← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1632462] Re: [Trusty->Yakkety] powerpc/64: Fix incorrect return value from __copy_tofrom_user

 

This bug was fixed in the package linux - 4.8.0-30.32

---------------
linux (4.8.0-30.32) yakkety; urgency=low

  * CVE-2016-8655 (LP: #1646318)
    - packet: fix race condition in packet_set_ring

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Thu, 01 Dec 2016 08:02:53 -0800

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-8655

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1632462

Title:
  [Trusty->Yakkety] powerpc/64: Fix incorrect return value from
  __copy_tofrom_user

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  == SRU Justification ==
  Impacts all releases from Trusty through Yakkety

  http://paste.ubuntu.com/23309548/

  From ca47910e3b549501b6a3ff786174d2f0d4748ccf Mon Sep 17 00:00:00 2001
  From: Paul Mackerras <paulus@xxxxxxxxxx>
  Date: Tue, 11 Oct 2016 22:18:58 +1100
  Subject: [PATCH] powerpc/64: Fix incorrect return value from__copy_tofrom_user

  Debugging a data corruption issue with virtio-net/vhost-net led to
  the observation that __copy_tofrom_user was occasionally returning
  a value 16 larger than it should.  Since the return value from
  __copy_tofrom_user is the number of bytes not copied, this means
  that __copy_tofrom_user can occasionally return a value larger
  than the number of bytes it was asked to copy.  In turn this can
  cause higher-level copy functions such as copy_page_to_iter_iovec
  to corrupt memory by copying data into the wrong memory locations.

  It turns out that the failing case involves a fault on the store
  at label 79, and at that point the first unmodified byte of the
  destination is at R3 + 16.  Consequently the exception handler
  for that store needs to add 16 to R3 before using it to work out
  how many bytes were not copied, but in this one case it was not
  adding the offset to R3.  To fix it, this moves the label 179 to
  the point where we add 16 to R3.  I have checked manually all the
  exception handlers for the loads and stores in this code and the
  rest of them are correct (it would be excellent to have an
  automated test of all the exception cases).

  Signed-off-by: Paul Mackerras <paulus@xxxxxxxxxx>
  ---
   arch/powerpc/lib/copyuser_64.S | 2 +-
   1 file changed, 1 insertion(+), 1 deletion(-)

  diff --git a/arch/powerpc/lib/copyuser_64.S b/arch/powerpc/lib/copyuser_64.S
  index f09899e..7b22624 100644
  --- a/arch/powerpc/lib/copyuser_64.S
  +++ b/arch/powerpc/lib/copyuser_64.S
  @@ -359,6 +359,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
   	addi	r3,r3,8
   171:
   177:
  +179:
   	addi	r3,r3,8
   370:
   372:
  @@ -373,7 +374,6 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
   173:
   174:
   175:
  -179:
   181:
   184:
   186:
  -- 
  2.7.4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1632462/+subscriptions