All of lore.kernel.org
 help / color / mirror / Atom feed
* Patch "metag/uaccess: Check access_ok in strncpy_from_user" has been added to the 4.11-stable tree
@ 2017-05-23 14:45 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-05-23 14:45 UTC (permalink / raw)
  To: james.hogan, gregkh, viro; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    metag/uaccess: Check access_ok in strncpy_from_user

to the 4.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     metag-uaccess-check-access_ok-in-strncpy_from_user.patch
and it can be found in the queue-4.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 3a158a62da0673db918b53ac1440845a5b64fd90 Mon Sep 17 00:00:00 2001
From: James Hogan <james.hogan@imgtec.com>
Date: Tue, 2 May 2017 19:41:06 +0100
Subject: metag/uaccess: Check access_ok in strncpy_from_user

From: James Hogan <james.hogan@imgtec.com>

commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.

The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

Its still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/metag/include/asm/uaccess.h |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -194,8 +194,13 @@ do {
 extern long __must_check __strncpy_from_user(char *dst, const char __user *src,
 					     long count);
 
-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count)
-
+static inline long
+strncpy_from_user(char *dst, const char __user *src, long count)
+{
+	if (!access_ok(VERIFY_READ, src, 1))
+		return -EFAULT;
+	return __strncpy_from_user(dst, src, count);
+}
 /*
  * Return the size of a string (including the ending 0)
  *


Patches currently in stable-queue which might be from james.hogan@imgtec.com are

queue-4.11/metag-uaccess-check-access_ok-in-strncpy_from_user.patch
queue-4.11/metag-uaccess-fix-access_ok.patch

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2017-05-23 14:47 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-23 14:45 Patch "metag/uaccess: Check access_ok in strncpy_from_user" has been added to the 4.11-stable tree gregkh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.