From: Greg Kroah-Hartman Date: Fri, 16 Aug 2019 18:40:56 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.19.68~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=248bb2cd1de63f4b06a388482b9d4bd4f186f432;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch --- diff --git a/queue-4.9/mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch b/queue-4.9/mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch new file mode 100644 index 00000000000..d151d12588c --- /dev/null +++ b/queue-4.9/mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch @@ -0,0 +1,54 @@ +From 951531691c4bcaa59f56a316e018bc2ff1ddf855 Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Tue, 13 Aug 2019 15:37:37 -0700 +Subject: mm/usercopy: use memory range to be accessed for wraparound check + +From: Isaac J. Manjarres + +commit 951531691c4bcaa59f56a316e018bc2ff1ddf855 upstream. + +Currently, when checking to see if accessing n bytes starting at address +"ptr" will cause a wraparound in the memory addresses, the check in +check_bogus_address() adds an extra byte, which is incorrect, as the +range of addresses that will be accessed is [ptr, ptr + (n - 1)]. + +This can lead to incorrectly detecting a wraparound in the memory +address, when trying to read 4 KB from memory that is mapped to the the +last possible page in the virtual address space, when in fact, accessing +that range of memory would not cause a wraparound to occur. + +Use the memory range that will actually be accessed when considering if +accessing a certain amount of bytes will cause the memory address to +wrap around. + +Link: http://lkml.kernel.org/r/1564509253-23287-1-git-send-email-isaacm@codeaurora.org +Fixes: f5509cc18daa ("mm: Hardened usercopy") +Signed-off-by: Prasad Sodagudi +Signed-off-by: Isaac J. Manjarres +Co-developed-by: Prasad Sodagudi +Reviewed-by: William Kucharski +Acked-by: Kees Cook +Cc: Greg Kroah-Hartman +Cc: Trilok Soni +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[kees: backport to v4.9] +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman + +--- + mm/usercopy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/usercopy.c ++++ b/mm/usercopy.c +@@ -124,7 +124,7 @@ static inline const char *check_kernel_t + static inline const char *check_bogus_address(const void *ptr, unsigned long n) + { + /* Reject if object wraps past end of memory. */ +- if ((unsigned long)ptr + n < (unsigned long)ptr) ++ if ((unsigned long)ptr + (n - 1) < (unsigned long)ptr) + return ""; + + /* Reject if NULL or ZERO-allocation. */ diff --git a/queue-4.9/series b/queue-4.9/series index 9fb317f01cb..fe7db5d80ba 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -41,3 +41,4 @@ mwifiex-fix-802.11n-wpa-detection.patch iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch scsi-mpt3sas-use-63-bit-dma-addressing-on-sas35-hba.patch sh-kernel-hw_breakpoint-fix-missing-break-in-switch-statement.patch +mm-usercopy-use-memory-range-to-be-accessed-for-wraparound-check.patch