Essential get_user fix missing from 3.10 aarch64

From: Jason A. Donenfeld
Date: Fri Dec 01 2017 - 10:57:37 EST


Hi stable/arm/Willy,

1f65c13efef69b6dc908e588f91a133641d8475c is an important commit,
because it involves evaluation of pointers from userspace. I'm running
into issues with RNDADDTOENTCNT reading bogus values, because p is
incremented twice as much as it should in this random.c block:

	case RNDADDENTROPY:
		if (!capable(CAP_SYS_ADMIN))
			return -EPERM;
		if (get_user(ent_count, p++))
			return -EFAULT;
		if (ent_count < 0)
			return -EINVAL;
		if (get_user(size, p++))
			return -EFAULT;
		retval = write_pool(&input_pool, (const char __user *)p,
				    size);

That seems reasonable, but on aarch64, get_user is defined as:

#define get_user(x, ptr)						\
({									\
	might_sleep();							\
	access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) ?			\
		__get_user((x), (ptr)) :				\
		((x) = 0, -EFAULT);					\
})

Notice the multiple use of ptr.

I thought I had found something breathtakingly bad, until I realized
that it was already fixed in 2013 by Takahiro. It just wasn't marked
for stable.

Not sure if there's ever going to be another stable 3.10 release, but
if so, this would be an important one to backport.

Regards,
Jason
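
Added example, not part of Jason's mail and not code from the kernel tree: a userspace C model of the double evaluation described above. The access_ok(), __get_user() and the "user" buffer are constructed stand-ins (the kernel's real ones are not reproduced), the sample header words are made up, and the fixed macro uses the usual remedy of evaluating the pointer argument exactly once into a local; it is not a copy of any specific upstream commit. Running it shows the two effects that matter: with `p++` as the argument, the buggy macro reads the word after the one it validated (ent_count comes out as the "size" field, size as the first payload word, and the data pointer ends up two words too far), and the address access_ok() checked is not the address __get_user() dereferenced.

```c
/*
 * Added example (not from the mail or the kernel tree): model of a
 * get_user()-style macro that evaluates its pointer argument twice,
 * beside a form that evaluates it once, run against the RNDADDENTROPY
 * parsing sequence. All helpers and data here are constructed stand-ins.
 */
#include <stddef.h>
#include <stdio.h>

#define EFAULT 14

/* Constructed "user" memory. Layout follows the ioctl header: ent_count,
 * then size (in words here, for simplicity), then payload words. */
static int ubuf[8] = { 32, 2, 0x1111, 0x2222, 0x3333, 0x4444, 0x5555, 0x6666 };

/* Addresses recorded by the stand-ins so the check and the use can be
 * compared without ever dereferencing out of bounds. */
static const int *last_checked;
static const int *last_read;

/* Stand-in for access_ok(): valid only inside ubuf; records what it checked. */
static int access_ok(const int *p, size_t n)
{
	const char *c = (const char *)p;
	const char *lo = (const char *)ubuf;
	const char *hi = lo + sizeof(ubuf);

	last_checked = p;
	return c >= lo && c + n <= hi;
}

/* Stand-in for __get_user(): a function, so it evaluates ptr exactly once. */
static int __get_user_int(int *x, const int *ptr)
{
	last_read = ptr;
	*x = *ptr;
	return 0;
}
#define __get_user(x, ptr) __get_user_int(&(x), (ptr))

/* Buggy shape: ptr is evaluated in access_ok() and again in __get_user()
 * (the sizeof operand is not evaluated), so a p++ argument fires twice. */
#define get_user_buggy(x, ptr)						\
({									\
	access_ok((ptr), sizeof(*(ptr))) ?				\
		__get_user((x), (ptr)) :				\
		((x) = 0, -EFAULT);					\
})

/* Fixed shape: evaluate ptr once into a local and reuse that. */
#define get_user_fixed(x, ptr)						\
({									\
	__typeof__(ptr) __p = (ptr);					\
	access_ok(__p, sizeof(*__p)) ?					\
		__get_user((x), __p) :					\
		((x) = 0, -EFAULT);					\
})

struct parsed {
	int rc;
	int ent_count;
	int size;
	ptrdiff_t data_off;	/* word index where the payload is taken from */
};

/* Same sequence as the RNDADDENTROPY case: two get_user(..., p++), then p
 * is handed on as the data pointer. */
static struct parsed parse_buggy(void)
{
	struct parsed r = { 0 };
	int *p = ubuf;

	if (get_user_buggy(r.ent_count, p++)) { r.rc = -EFAULT; return r; }
	if (get_user_buggy(r.size, p++))      { r.rc = -EFAULT; return r; }
	r.data_off = p - ubuf;
	return r;
}

static struct parsed parse_fixed(void)
{
	struct parsed r = { 0 };
	int *p = ubuf;

	if (get_user_fixed(r.ent_count, p++)) { r.rc = -EFAULT; return r; }
	if (get_user_fixed(r.size, p++))      { r.rc = -EFAULT; return r; }
	r.data_off = p - ubuf;
	return r;
}

/* Words between the address access_ok() validated and the address that was
 * actually read in one call. 0 means the check covered the read. */
static ptrdiff_t check_use_gap_buggy(void)
{
	int *p = ubuf, v;
	(void)get_user_buggy(v, p++);
	return last_read - last_checked;
}

static ptrdiff_t check_use_gap_fixed(void)
{
	int *p = ubuf, v;
	(void)get_user_fixed(v, p++);
	return last_read - last_checked;
}

int main(void)
{
	struct parsed b = parse_buggy(), f = parse_fixed();

	printf("buggy: ent_count=%d size=%d data at word %td, check/use gap %td\n",
	       b.ent_count, b.size, b.data_off, check_use_gap_buggy());
	printf("fixed: ent_count=%d size=%d data at word %td, check/use gap %td\n",
	       f.ent_count, f.size, f.data_off, check_use_gap_fixed());
	return 0;
}
```

The check/use gap is the security-relevant part: a caller who passes a pointer with a side effect gets an access_ok() verdict for one address and a dereference of another, so the range check no longer protects the read. Statement expressions and `__typeof__` are GNU C, as in the kernel macro itself.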