[4.1 backport trouble] Re: BUGreport: fix minor infoleak in get_user_ex()

From: Al Viro
Date: Thu Oct 27 2016 - 22:02:17 EST


On Fri, Oct 28, 2016 at 01:03:55AM +0100, Al Viro wrote:

> On Thu, Oct 27, 2016 at 03:32:10PM -0400, Joe Korty wrote:
[oops in 4.1.35, bisected to 319fe1151940]
> > The following test program can be used to trigger the problem:
> >
> > /* gcc -m32 c.c -o c */
> > #define _GNU_SOURCE
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <errno.h>
> > #include <sys/syscall.h>
> >
> > #define rt_sigqueueinfo 178	/* __NR_rt_sigqueueinfo on i386 */
> >
> > int main(int argc, char **argv) {
> > 	/* NULL siginfo pointer: exercises the get_user_ex() fault path */
> > 	int stat = syscall(rt_sigqueueinfo, 0, 0, 0, 0, 0, 0);
> > 	printf("syscall(%d): stat: %d, errno: %d\n",
> > 	       rt_sigqueueinfo, stat, errno);
> > 	return 0;
> > }
> >
> > This is under 4.1.35 on x86_64.
>
> AFAICS, it steps on _ASM_EXTABLE_EX being more brittle in 4.1 - it pretty
> much has to have the handler on the next insn after the faulting one, or
> the resulting extable entry won't be recognized. This
> "x86/mm: Expand the exception table logic to allow new handling options"
> in mainline is where that requirement has disappeared. I think we
> ought to use the plain _ASM_EXTABLE and just call something that would
> set current_thread_info()->uaccess_err directly from the fixup code there.
> That, or backport the commit switching to less brittle extables.

... and frankly, backporting 548acf19234d would be my preference. It's a bit
more intrusive than needed (_ASM_EXTABLE_FAULT is used only in memcpy_mcsafe(),
which is used only by pmem and it's the only reason for passing the trap
number to fixup_exception()), but AFAICS it's fairly safe. Objections?
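A user-space model of the two exception-table encodings, added here for illustration; it is not code from this thread nor from the kernel. The 0x7ffffff0 bias, the signed 32-bit comparison in fixup_exception() and the three-field layout with a handler follow my reading of the 4.1 and post-548acf19234d sources and are assumptions (check them against the tree you backport to); the addresses are constructed. It shows why an _ASM_EXTABLE_EX entry whose fixup sits in .fixup instead of on the next instruction is misread by the 4.1 lookup, and why the handler field removes that constraint.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ---- 4.1 style: two signed self-relative offsets, no handler field ---- */
struct ex41 {
	int32_t insn;	/* ".long (from) - ."                  */
	int32_t fixup;	/* ".long (to) - . [+ EX_BIAS]"        */
};

/* Bias _ASM_EXTABLE_EX adds so fixup_exception() can tell the entry apart (assumed from 4.1) */
#define EX_BIAS 0x7ffffff0u

/* What the assembler emits for _ASM_EXTABLE_EX(from, to) at address entry_addr */
static struct ex41 ex41_make_ex(uint64_t entry_addr, uint64_t from, uint64_t to)
{
	struct ex41 e;
	e.insn  = (int32_t)(uint32_t)(from - entry_addr);
	e.fixup = (int32_t)(uint32_t)(to - (entry_addr + 4) + EX_BIAS);
	return e;
}

/* fixup_exception() as in 4.1: the "is this an _EX entry" test is a signed
 * 32-bit subtraction, so the bias leaves only a few bytes of headroom between
 * the faulting insn and its fixup before the sign bit flips. */
static uint64_t ex41_fixup(uint64_t entry_addr, const struct ex41 *e, bool *uaccess_err)
{
	uint64_t new_ip = entry_addr + 4 + (int64_t)e->fixup;			/* ex_fixup_addr() */
	int32_t delta = (int32_t)((uint32_t)e->fixup - (uint32_t)e->insn);	/* wrapping arithmetic */

	*uaccess_err = false;
	if (delta >= (int32_t)(EX_BIAS - 4)) {
		*uaccess_err = true;		/* current_thread_info()->uaccess_err = 1 */
		new_ip -= EX_BIAS;
	}
	return new_ip;
}

/* ---- post-548acf19234d style: a third field names the handler ---- */
typedef uint64_t (*ex_handler_t)(uint64_t fixup_addr, bool *uaccess_err);

struct ex_new {
	int32_t insn;		/* (from) - . */
	int32_t fixup;		/* (to) - .   plain offset, no bias */
	ex_handler_t handler;	/* real entry stores a self-relative offset to the handler */
};

/* ex_handler_ext(): the uaccess_err case, now explicit instead of encoded in the offset */
static uint64_t ex_handler_ext(uint64_t fixup_addr, bool *uaccess_err)
{
	*uaccess_err = true;
	return fixup_addr;
}

static struct ex_new ex_new_make(uint64_t entry_addr, uint64_t from, uint64_t to, ex_handler_t h)
{
	struct ex_new e;
	e.insn    = (int32_t)(uint32_t)(from - entry_addr);
	e.fixup   = (int32_t)(uint32_t)(to - (entry_addr + 4));
	e.handler = h;
	return e;
}

static uint64_t ex_new_fixup(uint64_t entry_addr, const struct ex_new *e, bool *uaccess_err)
{
	*uaccess_err = false;
	return e->handler(entry_addr + 4 + (int64_t)e->fixup, uaccess_err);
}

/* Round trips: true only if the lookup both flagged uaccess_err and landed on `to` */
static bool ex41_roundtrip_ok(uint64_t entry_addr, uint64_t from, uint64_t to)
{
	struct ex41 e = ex41_make_ex(entry_addr, from, to);
	bool err;
	uint64_t ip = ex41_fixup(entry_addr, &e, &err);
	return err && ip == to;
}

static bool ex_new_roundtrip_ok(uint64_t entry_addr, uint64_t from, uint64_t to)
{
	struct ex_new e = ex_new_make(entry_addr, from, to, ex_handler_ext);
	bool err;
	uint64_t ip = ex_new_fixup(entry_addr, &e, &err);
	return err && ip == to;
}

int main(void)
{
	const uint64_t entry = 0x9000, from = 0x1000;	/* constructed addresses */
	printf("4.1 lookup, fixup on next insn : %s\n", ex41_roundtrip_ok(entry, from, from + 2) ? "recognised" : "MISREAD");
	printf("4.1 lookup, fixup in .fixup    : %s\n", ex41_roundtrip_ok(entry, from, 0x20000) ? "recognised" : "MISREAD");
	printf("new lookup, fixup in .fixup    : %s\n", ex_new_roundtrip_ok(entry, from, 0x20000) ? "recognised" : "MISREAD");
	return 0;
}
```

In this model the 4.1 lookup only recognises the entry while the fixup lies within about 19 bytes after the faulting instruction, which is what makes the "xor; jmp 2b" fixup in .fixup from the infoleak patch land at a bogus ip on 4.1; with a handler field the distance is irrelevant, which is why backporting the extable rework removes the need for a next-insn fixup.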