This is a note to let you know that I've just added the patch titled
/dev/mem: Avoid overwriting "err" in read_mem()
to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: dev-mem-avoid-overwriting-err-in-read_mem.patch and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From b5b38200ebe54879a7264cb6f33821f61c586a7e Mon Sep 17 00:00:00 2001
From: Kees Cook keescook@chromium.org Date: Tue, 27 Mar 2018 14:06:14 -0700 Subject: /dev/mem: Avoid overwriting "err" in read_mem()
From: Kees Cook keescook@chromium.org
commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream.
Successes in probe_kernel_read() would mask failures in copy_to_user() during read_mem().
Reported-by: Brad Spengler spender@grsecurity.net Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/char/mem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *fil
while (count > 0) { unsigned long remaining; - int allowed; + int allowed, probe;
sz = size_inside_page(p, count);
@@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *fil if (!ptr) goto failed;
- err = probe_kernel_read(bounce, ptr, sz); + probe = probe_kernel_read(bounce, ptr, sz); unxlate_dev_mem_ptr(p, ptr); - if (err) + if (probe) goto failed;
remaining = copy_to_user(buf, bounce, sz);
Patches currently in stable-queue which might be from keescook@chromium.org are
queue-4.15/dev-mem-avoid-overwriting-err-in-read_mem.patch