From: Greg Kroah-Hartman Date: Sun, 3 Mar 2019 18:40:28 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v4.9.162~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1851a0925b6aae0bb23104d0c3b37272b5b783a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
---
diff --git a/queue-4.20/series b/queue-4.20/series
index 8596779717c..aecf3a4f301 100644
--- a/queue-4.20/series
+++ b/queue-4.20/series
@@ -85,3 +85,4 @@ scsi-3w-9xxx-fix-calls-to-dma_set_mask_and_coherent.patch
 scsi-aic94xx-fix-calls-to-dma_set_mask_and_coherent.patch
 arm64-dts-qcom-msm8998-extend-tz-reserved-memory-area.patch
 mips-ebpf-fix-icache-flush-end-address.patch
+x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
diff --git a/queue-4.20/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch b/queue-4.20/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
new file mode 100644
index 00000000000..1a8346549fe
--- /dev/null
+++ b/queue-4.20/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
@@ -0,0 +1,62 @@
+From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Fri, 22 Feb 2019 17:17:04 -0800
+Subject: x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
+
+From: Andy Lutomirski
+
+commit 2a418cf3f5f1caf911af288e978d61c9844b0695 upstream.
+
+When calling __put_user(foo(), ptr), the __put_user() macro would call
+foo() in between __uaccess_begin() and __uaccess_end(). If that code
+were buggy, then those bugs would be run without SMAP protection.
+
+Fortunately, there seem to be few instances of the problem in the
+kernel. Nevertheless, __put_user() should be fixed to avoid doing this.
+Therefore, evaluate __put_user()'s argument before setting AC.
+
+This issue was noticed when an objtool hack by Peter Zijlstra complained
+about genregs_get() and I compared the assembly output to the C source.
+
+ [ bp: Massage commit message and fixed up whitespace. ]
+
+Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses")
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Borislav Petkov
+Acked-by: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Brian Gerst
+Cc: Josh Poimboeuf
+Cc: Denys Vlasenko
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/uaccess.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -293,8 +293,7 @@ do { \
+ __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \
+ break; \
+ case 8: \
+- __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \
+- errret); \
++ __put_user_asm_u64(x, ptr, retval, errret); \
+ break; \
+ default: \
+ __put_user_bad(); \
+@@ -440,8 +439,10 @@ do { \
+ #define __put_user_nocheck(x, ptr, size) \
+ ({ \
+ int __pu_err; \
++ __typeof__(*(ptr)) __pu_val; \
++ __pu_val = x; \
+ __uaccess_begin(); \
+- __put_user_size((x), (ptr), (size), 
 __pu_err, -EFAULT); \
++ __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT);\
+ __uaccess_end(); \
+ __builtin_expect(__pu_err, 0); \
+ })
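Review bot: In the `__put_user_nocheck()` hunk, `(ptr)` is still expanded inside `__put_user_size()` between `__uaccess_begin()` and `__uaccess_end()`, so a pointer expression that contains a function call would still run with AC set and without SMAP protection; only the value argument is hoisted. Evaluating the pointer up front in the same way would close that gap: `__typeof__(ptr) __pu_ptr = (ptr);` before `__uaccess_begin()`, then `__put_user_size(__pu_val, __pu_ptr, (size), __pu_err, -EFAULT);`. The new `__pu_val = x;` also drops the parentheses the old call had around the macro argument; `__pu_val = (x);` keeps it consistent with `(ptr)` and `(size)`. Dropping the `(__typeof__(*ptr))` cast in the `case 8` branch presumably relies on every `__put_user_size()` caller passing an already-converted value, which cannot be confirmed here because that macro's definition and its other callers lie outside the hunk.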