x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation

mainline inclusion from mainline-5.1 commit 6ae865615fc4 category: bugfix bugzilla: 14433 CVE: NA ------------------------------------------------- The __put_user() macro evaluates it's @ptr argument inside the __uaccess_begin() / __uaccess_end() region. While this would normally not be expected to be an issue, an UBSAN bug (it ignored -fwrapv, fixed in GCC 8+) would transform the @ptr evaluation for: drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) { into a signed-overflow-UB check and trigger the objtool AC validation. Finish this commit: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation") and explicitly evaluate all 3 arguments early. Reported-by: N Randy Dunlap <rdunlap@infradead.org> Signed-off-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: N Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: luto@kernel.org Fixes: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation") Link: http://lkml.kernel.org/r/20190424072208.695962771@infradead.orgSigned-off-by: N Ingo Molnar <mingo@kernel.org> Signed-off-by: N Hongbo Yao <yaohongbo@huawei.com> ---- [conflicts] arch/x86/include/asm/uaccess.h Reviewed-by: N Xuefeng Wang <wxf.wang@hisilicon.com> Reviewed-by: N Chen Zhou <chenzhou10@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation
mainline inclusion from mainline-5.1 commit 6ae865615fc4 category: bugfix bugzilla: 14433 CVE: NA ------------------------------------------------- The __put_user() macro evaluates it's @ptr argument inside the __uaccess_begin() / __uaccess_end() region. While this would normally not be expected to be an issue, an UBSAN bug (it ignored -fwrapv, fixed in GCC 8+) would transform the @ptr evaluation for: drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) { into a signed-overflow-UB check and trigger the objtool AC validation. Finish this commit: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation") and explicitly evaluate all 3 arguments early. Reported-by: N Randy Dunlap <rdunlap@infradead.org> Signed-off-by: N Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Acked-by: N Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: luto@kernel.org Fixes: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value evaluation") Link: http://lkml.kernel.org/r/20190424072208.695962771@infradead.orgSigned-off-by: N Ingo Molnar <mingo@kernel.org> Signed-off-by: N Hongbo Yao <yaohongbo@huawei.com> ---- [conflicts] arch/x86/include/asm/uaccess.h Reviewed-by: N Xuefeng Wang <wxf.wang@hisilicon.com> Reviewed-by: N Chen Zhou <chenzhou10@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
ca67230a · Peter Zijlstra · Xie XiuQi · 77a1fb31 · ca67230a
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

arch/x86/include/asm/uaccess.h arch/x86/include/asm/uaccess.h +4 -3

未找到文件。
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -436,10 +436,11 @@ do {									\
 #define __put_user_nocheck(x, ptr, size)			\
 ({								\
 	int __pu_err;						\
-	__typeof__(*(ptr)) __pu_val;				\
+	__typeof__(*(ptr)) __pu_val = (x);			\
-	__pu_val = x;						\
+	__typeof__(ptr) __pu_ptr = (ptr);			\
+	__typeof__(size) __pu_size = (size);			\
 	__uaccess_begin();					\
-	__put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT);\
+	__put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_err, -EFAULT);\
 	__uaccess_end();					\
 	__builtin_expect(__pu_err, 0);				\
 })