• Dave Hansen's avatar
    x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels · abaae23a
    Dave Hansen authored
    commit 46561c39 upstream.
    
    When you call get_user(foo, bar), you effectively do a
    
    	copy_from_user(&foo, bar, sizeof(*bar));
    
    Note that the sizeof() is implicit.
    
    When we reach out to userspace to try to zap an entire "bounds
    table" we need to go read a "bounds directory entry" in order to
    locate the table's address.  The size of a "directory entry"
    depends on the binary being run and is always the size of a
    pointer.
    
    But, when we have a 64-bit kernel and a 32-bit application, the
    directory entry is still only 32-bits long, but we fetch it with
    a 64-bit pointer which makes get_user() does a 64-bit fetch.
    Reading 4 extra bytes isn't harmful, unless we are at the end of
    and run off the table.  It might also cause the zero page to get
    faulted in unnecessarily even if you are not at the end.
    
    Fix it up by doing a special 32-bit get_user() via a cast when
    we have 32-bit userspace.
    Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Dave Hansen <dave@sr71.net>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
    Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
    abaae23a
mpx.c 25.3 KB