address() adds an extra byte, which is incorrect, as the
+range of addresses that will be accessed is [ptr, ptr + (n - 1)].
+
+This can lead to incorrectly detecting a wraparound in the memory
+address, when trying to read 4 KB from memory that is mapped to the the
+last possible page in the virtual address space, when in fact, accessing
+that range of memory would not cause a wraparound to occur.
+
+Use the memory range that will actually be accessed when considering if
+accessing a certain amount of bytes will cause the memory address to
+wrap around.
+
+Link: http://lkml.kernel.org/r/1564509253-23287-1-git-send-email-isaacm@codeaurora.org
+Fixes: f5509cc18daa ("mm: Hardened usercopy")
+Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
+Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
+Co-developed-by: Prasad Sodagudi <psodagud@codeaurora.org>
+Reviewed-by: William Kucharski <william.kucharski@oracle.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Trilok Soni <tsoni@codeaurora.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[kees: backport to v4.14]
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/usercopy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/usercopy.c
++++ b/mm/usercopy.c
+@@ -121,7 +121,7 @@ static inline const char *check_kernel_t
+ static inline const char *check_bogus_address(const void *ptr, unsigned long n)
+ {
+       /* Reject if object wraps past end of memory. */
+-      if ((unsigned long)ptr + n < (unsigned long)ptr)
++      if ((unsigned long)ptr + (n - 1) < (unsigned long)ptr)
+               return "<wrapped address>";
+ 
+       /* Reject if NULL or ZERO-allocation. */

diff --git a/queue-4.14/series b/queue-4.14/series
index ba301d23ec7f94536b8bddaf743399470c97c9df..942474c8538ac93f93322d05b4a9f883d5491327 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1,2 +1,3 @@
 scsi-mpt3sas-use-63-bit-dma-addressing-on-sas35-hba.patch
 sh-kernel-hw_breakpoint-fix-missing-break-in-switch-statement.patch
+mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch