March 2019 - Linux-stable-mirror

Re: [PATCH v4.4] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation

by Greg Kroah-Hartman

On Sun, Mar 03, 2019 at 08:28:01PM +0300, Maxim Zhukov wrote: > Whoops, this patch generated on old tree, sorry. I regenerate patch from > new 4.4 tree. And test for all kernels (its work). Resend one patch for all > stable branches? If that is what works and is needed, yes.

5 years, 9 months

1
0
0 0

[PATCH v4.4] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation

by Maxim Zhukov

From: Andy Lutomirski <luto(a)kernel.org> commit 2a418cf3f5f1caf911af288e978d61c9844b0695 upstream. When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org Signed-off-by: Maxim Zhukov <mussitantesmortem(a)gmail.com> --- arch/x86/include/asm/uaccess.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index d788b0cdc0ad..4f4a9fa61b8a 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -306,7 +306,7 @@ do { \ __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \ break; \ case 8: \ - __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \ + __put_user_asm_u64(x, ptr, retval, \ errret); \ break; \ default: \ @@ -410,7 +410,9 @@ do { \ #define __put_user_nocheck(x, ptr, size) \ ({ \ int __pu_err; \ - __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ + __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT); \ __builtin_expect(__pu_err, 0); \ }) -- 2.21.0

5 years, 9 months

2
1
0 0

[PATCH v4.9] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation

by Maxim Zhukov

From: Andy Lutomirski <luto(a)kernel.org> When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org --- arch/x86/include/asm/uaccess.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a8d85a687cf4..39bbc225558c 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -292,7 +292,7 @@ do { \ __put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \ break; \ case 8: \ - __put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \ + __put_user_asm_u64(x, ptr, retval, \ errret); \ break; \ default: \ @@ -427,8 +427,10 @@ do { \ #define __put_user_nocheck(x, ptr, size) \ ({ \ int __pu_err; \ + __typeof__(*(ptr)) __pu_val; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \ + __pu_val = x; \ + __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT); \ __uaccess_end(); \ __builtin_expect(__pu_err, 0); \ }) -- 2.21.0

5 years, 9 months

2
1
0 0

Stable queue: queue-4.20

by CKI

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: 0f7c162c1df5 Linux 4.20.13 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge ----- We cloned this repository and checked out a ref: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Ref: 0f7c162c1df5 Linux 4.20.13 We then merged the following patches with `git am`: genirq-matrix-improve-target-cpu-selection-for-manag.patch scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch drm-msm-unblock-writer-if-reader-closes-file.patch asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch alsa-compress-prevent-potential-divide-by-zero-bugs.patch asoc-rt5682-fix-recording-no-sound-issue.patch asoc-variable-val-in-function-rt274_i2c_probe-could-.patch clk-tegra-dfll-fix-a-potential-oop-in-remove.patch clk-sysfs-fix-invalid-json-in-clk_dump.patch clk-vc5-abort-clock-configuration-without-upstream-c.patch thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch usb-gadget-potential-null-dereference-on-allocation-.patch hid-i2c-hid-disable-runtime-pm-on-goodix-touchpad.patch asoc-core-make-snd_soc_find_component-more-robust.patch selftests-rtc-rtctest-fix-alarm-tests.patch selftests-rtc-rtctest-add-alarm-test-on-minute-bound.patch genirq-make-sure-the-initial-affinity-is-not-empty.patch x86-mm-mem_encrypt-fix-erroneous-sizeof.patch asoc-rt5682-fix-pll-source-register-definitions.patch asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch selftests-vm-gup_benchmark.c-match-gup-struct-to-ker.patch phy-ath79-usb-fix-the-power-on-error-path.patch phy-ath79-usb-fix-the-main-reset-name-to-match-the-d.patch selftests-seccomp-use-ldlibs-instead-of-ldflags.patch selftests-gpio-mockup-chardev-check-asprintf-for-err.patch irqchip-gic-v3-mbi-fix-uninitialized-mbi_lock.patch arc-fix-__ffs-return-value-to-avoid-build-warnings.patch arc-show_regs-lockdep-avoid-page-allocator.patch drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch staging-rtl8723bs-fix-build-error-with-clang-when-in.patch mac80211-fix-miscounting-of-ttl-dropped-frames.patch sched-wait-fix-rcuwait_wake_up-ordering.patch sched-wake_q-fix-wakeup-ordering-for-wake_q.patch futex-fix-possible-missed-wakeup.patch locking-rwsem-fix-possible-missed-wakeup.patch drm-amd-powerplay-od-setting-fix-on-vega10.patch tty-serial-qcom_geni_serial-allow-mctrl-when-flow-co.patch serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch drm-sun4i-hdmi-fix-usage-of-tmds-clock.patch staging-android-ion-support-cpu-access-during-dma_bu.patch direct-io-allow-direct-writes-to-empty-inodes.patch writeback-synchronize-sync-2-against-cgroup-writebac.patch scsi-lpfc-nvme-avoid-hang-use-after-free-when-destro.patch scsi-lpfc-nvmet-avoid-hang-use-after-free-when-destr.patch scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch net-altera_tse-fix-connect_local_phy-error-path.patch hv_netvsc-fix-ethtool-change-hash-key-error.patch hv_netvsc-refactor-assignments-of-struct-netvsc_devi.patch hv_netvsc-fix-hash-key-value-reset-after-other-ops.patch nvme-rdma-fix-timeout-handler.patch nvme-multipath-drop-optimization-for-static-ana-grou.patch cifs-fix-memory-leak-of-an-allocated-cifs_ntsd-struc.patch drm-msm-fix-a6xx-support-for-opp-level.patch drm-msm-avoid-unused-function-warning.patch net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch net-dev_is_mac_header_xmit-true-for-arphrd_rawip.patch ibmveth-do-not-process-frames-after-calling-napi_res.patch mac80211-don-t-initiate-tdls-connection-if-station-i.patch mac80211-add-attribute-aligned-2-to-struct-action.patch cfg80211-extend-range-deviation-for-dmg.patch svm-fix-avic-incomplete-ipi-emulation.patch kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch kvm-selftests-fix-region-overlap-check-in-kvm_util.patch kvm-selftests-check-returned-evmcs-version-range.patch mmc-spi-fix-card-detection-during-probe.patch mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch mmc-tmio-fix-access-width-of-block-count-register.patch mmc-core-fix-null-ptr-crash-from-mmc_should_fail_request.patch mmc-cqhci-fix-space-allocated-for-transfer-descriptor.patch mmc-cqhci-fix-a-tiny-potential-memory-leak-on-error-condition.patch mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch drm-block-fb-changes-for-async-plane-updates.patch hugetlbfs-fix-races-and-page-leaks-during-migration.patch crypto-ccree-add-missing-inline-qualifier.patch mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch mips-bcm63xx-provide-dma-masks-for-ethernet-devices.patch mips-fix-memory-setup-for-platforms-with-phys_offset-0.patch scsi-3w-sas-fix-calls-to-dma_set_mask_and_coherent.patch scsi-csiostor-fix-calls-to-dma_set_mask_and_coherent.patch scsi-3w-9xxx-fix-calls-to-dma_set_mask_and_coherent.patch scsi-aic94xx-fix-calls-to-dma_set_mask_and_coherent.patch arm64-dts-qcom-msm8998-extend-tz-reserved-memory-area.patch mips-ebpf-fix-icache-flush-end-address.patch Compile ------- We compiled the kernel for 3 architectures: powerpc64le: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/3d507a67724e94e733c6c8a084… aarch64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/bc078a8d363d7b6f16626cdfac… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/0253a8e2ea487b64b52fbc4c983… Tests ----- We booted each kernel and ran the following tests: powerpc: PASSED: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: LTP lite - release 20190115 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: Loopdev Sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… PASSED: xfstests: ext4 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu PASSED: Ethernet drivers sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… WAIVED: PASSED: httpd: php sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… WAIVED: PASSED: tuned: tune-processes-through-perf - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… PASSED: Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… arm64: PASSED: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: LTP lite - release 20190115 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: Loopdev Sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… PASSED: xfstests: ext4 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu PASSED: Ethernet drivers sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… WAIVED: PASSED: httpd: php sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… WAIVED: PASSED: tuned: tune-processes-through-perf - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… PASSED: Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… x86_64: PASSED: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: LTP lite - release 20190115 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: Loopdev Sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… PASSED: xfstests: ext4 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu PASSED: Ethernet drivers sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… WAIVED: PASSED: httpd: php sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… WAIVED: PASSED: tuned: tune-processes-through-perf - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… PASSED: Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us…

5 years, 9 months

1
0
0 0

FAILED: patch "[PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski <luto(a)kernel.org> Date: Fri, 22 Feb 2019 17:17:04 -0800 Subject: [PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a77445d1b034..28376aa2d053 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -284,7 +284,7 @@ do { \ __put_user_goto(x, ptr, "l", "k", "ir", label); \ break; \ case 8: \ - __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \ + __put_user_goto_u64(x, ptr, label); \ break; \ default: \ __put_user_bad(); \ @@ -431,8 +431,10 @@ do { \ ({ \ __label__ __pu_label; \ int __pu_err = -EFAULT; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_label); \ + __put_user_size(__pu_val, (ptr), (size), __pu_label); \ __pu_err = 0; \ __pu_label: \ __uaccess_end(); \

5 years, 9 months

1
0
0 0

FAILED: patch "[PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski <luto(a)kernel.org> Date: Fri, 22 Feb 2019 17:17:04 -0800 Subject: [PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a77445d1b034..28376aa2d053 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -284,7 +284,7 @@ do { \ __put_user_goto(x, ptr, "l", "k", "ir", label); \ break; \ case 8: \ - __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \ + __put_user_goto_u64(x, ptr, label); \ break; \ default: \ __put_user_bad(); \ @@ -431,8 +431,10 @@ do { \ ({ \ __label__ __pu_label; \ int __pu_err = -EFAULT; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_label); \ + __put_user_size(__pu_val, (ptr), (size), __pu_label); \ __pu_err = 0; \ __pu_label: \ __uaccess_end(); \

5 years, 9 months

1
0
0 0

FAILED: patch "[PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski <luto(a)kernel.org> Date: Fri, 22 Feb 2019 17:17:04 -0800 Subject: [PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a77445d1b034..28376aa2d053 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -284,7 +284,7 @@ do { \ __put_user_goto(x, ptr, "l", "k", "ir", label); \ break; \ case 8: \ - __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \ + __put_user_goto_u64(x, ptr, label); \ break; \ default: \ __put_user_bad(); \ @@ -431,8 +431,10 @@ do { \ ({ \ __label__ __pu_label; \ int __pu_err = -EFAULT; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_label); \ + __put_user_size(__pu_val, (ptr), (size), __pu_label); \ __pu_err = 0; \ __pu_label: \ __uaccess_end(); \

5 years, 9 months

1
0
0 0

FAILED: patch "[PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value" failed to apply to 4.20-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.20-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski <luto(a)kernel.org> Date: Fri, 22 Feb 2019 17:17:04 -0800 Subject: [PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a77445d1b034..28376aa2d053 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -284,7 +284,7 @@ do { \ __put_user_goto(x, ptr, "l", "k", "ir", label); \ break; \ case 8: \ - __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \ + __put_user_goto_u64(x, ptr, label); \ break; \ default: \ __put_user_bad(); \ @@ -431,8 +431,10 @@ do { \ ({ \ __label__ __pu_label; \ int __pu_err = -EFAULT; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_label); \ + __put_user_size(__pu_val, (ptr), (size), __pu_label); \ __pu_err = 0; \ __pu_label: \ __uaccess_end(); \

5 years, 9 months

1
0
0 0

FAILED: patch "[PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 2a418cf3f5f1caf911af288e978d61c9844b0695 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski <luto(a)kernel.org> Date: Fri, 22 Feb 2019 17:17:04 -0800 Subject: [PATCH] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation When calling __put_user(foo(), ptr), the __put_user() macro would call foo() in between __uaccess_begin() and __uaccess_end(). If that code were buggy, then those bugs would be run without SMAP protection. Fortunately, there seem to be few instances of the problem in the kernel. Nevertheless, __put_user() should be fixed to avoid doing this. Therefore, evaluate __put_user()'s argument before setting AC. This issue was noticed when an objtool hack by Peter Zijlstra complained about genregs_get() and I compared the assembly output to the C source. [ bp: Massage commit message and fixed up whitespace. ] Fixes: 11f1a4b9755f ("x86: reorganize SMAP handling in user space accesses") Signed-off-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: Denys Vlasenko <dvlasenk(a)redhat.com> Cc: stable(a)vger.kernel.org Link: http://lkml.kernel.org/r/20190225125231.845656645@infradead.org diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index a77445d1b034..28376aa2d053 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -284,7 +284,7 @@ do { \ __put_user_goto(x, ptr, "l", "k", "ir", label); \ break; \ case 8: \ - __put_user_goto_u64((__typeof__(*ptr))(x), ptr, label); \ + __put_user_goto_u64(x, ptr, label); \ break; \ default: \ __put_user_bad(); \ @@ -431,8 +431,10 @@ do { \ ({ \ __label__ __pu_label; \ int __pu_err = -EFAULT; \ + __typeof__(*(ptr)) __pu_val; \ + __pu_val = x; \ __uaccess_begin(); \ - __put_user_size((x), (ptr), (size), __pu_label); \ + __put_user_size(__pu_val, (ptr), (size), __pu_label); \ __pu_err = 0; \ __pu_label: \ __uaccess_end(); \

5 years, 9 months

1
0
0 0

Stable queue: queue-4.20

by CKI

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: 0f7c162c1df5 Linux 4.20.13 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge ----- We cloned this repository and checked out a ref: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Ref: 0f7c162c1df5 Linux 4.20.13 We then merged the following patches with `git am`: genirq-matrix-improve-target-cpu-selection-for-manag.patch scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch drm-msm-unblock-writer-if-reader-closes-file.patch asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch alsa-compress-prevent-potential-divide-by-zero-bugs.patch asoc-rt5682-fix-recording-no-sound-issue.patch asoc-variable-val-in-function-rt274_i2c_probe-could-.patch clk-tegra-dfll-fix-a-potential-oop-in-remove.patch clk-sysfs-fix-invalid-json-in-clk_dump.patch clk-vc5-abort-clock-configuration-without-upstream-c.patch thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch usb-gadget-potential-null-dereference-on-allocation-.patch hid-i2c-hid-disable-runtime-pm-on-goodix-touchpad.patch asoc-core-make-snd_soc_find_component-more-robust.patch selftests-rtc-rtctest-fix-alarm-tests.patch selftests-rtc-rtctest-add-alarm-test-on-minute-bound.patch genirq-make-sure-the-initial-affinity-is-not-empty.patch x86-mm-mem_encrypt-fix-erroneous-sizeof.patch asoc-rt5682-fix-pll-source-register-definitions.patch asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch selftests-vm-gup_benchmark.c-match-gup-struct-to-ker.patch phy-ath79-usb-fix-the-power-on-error-path.patch phy-ath79-usb-fix-the-main-reset-name-to-match-the-d.patch selftests-seccomp-use-ldlibs-instead-of-ldflags.patch selftests-gpio-mockup-chardev-check-asprintf-for-err.patch irqchip-gic-v3-mbi-fix-uninitialized-mbi_lock.patch arc-fix-__ffs-return-value-to-avoid-build-warnings.patch arc-show_regs-lockdep-avoid-page-allocator.patch drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch staging-rtl8723bs-fix-build-error-with-clang-when-in.patch mac80211-fix-miscounting-of-ttl-dropped-frames.patch sched-wait-fix-rcuwait_wake_up-ordering.patch sched-wake_q-fix-wakeup-ordering-for-wake_q.patch futex-fix-possible-missed-wakeup.patch locking-rwsem-fix-possible-missed-wakeup.patch drm-amd-powerplay-od-setting-fix-on-vega10.patch tty-serial-qcom_geni_serial-allow-mctrl-when-flow-co.patch serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch drm-sun4i-hdmi-fix-usage-of-tmds-clock.patch staging-android-ion-support-cpu-access-during-dma_bu.patch direct-io-allow-direct-writes-to-empty-inodes.patch writeback-synchronize-sync-2-against-cgroup-writebac.patch scsi-lpfc-nvme-avoid-hang-use-after-free-when-destro.patch scsi-lpfc-nvmet-avoid-hang-use-after-free-when-destr.patch scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch net-altera_tse-fix-connect_local_phy-error-path.patch hv_netvsc-fix-ethtool-change-hash-key-error.patch hv_netvsc-refactor-assignments-of-struct-netvsc_devi.patch hv_netvsc-fix-hash-key-value-reset-after-other-ops.patch nvme-rdma-fix-timeout-handler.patch nvme-multipath-drop-optimization-for-static-ana-grou.patch cifs-fix-memory-leak-of-an-allocated-cifs_ntsd-struc.patch drm-msm-fix-a6xx-support-for-opp-level.patch drm-msm-avoid-unused-function-warning.patch net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch net-dev_is_mac_header_xmit-true-for-arphrd_rawip.patch ibmveth-do-not-process-frames-after-calling-napi_res.patch mac80211-don-t-initiate-tdls-connection-if-station-i.patch mac80211-add-attribute-aligned-2-to-struct-action.patch cfg80211-extend-range-deviation-for-dmg.patch svm-fix-avic-incomplete-ipi-emulation.patch kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch kvm-selftests-fix-region-overlap-check-in-kvm_util.patch kvm-selftests-check-returned-evmcs-version-range.patch mmc-spi-fix-card-detection-during-probe.patch mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch mmc-tmio-fix-access-width-of-block-count-register.patch mmc-core-fix-null-ptr-crash-from-mmc_should_fail_request.patch mmc-cqhci-fix-space-allocated-for-transfer-descriptor.patch mmc-cqhci-fix-a-tiny-potential-memory-leak-on-error-condition.patch mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch drm-block-fb-changes-for-async-plane-updates.patch hugetlbfs-fix-races-and-page-leaks-during-migration.patch crypto-ccree-add-missing-inline-qualifier.patch mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch mips-bcm63xx-provide-dma-masks-for-ethernet-devices.patch mips-fix-memory-setup-for-platforms-with-phys_offset-0.patch Compile ------- We compiled the kernel for 3 architectures: powerpc64le: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/6c7b4abd5b74e5047f0ab2cdc9… aarch64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/0b15d69c47d579e2ea7a84dd60… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/4e38c1b6dd5589211e209d177da… Tests ----- We booted each kernel and ran the following tests: powerpc: PASSED: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: LTP lite - release 20190115 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: Loopdev Sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… PASSED: xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu PASSED: Ethernet drivers sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… WAIVED: PASSED: httpd: php sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… WAIVED: PASSED: tuned: tune-processes-through-perf - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… PASSED: Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… arm64: PASSED: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: LTP lite - release 20190115 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: Loopdev Sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… PASSED: xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu PASSED: Ethernet drivers sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… WAIVED: PASSED: httpd: php sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… WAIVED: PASSED: tuned: tune-processes-through-perf - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… PASSED: Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us… x86_64: PASSED: Boot test - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: LTP lite - release 20190115 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… PASSED: Loopdev Sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#filesystems/… PASSED: xfstests: xfs - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/filesystems… PASSED: AMTU (Abstract Machine Test Utility) - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu PASSED: Ethernet drivers sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… WAIVED: PASSED: httpd: php sanity - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… WAIVED: PASSED: tuned: tune-processes-through-perf - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… PASSED: Usex - version 1.9-29 - URL: https://github.com/CKI-project/tests-beaker/archive/master.zip#standards/us…

5 years, 9 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2019