From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:57872 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727158AbeICUgx (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 3 Sep 2018 16:36:53 -0400
Date: Mon, 3 Sep 2018 18:16:01 +0200
From: Greg KH <gregkh@linuxfoundation.org>
To: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Subject: Re: [PATCH for 4.18.y] x86/dumpstack: Don't dump kernel memory based
 on usermode RIP
Message-ID: <20180903161601.GA5823@kroah.com>
References: <20180903143248.98687-1-jannh@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180903143248.98687-1-jannh@google.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Mon, Sep 03, 2018 at 04:32:48PM +0200, Jann Horn wrote:
> commit 342db04ae71273322f0011384a9ed414df8bdae4 upstream.
> 
> show_opcodes() is used both for dumping kernel instructions and for dumping
> user instructions. If userspace causes #PF by jumping to a kernel address,
> show_opcodes() can be reached with regs->ip controlled by the user,
> pointing to kernel code. Make sure that userspace can't trick us into
> dumping kernel memory into dmesg.
> 
> Manually backported: show_opcodes() has changed a bit in the meantime.
> I have manually tested the backport.
> 
> Fixes: 7cccf0725cf7 ("x86/dumpstack: Add a show_ip() function")
> Cc: stable@vger.kernel.org
> Link: https://lkml.kernel.org/r/20180828154901.112726-1-jannh@google.com
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
> Since I manually backported this, I have removed all other
> sign-off/reviewed-by lines. I hope that's correct?

Yes, that's fine, but I added them back as this wasn't that different of
a backport :)

THanks for the patch, now queued up.

greg k-h