Hi stable/arm/Willy,
1f65c13efef69b6dc908e588f91a133641d8475c is an important commit, because it involves evaluation of pointers from userspace. I'm running into issues with RNDADDTOENTCNT reading bogus values, because p is incremented twice as much as it should in this random.c block:
    case RNDADDENTROPY:
        if (!capable(CAP_SYS_ADMIN))
            return -EPERM;
        if (get_user(ent_count, p++))
            return -EFAULT;
        if (ent_count < 0)
            return -EINVAL;
        if (get_user(size, p++))
            return -EFAULT;
        retval = write_pool(&input_pool, (const char __user *)p, size);
That seems reasonable, but on aarch64, get_user is defined as:
    #define get_user(x, ptr)                                    \
    ({                                                          \
        might_sleep();                                          \
        access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) ?         \
            __get_user((x), (ptr)) :                            \
            ((x) = 0, -EFAULT);                                 \
    })
Notice the multiple use of ptr.
I thought I had found something breathtakingly bad, until I realized that it was already fixed in 2013 by Takahiro. It just wasn't marked for stable.
Not sure if there's ever going to be another stable 3.10 release, but if so, this would be an important one to backport.
Regards, Jason
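As an added illustration (not code from either mail, nor the kernel's own), here is a constructed stand-in for the double-evaluating macro next to a single-evaluation form, both applied to the same get_user(ent_count, p++) / get_user(size, p++) sequence from the RNDADDENTROPY handler; user_mem, in_range() and the parse_* helpers are assumptions standing in for user memory, access_ok() and the ioctl code.

```c
#include <stddef.h>

/* Constructed "user" memory laid out like the RNDADDENTROPY argument:
 * ent_count, size, then the entropy words. */
static const int user_mem[] = { 7, 2, 0x11111111, 0x22222222 };

/* Stand-in for access_ok(): is [p, p + len) inside the fake user range? */
static int in_range(const void *p, size_t len)
{
    const char *c = p, *base = (const char *)user_mem;
    return c >= base && c + len <= base + sizeof(user_mem);
}

/* Same shape as the quoted aarch64 macro: `ptr` is expanded twice (range
 * check, then load), so a side-effecting argument such as p++ runs twice.
 * The sizeof use is harmless because sizeof does not evaluate its operand. */
#define GET_USER_BUGGY(x, ptr) \
    (in_range((ptr), sizeof(*(ptr))) ? ((x) = *(ptr), 0) : ((x) = 0, -1))

/* Single-evaluation form (GNU statement expression, as kernel macros use):
 * the argument is captured once into a local before any other use. */
#define GET_USER_FIXED(x, ptr) ({                                        \
    __typeof__(ptr) __gu_p = (ptr);                                     \
    in_range(__gu_p, sizeof(*__gu_p)) ? ((x) = *__gu_p, 0)              \
                                      : ((x) = 0, -1); })

struct parsed { int ent_count; int size; ptrdiff_t data_index; };

/* The RNDADDENTROPY sequence: get_user(ent_count, p++), get_user(size, p++);
 * afterwards p should point at user_mem[2], the start of the entropy data. */
static struct parsed parse_buggy(void)
{
    const int *p = user_mem;
    struct parsed r = { 0, 0, 0 };
    if (GET_USER_BUGGY(r.ent_count, p++) || GET_USER_BUGGY(r.size, p++))
        return r;                      /* -EFAULT in the kernel */
    r.data_index = p - user_mem;
    return r;
}

static struct parsed parse_fixed(void)
{
    const int *p = user_mem;
    struct parsed r = { 0, 0, 0 };
    if (GET_USER_FIXED(r.ent_count, p++) || GET_USER_FIXED(r.size, p++))
        return r;
    r.data_index = p - user_mem;
    return r;
}
```

With the double-evaluating macro, ent_count comes back as 2 (the size field), size as the last data word, and p ends up past the end of the buffer; the single-evaluation form yields 7, 2 and p at index 2.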
Hi Jason,
On Fri, Dec 01, 2017 at 04:57:26PM +0100, Jason A. Donenfeld wrote:
> Not sure if there's ever going to be another stable 3.10 release, but if so, this would be an important one to backport.
Thanks for the heads up but unfortunately there's not going to be any more 3.10, it's been announced as EOL soon since last January or so, and definitely so with 3.10.108.
Your finding may interest distros still maintaining their own 3.10 though.
Thanks, Willy
linux-stable-mirror@lists.linaro.org