From: Willy Tarreau <w@1wt.eu> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net Cc: Vineet Gupta <Vineet.Gupta1@synopsys.com>, Linus Torvalds <torvalds@linux-foundation.org>, linux-snps-arc@lists.infradead.org, Vineet Gupta <vgupta@synopsys.com>, Al Viro <viro@zeniv.linux.org.uk>, Willy Tarreau <w@1wt.eu> Subject: [PATCH 3.10 081/319] ARC: uaccess: get_user to zero out dest in cause of fault Date: Sun, 5 Feb 2017 20:21:08 +0100 [thread overview] Message-ID: <1486322486-8024-52-git-send-email-w@1wt.eu> (raw) In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu> From: Vineet Gupta <Vineet.Gupta1@synopsys.com> commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream. Al reported potential issue with ARC get_user() as it wasn't clearing out destination pointer in case of fault due to bad address etc. Verified using following | { | u32 bogus1 = 0xdeadbeef; | u64 bogus2 = 0xdead; | int rc1, rc2; | | pr_info("Orig values %x %llx\n", bogus1, bogus2); | rc1 = get_user(bogus1, (u32 __user *)0x40000000); | rc2 = get_user(bogus2, (u64 __user *)0x50000000); | pr_info("access %d %d, new values %x %llx\n", | rc1, rc2, bogus1, bogus2); | } | [ARCLinux]# insmod /mnt/kernel-module/qtn.ko | Orig values deadbeef dead | access -14 -14, new values 0 0 Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: linux-snps-arc@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Willy Tarreau <w@1wt.eu> --- arch/arc/include/asm/uaccess.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h index 30c9baf..08770c7 100644 --- a/arch/arc/include/asm/uaccess.h +++ b/arch/arc/include/asm/uaccess.h @@ -83,7 +83,10 @@ "2: ;nop\n" \ " .section .fixup, \"ax\"\n" \ " .align 4\n" \ - "3: mov %0, %3\n" \ + "3: # return -EFAULT\n" \ + " mov %0, %3\n" \ + " # zero out dst ptr\n" \ + " mov %1, 0\n" \ " j 2b\n" \ " .previous\n" \ " .section __ex_table, \"a\"\n" \ @@ -101,7 +104,11 @@ "2: ;nop\n" \ " .section .fixup, \"ax\"\n" \ " .align 4\n" \ - "3: mov %0, %3\n" \ + "3: # return -EFAULT\n" \ + " mov %0, %3\n" \ + " # zero out dst ptr\n" \ + " mov %1, 0\n" \ + " mov %R1, 0\n" \ " j 2b\n" \ " .previous\n" \ " .section __ex_table, \"a\"\n" \ -- 2.8.0.rc2.1.gbe9624a
WARNING: multiple messages have this Message-ID (diff)
From: w@1wt.eu (Willy Tarreau) To: linux-snps-arc@lists.infradead.org Subject: [PATCH 3.10 081/319] ARC: uaccess: get_user to zero out dest in cause of fault Date: Sun, 5 Feb 2017 20:21:08 +0100 [thread overview] Message-ID: <1486322486-8024-52-git-send-email-w@1wt.eu> (raw) In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu> From: Vineet Gupta <Vineet.Gupta1@synopsys.com> commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream. Al reported potential issue with ARC get_user() as it wasn't clearing out destination pointer in case of fault due to bad address etc. Verified using following | { | u32 bogus1 = 0xdeadbeef; | u64 bogus2 = 0xdead; | int rc1, rc2; | | pr_info("Orig values %x %llx\n", bogus1, bogus2); | rc1 = get_user(bogus1, (u32 __user *)0x40000000); | rc2 = get_user(bogus2, (u64 __user *)0x50000000); | pr_info("access %d %d, new values %x %llx\n", | rc1, rc2, bogus1, bogus2); | } | [ARCLinux]# insmod /mnt/kernel-module/qtn.ko | Orig values deadbeef dead | access -14 -14, new values 0 0 Reported-by: Al Viro <viro at ZenIV.linux.org.uk> Cc: Linus Torvalds <torvalds at linux-foundation.org> Cc: linux-snps-arc at lists.infradead.org Cc: linux-kernel at vger.kernel.org Signed-off-by: Vineet Gupta <vgupta at synopsys.com> Signed-off-by: Al Viro <viro at zeniv.linux.org.uk> Signed-off-by: Willy Tarreau <w at 1wt.eu> --- arch/arc/include/asm/uaccess.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h index 30c9baf..08770c7 100644 --- a/arch/arc/include/asm/uaccess.h +++ b/arch/arc/include/asm/uaccess.h @@ -83,7 +83,10 @@ "2: ;nop\n" \ " .section .fixup, \"ax\"\n" \ " .align 4\n" \ - "3: mov %0, %3\n" \ + "3: # return -EFAULT\n" \ + " mov %0, %3\n" \ + " # zero out dst ptr\n" \ + " mov %1, 0\n" \ " j 2b\n" \ " .previous\n" \ " .section __ex_table, \"a\"\n" \ @@ -101,7 +104,11 @@ "2: ;nop\n" \ " .section .fixup, \"ax\"\n" \ " .align 4\n" \ - "3: mov %0, %3\n" \ + "3: # return -EFAULT\n" \ + " mov %0, %3\n" \ + " # zero out dst ptr\n" \ + " mov %1, 0\n" \ + " mov %R1, 0\n" \ " j 2b\n" \ " .previous\n" \ " .section __ex_table, \"a\"\n" \ -- 2.8.0.rc2.1.gbe9624a
next prev parent reply other threads:[~2017-02-05 20:13 UTC|newest] Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-02-05 19:20 [PATCH 3.10 030/319] PM / devfreq: Fix incorrect type issue Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 031/319] ppp: defer netns reference release for ppp channel Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 032/319] x86/mm/xen: Suppress hugetlbfs in PV guests Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 033/319] xen: Add RING_COPY_REQUEST() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 034/319] xen-netback: don't use last request to determine minimum Tx credit Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 035/319] xen-netback: use RING_COPY_REQUEST() throughout Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 036/319] xen-blkback: only read request operation from shared ring once Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 037/319] xen/pciback: Save xen_pci_op commands before processing it Willy Tarreau 2017-02-06 14:33 ` Konrad Rzeszutek Wilk 2017-02-06 22:33 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 038/319] xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 039/319] xen/pciback: Return error on XEN_PCI_OP_enable_msix " Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 040/319] xen/pciback: Do not install an IRQ handler for MSI interrupts Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 041/319] xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 042/319] xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 043/319] xen-pciback: Add name prefix to global 'permissive' variable Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 044/319] x86/xen: fix upper bound of pmd loop in xen_cleanhighmap() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 045/319] x86/traps: Ignore high word of regs->cs in early_idt_handler_common Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 046/319] x86/mm: Disable preemption during CR3 read+write Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 047/319] x86/apic: Do not init irq remapping if ioapic is disabled Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 048/319] x86/mm/pat, /dev/mem: Remove superfluous error message Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 049/319] x86/paravirt: Do not trace _paravirt_ident_*() functions Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 050/319] x86/build: Build compressed x86 kernels as PIE Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 051/319] x86/um: reuse asm-generic/barrier.h Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 052/319] iommu/amd: Update Alias-DTE in update_device_table() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 053/319] iommu/amd: Free domain id when free a domain of struct dma_ops_domain Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 054/319] ARM: 8616/1: dt: Respect property size when parsing CPUs Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 055/319] ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 056/319] ARM: sa1100: clear reset status prior to reboot Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 057/319] ARM: sa1111: fix pcmcia suspend/resume Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 058/319] arm64: avoid returning from bad_mode Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 059/319] arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO Willy Tarreau 2017-02-05 19:20 ` Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 060/319] arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 061/319] arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 062/319] MIPS: Malta: Fix IOCU disable switch read for MIPS64 Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 063/319] MIPS: ptrace: Fix regs_return_value for kernel context Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 064/319] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 065/319] powerpc/vdso64: Use double word compare on pointers Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 066/319] powerpc/powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 067/319] powerpc/64: Fix incorrect return value from __copy_tofrom_user Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 068/319] powerpc/nvram: Fix an incorrect partition merge Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 069/319] avr32: fix copy_from_user() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 070/319] avr32: fix 'undefined reference to `___copy_from_user' Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 071/319] avr32: off by one in at32_init_pio() Willy Tarreau 2017-02-05 19:20 ` [PATCH 3.10 072/319] s390/dasd: fix hanging device after clear subchannel Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 073/319] parisc: Ensure consistent state when switching to kernel stack at syscall entry Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 074/319] microblaze: fix __get_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 075/319] microblaze: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 076/319] mn10300: failing __get_user() and get_user() should zero Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 077/319] m32r: fix __get_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 078/319] sh64: failing __get_user() should zero Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 079/319] score: fix __get_user/get_user Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 080/319] s390: get_user() should zero on failure Willy Tarreau 2017-02-05 19:21 ` Willy Tarreau [this message] 2017-02-05 19:21 ` [PATCH 3.10 081/319] ARC: uaccess: get_user to zero out dest in cause of fault Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 082/319] asm-generic: make get_user() clear the destination on errors Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 083/319] frv: fix clear_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 084/319] cris: buggered copy_from_user/copy_to_user/clear_user Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 085/319] blackfin: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 086/319] score: fix copy_from_user() and friends Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 087/319] sh: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 088/319] hexagon: fix strncpy_from_user() error return Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 089/319] mips: copy_from_user() must zero the destination on access_ok() failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 090/319] asm-generic: make copy_from_user() zero the destination properly Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 091/319] alpha: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 092/319] metag: copy_from_user() should zero the destination on access_ok() failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 093/319] parisc: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 094/319] openrisc: " Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 095/319] openrisc: fix the fix of copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 096/319] mn10300: copy_from_user() should zero on access_ok() failure Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 097/319] sparc32: fix copy_from_user() Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 098/319] ppc32: " Willy Tarreau 2017-02-05 19:21 ` [PATCH 3.10 099/319] ia64: copy_from_user() should zero the destination on access_ok() failure Willy Tarreau
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1486322486-8024-52-git-send-email-w@1wt.eu \ --to=w@1wt.eu \ --cc=Vineet.Gupta1@synopsys.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-snps-arc@lists.infradead.org \ --cc=linux@roeck-us.net \ --cc=stable@vger.kernel.org \ --cc=torvalds@linux-foundation.org \ --cc=vgupta@synopsys.com \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.