review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Thomas Gleixner <tglx@linutronix.de>
	Wed, 23 Jun 2021 12:01:36 +0000 (14:01 +0200)
committer	Borislav Petkov <bp@suse.de>
	Wed, 23 Jun 2021 15:49:46 +0000 (17:49 +0200)
commit	43be46e89698a41dbf4fff81a322f4c2ae21b5e2
tree	f5db3fd5782445fb0a61d4bf78634789e10fa393	tree \| snapshot
parent	07d6688b22e09be465652cf2da0da6bf86154df6	commit \| diff

x86/fpu: Sanitize xstateregs_set()

xstateregs_set() operates on a stopped task and tries to copy the provided
buffer into the task's fpu.state.xsave buffer.

Any error while copying or invalid state detected after copying results in
wiping the target task's FPU state completely including supervisor states.

That's just wrong. The caller supplied invalid data or has a problem with
unmapped memory, so there is absolutely no justification to corrupt the
target state.

Fix this with the following modifications:

1) If data has to be copied from userspace, allocate a buffer and copy from
user first.

2) Use copy_kernel_to_xstate() unconditionally so that header checking
works correctly.

3) Return on error without corrupting the target state.

This prevents corrupting states and lets the caller deal with the problem
it caused in the first place.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20210623121452.214903673@linutronix.de

arch/x86/include/asm/fpu/xstate.h		diff \| blob \| history
arch/x86/kernel/fpu/regset.c		diff \| blob \| history
arch/x86/kernel/fpu/xstate.c		diff \| blob \| history