From 5d74b627fa3bc618368e559bfa613f30eff9117d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 3 Mar 2019 19:39:17 +0100
Subject: [PATCH] 4.4-stable patches added patches: x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
---
 queue-4.4/series | 1 +
 ...lag-into-__put_user-value-evaluation.patch | 62 +++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 queue-4.4/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
diff --git a/queue-4.4/series b/queue-4.4/series
index a116ea6ebf1..4f9474851f1 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -51,3 +51,4 @@ kvm-arm-arm64-fix-mmio-emulation-data-handling.patch
 powerpc-always-initialize-input-array-when-calling-epapr_hypercall.patch
 mmc-spi-fix-card-detection-during-probe.patch
 mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch
+x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
diff --git a/queue-4.4/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch b/queue-4.4/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
new file mode 100644
index 00000000000..1407ae87725
--- /dev/null
+++ b/queue-4.4/x86-uaccess-don-t-leak-the-ac-flag-into-__put_user-value-evaluation.patch
@@ -0,0 +1,62 @@
+From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Fri, 22 Feb 2019 17:17:04 -0800
+Subject: x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
+
+From: Andy Lutomirski
+
+commit 2a418cf3f5f1caf911af288e978d61c9844b0695 upstream.
+
+When calling __put_user(foo(), ptr), the __put_user() macro would call
+foo() in between __uaccess_begin() and __uaccess_end(). If that code
+were buggy, then those bugs would be run without SMAP protection.
+
+Fortunately, there seem to be few instances of the problem in the
+kernel. Nevertheless, __put_user() should be fixed to avoid doing this.
+Therefore, evaluate __put_user()'s argument before setting AC.
+
+This issue was noticed when an objtool hack by Peter Zijlstra complained
+about genregs_get() and I compared the assembly output to the C source.
+
+ [ bp: Massage commit message and fixed up whitespace. ]
+
+Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses")
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Borislav Petkov
+Acked-by: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Brian Gerst
+Cc: Josh Poimboeuf
+Cc: Denys Vlasenko
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/uaccess.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -314,8 +314,7 @@ do { \
+ __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \
+ break; \
+ case 8: \
+- __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \
+- errret); \
++ __put_user_asm_u64(x, ptr, retval, errret); \
+ break; \
+ default: \
+ __put_user_bad(); \
+@@ -426,8 +425,10 @@ do { \
+ #define __put_user_nocheck(x, ptr, size) \
+ ({ \
+ int __pu_err; \
++ __typeof__(*(ptr)) __pu_val; \
++ __pu_val = x; \
+ __uaccess_begin(); \
+- __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \
++ __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT);\
+ __uaccess_end(); \
+ __builtin_expect(__pu_err, 0); \
+ })
--
2.39.5
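Review bot: In the `__put_user_nocheck()` hunk of the queued patch, `(ptr)` is still expanded between `__uaccess_begin()` and `__uaccess_end()`, so a pointer argument that is a function call or has side effects would still be evaluated with AC set and SMAP protection suspended; only the value argument has been moved out of the window. Capturing the pointer next to the value would close the same gap: `__typeof__(ptr) __pu_ptr = (ptr);` before `__uaccess_begin()`, then `__put_user_size(__pu_val, __pu_ptr, (size), __pu_err, -EFAULT);`. The new `__pu_val = x;` also drops the parentheses the removed line had around the macro argument; `__pu_val = (x);` keeps the expansion hygienic. Separately, the 8-byte case of `__put_user_size()` no longer casts `x` to the pointee type, so every other user of that macro (outside these hunks) has to pass an already correctly typed value, which is worth confirming against the 4.4 tree before this is queued.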