Re: [PATCH] x86/uaccess: Fix missed zeroing of ia32 u64 get_user() range checking
From: David Gow
Date: Tue Jun 11 2024 - 02:14:29 EST
On Tue, 11 Jun 2024 at 05:02, Kees Cook <kees@xxxxxxxxxx> wrote:
>
> When reworking the range checking for get_user(), the get_user_8() case
> on 32-bit wasn't zeroing the high register. (The jump to bad_get_user_8
> was accidentally dropped.) Restore the correct error handling
> destination (and rename the jump to using the expected ".L" prefix).
>
> While here, switch to using a named argument ("size") for the call
> template ("%c4" to "%c[size]") as already used in the other call
> templates in this file.
>
> Found after moving the usercopy selftests to KUnit:
>
> # usercopy_test_invalid: EXPECTATION FAILED at
> lib/usercopy_kunit.c:278
> Expected val_u64 == 0, but
> val_u64 == -60129542144 (0xfffffff200000000)
>
> Reported-by: David Gow <davidgow@xxxxxxxxxx>
> Closes: https://lore.kernel.org/all/CABVgOSn=tb=Lj9SxHuT4_9MTjjKVxsq-ikdXC4kGHO4CfKVmGQ@xxxxxxxxxxxxxx
> Fixes: b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()")
> Signed-off-by: Kees Cook <kees@xxxxxxxxxx>
> ---
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: x86@xxxxxxxxxx
> Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
> Cc: Sean Christopherson <seanjc@xxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Arnd Bergmann <arnd@xxxxxxxx>
> Cc: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
> Cc: Qiuxu Zhuo <qiuxu.zhuo@xxxxxxxxx>
> Cc: Nadav Amit <nadav.amit@xxxxxxxxx>
> Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> ---
Thanks: this fixes it here, both under qemu and on real hardware.
Tested-by: David Gow <davidgow@xxxxxxxxxx>
-- David
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature