[PATCH 3.16 044/132] x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation

Fri, 20 Sep 2019 07:36:35 -0700 

3.16.74-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <pet...@infradead.org>

commit 6ae865615fc43d014da2fd1f1bba7e81ee622d1b upstream.

The __put_user() macro evaluates it's @ptr argument inside the
__uaccess_begin() / __uaccess_end() region. While this would normally
not be expected to be an issue, an UBSAN bug (it ignored -fwrapv,
fixed in GCC 8+) would transform the @ptr evaluation for:

  drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, 
&urelocs[r-stack].presumed_offset))) {

into a signed-overflow-UB check and trigger the objtool AC validation.

Finish this commit:

  2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value 
evaluation")

and explicitly evaluate all 3 arguments early.

Reported-by: Randy Dunlap <rdun...@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Acked-by: Randy Dunlap <rdun...@infradead.org> # build-tested
Acked-by: Linus Torvalds <torva...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: l...@kernel.org
Fixes: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() 
value evaluation")
Link: http://lkml.kernel.org/r/20190424072208.695962...@infradead.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
 arch/x86/include/asm/uaccess.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -422,10 +422,11 @@ do {                                                      
                \
 #define __put_user_nocheck(x, ptr, size)                       \
 ({                                                             \
        int __pu_err;                                           \
-       __typeof__(*(ptr)) __pu_val;                            \
-       __pu_val = x;                                           \
+       __typeof__(*(ptr)) __pu_val = (x);                      \
+       __typeof__(ptr) __pu_ptr = (ptr);                       \
+       __typeof__(size) __pu_size = (size);                    \
        __uaccess_begin();                                      \
-       __put_user_size(__pu_val, (ptr), (size), __pu_err, -EFAULT); \
+       __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_err, -EFAULT); \
        __uaccess_end();                                        \
        __pu_err;                                               \
 })

Reply via email to