From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757436AbdKGPw3 (ORCPT ); Tue, 7 Nov 2017 10:52:29 -0500
Received: from zeniv.linux.org.uk ([195.92.253.2]:48800 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750953AbdKGPw1 (ORCPT ); Tue, 7 Nov 2017 10:52:27 -0500
Date: Tue, 7 Nov 2017 15:52:22 +0000
From: Al Viro
To: Arnd Bergmann
Cc: Richard Henderson , Ivan Kokshaysky , Matt Turner , y2038@lists.linaro.org, Deepa Dinamani , stable@vger.kernel.org, linux-alpha@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] alpha: osf_sys.c: fix put_tv32 regression
Message-ID: <20171107155222.GV21978@ZenIV.linux.org.uk>
References: <20171107141029.3160278-1-arnd@arndb.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171107141029.3160278-1-arnd@arndb.de>
User-Agent: Mutt/1.9.0 (2017-09-02)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 07, 2017 at 03:09:24PM +0100, Arnd Bergmann wrote:
> There was a typo in the new version of put_tv32() that caused
> uninitialized stack data to be written back to user space, rather
> than writing the actual timeval for the emulation of
> gettimeofday(), wait4(), usleep_thread() and old_adjtimex().
>
> This fixes it to write the correct data again.

*blink*

the bug is real, all right, and the fix is the correct one, but where do you
get an infoleak? What it is is a user-triggerable oops - just pass it an
unmapped address. For anything mapped r/w it's simply a no-op - userland
data is unchanged.

IOW, the fix is correct, but the commit message isn't - it's "user-triggerable
oops and in all cases failed to modify userland timeval32" not "uninitialized
stack data to be written back to user space"
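
The distinction drawn in the reply above (a no-op on mapped memory rather than a leak of stack data), as an added user-space model that is not code from this thread or from the kernel tree. It assumes the typo filled the temporary from the output pointer `o` instead of the input `i`; `struct timeval64`, `model_copy_to_user()` and `buffer_unchanged()` are hypothetical stand-ins.

```c
#include <string.h>

/* User-space model: type names follow the thread, bodies are assumptions. */
struct timeval32 { int tv_sec, tv_usec; };
struct timeval64 { long tv_sec, tv_usec; }; /* stands in for the kernel's struct timeval */

/* Stand-in for copy_to_user(): returns 0 on success. */
static long model_copy_to_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Assumed shape of the typo: the temporary is filled from the OUTPUT pointer.
 * In the kernel, o is a user pointer, so o->tv_sec is an unchecked dereference:
 * an unmapped address faults in kernel mode (the oops). If o is mapped, the
 * temporary is fully initialised from the user's own data, so no stack bytes
 * are exposed and the copy writes back what was already there. */
static long put_tv32_buggy(struct timeval32 *o, const struct timeval64 *i)
{
    (void)i; /* the kernel's value is never consulted */
    struct timeval32 tmp = { .tv_sec = o->tv_sec, .tv_usec = o->tv_usec };
    return model_copy_to_user(o, &tmp, sizeof(tmp));
}

/* Corrected form: the temporary comes from the kernel-side value i. */
static long put_tv32_fixed(struct timeval32 *o, const struct timeval64 *i)
{
    struct timeval32 tmp = { .tv_sec = (int)i->tv_sec, .tv_usec = (int)i->tv_usec };
    return model_copy_to_user(o, &tmp, sizeof(tmp));
}

/* Returns 1 if the caller's buffer is byte-for-byte unchanged after the call. */
static int buffer_unchanged(long (*put)(struct timeval32 *, const struct timeval64 *))
{
    struct timeval32 user = { 0x11111111, 0x22222222 }, before; /* constructed sentinel */
    struct timeval64 kernel = { 1510069942L, 123456L };         /* constructed sample time */
    before = user;
    put(&user, &kernel);
    return memcmp(&user, &before, sizeof(user)) == 0;
}

int main(void)
{
    /* Exit status 0 when the buggy form is a no-op and the fixed form writes. */
    return !(buffer_unchanged(put_tv32_buggy) && !buffer_unchanged(put_tv32_fixed));
}
```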