Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86: fix off-by-one in access_ok()

When the size isn't a small constant, __access_ok() will call
valid_user_address() with the address after the last byte of the user
buffer.

It is valid for a buffer to end with the last valid user address so
valid_user_address() must allow accesses to the base of the guard page.

[ This introduces an off-by-one in the other direction for the plain
non-sized accesses, but since we have that guard region that is a
whole page, those checks "allowing" accesses to that guard region
don't really matter. The access will fault anyway, whether to the
guard page or if the address has been masked to all ones - Linus ]

Fixes: 86e6b1547b3d0 ("x86: fix user address masking non-canonical speculation issue")
Signed-off-by: David Laight <david.laight@aculab.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Authored by David Laight and committed by Linus Torvalds
573f45a9 43a43faf

+2 -2
arch/x86/kernel/cpu/common.c
··· 2389 2389 alternative_instructions(); 2390 2390 2391 2391 if (IS_ENABLED(CONFIG_X86_64)) { 2392 - unsigned long USER_PTR_MAX = TASK_SIZE_MAX-1; 2392 + unsigned long USER_PTR_MAX = TASK_SIZE_MAX; 2393 2393 2394 2394 /* 2395 2395 * Enable this when LAM is gated on LASS support 2396 2396 if (cpu_feature_enabled(X86_FEATURE_LAM)) 2397 - USER_PTR_MAX = (1ul << 63) - PAGE_SIZE - 1; 2397 + USER_PTR_MAX = (1ul << 63) - PAGE_SIZE; 2398 2398 */ 2399 2399 runtime_const_init(ptr, USER_PTR_MAX); 2400 2400
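
Review bot: The new `USER_PTR_MAX = TASK_SIZE_MAX;` assignment makes the constant hold the first address past user space (the base of the guard page) rather than the last valid user byte, and nothing at that line records it. A short comment above the assignment saying that the bound is deliberately the end address of a buffer that finishes on the last valid user byte, and that unsized accesses which now pass the check at that address rely on the guard page faulting, would stop a later reader from "correcting" it back to `TASK_SIZE_MAX-1`. The commented-out LAM branch is adjusted in step to `(1ul << 63) - PAGE_SIZE`, which keeps the two values consistent if that block is ever enabled. The comparison inside valid_user_address() is not part of this hunk, so it is worth confirming that it treats USER_PTR_MAX as an inclusive bound.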