• D
    x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels · 46561c39
    Dave Hansen 提交于
    When you call get_user(foo, bar), you effectively do a
    
    	copy_from_user(&foo, bar, sizeof(*bar));
    
    Note that the sizeof() is implicit.
    
    When we reach out to userspace to try to zap an entire "bounds
    table" we need to go read a "bounds directory entry" in order to
    locate the table's address.  The size of a "directory entry"
    depends on the binary being run and is always the size of a
    pointer.
    
    But, when we have a 64-bit kernel and a 32-bit application, the
    directory entry is still only 32-bits long, but we fetch it with
    a 64-bit pointer which makes get_user() does a 64-bit fetch.
    Reading 4 extra bytes isn't harmful, unless we are at the end of
    and run off the table.  It might also cause the zero page to get
    faulted in unnecessarily even if you are not at the end.
    
    Fix it up by doing a special 32-bit get_user() via a cast when
    we have 32-bit userspace.
    Signed-off-by: NDave Hansen <dave.hansen@linux.intel.com>
    Cc: <stable@vger.kernel.org>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Dave Hansen <dave@sr71.net>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
    46561c39
mpx.c 27.7 KB