From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "James Hogan" <james.hogan@imgtec.com>,
	"David Daney" <david.daney@cavium.com>,
	linux-mips@linux-mips.org, "Ralf Baechle" <ralf@linux-mips.org>,
	"James Cowgill" <James.Cowgill@imgtec.com>
Subject: [PATCH 3.2 052/101] MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
Date: Thu, 01 Jun 2017 16:40:55 +0100	[thread overview]
Message-ID: <lsq.1496331655.950607252@decadent.org.uk> (raw)
In-Reply-To: <lsq.1496331653.552489284@decadent.org.uk>

3.2.89-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Cowgill <James.Cowgill@imgtec.com>

commit 884b426917e4b3c85f33b382c792a94305dfdd62 upstream.

If copy_from_user is called with a large buffer (>= 128 bytes) and the
userspace buffer refers partially to unreadable memory, then it is
possible for Octeon's copy_from_user to report the wrong number of bytes
have been copied. In the case where the buffer size is an exact multiple
of 128 and the fault occurs in the last 64 bytes, copy_from_user will
report that all the bytes were copied successfully but leave some
garbage in the destination buffer.

The bug is in the main __copy_user_common loop in octeon-memcpy.S where
in the middle of the loop, src and dst are incremented by 128 bytes. The
l_exc_copy fault handler is used after this but that assumes that
"src < THREAD_BUADDR($28)". This is not the case if src has already been
incremented.

Fix by adding an extra fault handler which rewinds the src and dst
pointers 128 bytes before falling through to l_exc_copy.

Thanks to the pwritev test from the strace test suite for originally
highlighting this bug!

Fixes: 5b3b16880f40 ("MIPS: Add Cavium OCTEON processor support ...")
Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Acked-by: David Daney <david.daney@cavium.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14978/
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/cavium-octeon/octeon-memcpy.S | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/arch/mips/cavium-octeon/octeon-memcpy.S
+++ b/arch/mips/cavium-octeon/octeon-memcpy.S
@@ -223,18 +223,18 @@ EXC(	STORE	t2, UNIT(6)(dst),	s_exc_p10u)
 	ADD	src, src, 16*NBYTES
 EXC(	STORE	t3, UNIT(7)(dst),	s_exc_p9u)
 	ADD	dst, dst, 16*NBYTES
-EXC(	LOAD	t0, UNIT(-8)(src),	l_exc_copy)
-EXC(	LOAD	t1, UNIT(-7)(src),	l_exc_copy)
-EXC(	LOAD	t2, UNIT(-6)(src),	l_exc_copy)
-EXC(	LOAD	t3, UNIT(-5)(src),	l_exc_copy)
+EXC(	LOAD	t0, UNIT(-8)(src),	l_exc_copy_rewind16)
+EXC(	LOAD	t1, UNIT(-7)(src),	l_exc_copy_rewind16)
+EXC(	LOAD	t2, UNIT(-6)(src),	l_exc_copy_rewind16)
+EXC(	LOAD	t3, UNIT(-5)(src),	l_exc_copy_rewind16)
 EXC(	STORE	t0, UNIT(-8)(dst),	s_exc_p8u)
 EXC(	STORE	t1, UNIT(-7)(dst),	s_exc_p7u)
 EXC(	STORE	t2, UNIT(-6)(dst),	s_exc_p6u)
 EXC(	STORE	t3, UNIT(-5)(dst),	s_exc_p5u)
-EXC(	LOAD	t0, UNIT(-4)(src),	l_exc_copy)
-EXC(	LOAD	t1, UNIT(-3)(src),	l_exc_copy)
-EXC(	LOAD	t2, UNIT(-2)(src),	l_exc_copy)
-EXC(	LOAD	t3, UNIT(-1)(src),	l_exc_copy)
+EXC(	LOAD	t0, UNIT(-4)(src),	l_exc_copy_rewind16)
+EXC(	LOAD	t1, UNIT(-3)(src),	l_exc_copy_rewind16)
+EXC(	LOAD	t2, UNIT(-2)(src),	l_exc_copy_rewind16)
+EXC(	LOAD	t3, UNIT(-1)(src),	l_exc_copy_rewind16)
 EXC(	STORE	t0, UNIT(-4)(dst),	s_exc_p4u)
 EXC(	STORE	t1, UNIT(-3)(dst),	s_exc_p3u)
 EXC(	STORE	t2, UNIT(-2)(dst),	s_exc_p2u)
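Review bot: the rewind handler is only correct for loads that execute after both `ADD src, src, 16*NBYTES` and `ADD dst, dst, 16*NBYTES`; all eight LOAD lines changed here (UNIT(-8) through UNIT(-1)) sit below both ADDs, so the pairing is right, but nothing in the source records that rule. Suggest a one-line comment next to `ADD dst, dst, 16*NBYTES` saying that any LOAD placed after the pointer bump must use l_exc_copy_rewind16 rather than l_exc_copy, so a later reordering cannot quietly bring back the wrong-count behaviour. The STORE handlers (s_exc_p8u through s_exc_p2u) are left as they were in this hunk; a sentence in the commit message on why the store path needs no matching rewind would make the review easier.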
@@ -400,6 +400,10 @@ done:
 	 nop
 	END(memcpy)
 
+l_exc_copy_rewind16:
+	/* Rewind src and dst by 16*NBYTES for l_exc_copy */
+	SUB	src, src, 16*NBYTES
+	SUB	dst, dst, 16*NBYTES
 l_exc_copy:
 	/*
 	 * Copy bytes from src until faulting load address (or until a
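Review bot: l_exc_copy_rewind16 depends on falling through into l_exc_copy, and the new comment above the two SUBs does not say so; since the label sits after END(memcpy), anything inserted between the two labels later would break the rewind without any assembler diagnostic. Suggest extending the comment to "Rewind src and dst by 16*NBYTES, then fall through to l_exc_copy (must stay directly above it)". Rewinding dst is as necessary as rewinding src, because l_exc_copy copies bytes from src up to the faulting address into dst, so both pointers have to name the block start; the two SUBs give exactly that.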

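The mechanism the commit message describes, as an added C model of the 128-byte loop and its fault handler; this is not the kernel's assembly and not part of the patch. The `PRECOND_VIOLATED` sentinel and the `src > bad` check inside `exc_copy` are constructed for the model (the real handler cannot check its own assumption and instead misbehaves as the message describes), and the scenario data in `run_case` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 128                     /* 16*NBYTES with NBYTES == 8 */
#define HALF  (BLOCK / 2)
#define PRECOND_VIOLATED ((size_t)-1) /* constructed sentinel, this model only */
/* Model of l_exc_copy: salvage [src, bad) into dst and report how many of the
 * source bytes up to end were NOT copied.  Assumes src <= bad.  The assembly
 * cannot check that assumption; this model flags a violation instead. */
static size_t exc_copy(uint8_t *dst, const uint8_t *src,
                       const uint8_t *bad, const uint8_t *end)
{
    if (src > bad) return PRECOND_VIOLATED;
    memcpy(dst, src, (size_t)(bad - src));
    return (size_t)(end - bad);
}
/* Model of the 128-byte __copy_user_common loop (n must be a multiple of
 * BLOCK here).  Source bytes at or above bad are unreadable.  Returns the
 * number of bytes not copied, like copy_from_user; rewind != 0 models the
 * l_exc_copy_rewind16 handler added by the patch. */
static size_t copy_blocks(uint8_t *dst, const uint8_t *src, size_t n,
                          const uint8_t *bad, int rewind)
{
    const uint8_t *end = src + n;
    for (size_t done = 0; done < n; done += BLOCK) {
        if (src + HALF > bad)              /* fault in UNIT(0..7)(src) */
            return exc_copy(dst, src, bad, end);
        memcpy(dst, src, HALF);
        src += BLOCK;                      /* mid-loop ADD src/dst, 16*NBYTES */
        dst += BLOCK;
        if (src > bad) {                   /* fault in UNIT(-8..-1)(src) */
            if (rewind) { src -= BLOCK; dst -= BLOCK; }
            return exc_copy(dst, src, bad, end);
        }
        memcpy(dst - HALF, src - HALF, HALF);
    }
    return 0;
}
/* Constructed scenario: n-byte source with src[i] == i, unreadable from
 * fault_off onward, copied into the poisoned scratch buffer. */
static uint8_t scratch[512];
static size_t run_case(size_t n, size_t fault_off, int rewind)
{
    uint8_t src[512];
    for (size_t i = 0; i < n; i++) src[i] = (uint8_t)i;
    memset(scratch, 0xAA, n);              /* stands in for stale kernel memory */
    return copy_blocks(scratch, src, n, src + fault_off, rewind);
}
```

With a 256-byte buffer and the fault at offset 200 (last 64 bytes of the second block), the unrewound path hands the handler a src that is already past the fault, while the rewound path salvages bytes 128 to 199 and reports 56 bytes uncopied; a fault in the first half of a block (offset 150) behaves the same either way.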