[tip:core/objtool] x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation

Wed, 24 Apr 2019 04:11:13 -0700 

Commit-ID:  6ae865615fc43d014da2fd1f1bba7e81ee622d1b
Gitweb:     https://git.kernel.org/tip/6ae865615fc43d014da2fd1f1bba7e81ee622d1b
Author:     Peter Zijlstra <pet...@infradead.org>
AuthorDate: Wed, 24 Apr 2019 09:19:24 +0200
Committer:  Ingo Molnar <mi...@kernel.org>
CommitDate: Wed, 24 Apr 2019 12:19:45 +0200

x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation

The __put_user() macro evaluates it's @ptr argument inside the
__uaccess_begin() / __uaccess_end() region. While this would normally
not be expected to be an issue, an UBSAN bug (it ignored -fwrapv,
fixed in GCC 8+) would transform the @ptr evaluation for:

  drivers/gpu/drm/i915/i915_gem_execbuffer.c: if (unlikely(__put_user(offset, 
&urelocs[r-stack].presumed_offset))) {

into a signed-overflow-UB check and trigger the objtool AC validation.

Finish this commit:

  2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() value 
evaluation")

and explicitly evaluate all 3 arguments early.

Reported-by: Randy Dunlap <rdun...@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>
Acked-by: Randy Dunlap <rdun...@infradead.org> # build-tested
Acked-by: Linus Torvalds <torva...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: l...@kernel.org
Fixes: 2a418cf3f5f1 ("x86/uaccess: Don't leak the AC flag into __put_user() 
value evaluation")
Link: http://lkml.kernel.org/r/20190424072208.695962...@infradead.org
Signed-off-by: Ingo Molnar <mi...@kernel.org>
---
 arch/x86/include/asm/uaccess.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 5ca7b91faf67..bb21913885a3 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -427,10 +427,11 @@ do {                                                      
                \
 ({                                                             \
        __label__ __pu_label;                                   \
        int __pu_err = -EFAULT;                                 \
-       __typeof__(*(ptr)) __pu_val;                            \
-       __pu_val = x;                                           \
+       __typeof__(*(ptr)) __pu_val = (x);                      \
+       __typeof__(ptr) __pu_ptr = (ptr);                       \
+       __typeof__(size) __pu_size = (size);                    \
        __uaccess_begin();                                      \
-       __put_user_size(__pu_val, (ptr), (size), __pu_label);   \
+       __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label);     \
        __pu_err = 0;                                           \
 __pu_label:                                                    \
        __uaccess_end();                                        \

Reply via email to