linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Joe Korty <joe.korty@ccur.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Sasha Levin <alexander.levin@verizon.com>,
	stable <stable@vger.kernel.org>
Subject: Re: [4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex()
Date: Fri, 28 Oct 2016 20:49:58 +0100	[thread overview]
Message-ID: <20161028194958.GP19539@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+55aFy=k-3LEJStj=nrujefJp3BEcJBG3yESS5=SemWTQ5hnA@mail.gmail.com>

On Fri, Oct 28, 2016 at 11:21:24AM -0700, Linus Torvalds wrote:

> End result: either commit 1c109fabbd51 shouldn't be backported (it's
> really not that important - if people properly check the exception
> error results it shouldn't matter), or you need to also backport
> 548acf19234d as Al suggested.
> 
> I'd be inclined to say "don't backport 1c109fabbd51", but it's really
> a judgment call.

*nod*

FWIW, that infoleak _does_ allow to leak an uninitialized word into
coredump (in sigreturn the value from uninitialized local variable is
copied into pt_regs of process and when we eventually check that error
has happened and hit the sucker with SIGSEGV, that value gets stored into
the coredump), but in the worst case that's 64 bits leaked from fixed depth
in the kernel stack of attacker's process, with fixed call chain.

I very much doubt that it's escalatable to anything practically interesting.
If spender et.al. can come up with a usable way to escalate that, I would be
quite surprised (and would love to see the details), but hey, it might be
possible.  More likely possibility is that the bug is harmless in practice.

  reply	other threads:[~2016-10-28 19:50 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20161027193210.GA23006@zipoli.ccur.com>
2016-10-28  0:03 ` BUGreport: fix minor infoleak in get_user_ex() Al Viro
2016-10-28  2:02   ` [4.1 backport trouble] " Al Viro
     [not found]     ` <20161028164033.GA29952@zipoli.ccur.com>
2016-10-28 18:21       ` Linus Torvalds
2016-10-28 19:49         ` Al Viro [this message]
2016-10-28 21:29           ` Greg KH
2016-10-28 19:34       ` Al Viro
2016-10-30 18:16     ` Levin, Alexander

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161028194958.GP19539@ZenIV.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=alexander.levin@verizon.com \
    --cc=joe.korty@ccur.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).