On Tue, Nov 14, 2017 at 01:52:14PM +0000, Catalin Marinas wrote:
On Mon, Nov 13, 2017 at 07:05:12PM +0000, Ben Hutchings wrote:
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
I agree. In 4.4 dump_instr() doesn't do any checks, just set_fs(KERNEL_DS) and __get_user(). While commit c5cea06b was added to fix 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override"; merged in 4.6), it also makes sense on its own as a security improvement for 4.4.
Mark is currently on holiday but he'll follow up next week if any patches need back-porting.
I accidentally glanced at my gmail filter this morning; so I can reply today. ;)
I agree that we need both patches. On its own (in the absence of PAN/UAO), 57f4959bad0a154a wouldn't have any effect, but it is critical to ensure that we can dump kernel instructions when we intend to, with 7a7003b1da010d2b backported.
Backporting 57f4959bad0a154a as a prerequisite makes sense to me.
I hadn't realised you could list prerequisites in a stable Cc -- I'll try to do that in future.
Thanks, Mark.