[Trusty->Yakkety] powerpc/64: Fix incorrect return value from __copy_tofrom_user

Bug #1632462 reported by Leann Ogasawara on 2016-10-11
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Seth Forshee
Trusty
High
Seth Forshee
Xenial
High
Seth Forshee
Yakkety
High
Seth Forshee

Bug Description

== SRU Justification ==
Impacts all releases from Trusty through Yakkety

http://paste.ubuntu.com/23309548/

From ca47910e3b549501b6a3ff786174d2f0d4748ccf Mon Sep 17 00:00:00 2001
From: Paul Mackerras <email address hidden>
Date: Tue, 11 Oct 2016 22:18:58 +1100
Subject: [PATCH] powerpc/64: Fix incorrect return value from__copy_tofrom_user

Debugging a data corruption issue with virtio-net/vhost-net led to
the observation that __copy_tofrom_user was occasionally returning
a value 16 larger than it should. Since the return value from
__copy_tofrom_user is the number of bytes not copied, this means
that __copy_tofrom_user can occasionally return a value larger
than the number of bytes it was asked to copy. In turn this can
cause higher-level copy functions such as copy_page_to_iter_iovec
to corrupt memory by copying data into the wrong memory locations.

It turns out that the failing case involves a fault on the store
at label 79, and at that point the first unmodified byte of the
destination is at R3 + 16. Consequently the exception handler
for that store needs to add 16 to R3 before using it to work out
how many bytes were not copied, but in this one case it was not
adding the offset to R3. To fix it, this moves the label 179 to
the point where we add 16 to R3. I have checked manually all the
exception handlers for the loads and stores in this code and the
rest of them are correct (it would be excellent to have an
automated test of all the exception cases).

Signed-off-by: Paul Mackerras <email address hidden>
---
 arch/powerpc/lib/copyuser_64.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/lib/copyuser_64.S b/arch/powerpc/lib/copyuser_64.S
index f09899e..7b22624 100644
--- a/arch/powerpc/lib/copyuser_64.S
+++ b/arch/powerpc/lib/copyuser_64.S
@@ -359,6 +359,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
  addi r3,r3,8
 171:
 177:
+179:
  addi r3,r3,8
 370:
 372:
@@ -373,7 +374,6 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
 173:
 174:
 175:
-179:
 181:
 184:
 186:
--
2.7.4

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1632462

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: trusty
tags: added: bot-stop-nagging kernel-da-key
Seth Forshee (sforshee) on 2016-10-11
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: Incomplete → Fix Committed
Changed in linux (Ubuntu Xenial):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → Fix Committed
Changed in linux (Ubuntu Trusty):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → Fix Committed
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
tags: added: verification-needed-xenial
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
Seth Forshee (sforshee) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Brad Figg (brad-figg) on 2016-11-07
tags: added: verification-done-xenial verification-done-yakkety
removed: verification-needed-xenial verification-needed-yakkety
Brad Figg (brad-figg) on 2016-11-07
tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :
Download full text (12.7 KiB)

This bug was fixed in the package linux - 3.13.0-101.148

---------------
linux (3.13.0-101.148) trusty; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635430

  * [arm64] nova instances can't boot with 3.13.0-92 (LP: #1608854)
    - Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog
      calls"
    - Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()"
    - Revert "x86/efi: Store upper bits of command line buffer address in
      ext_cmd_line_ptr"
    - Revert "efivarfs: Ensure VariableName is NUL-terminated"
    - Revert "efi/libstub: Fix boundary checking in efi_high_alloc()"
    - Revert "arm64: efi: only attempt efi map setup if booting via EFI"
    - Revert "UBUNTU: arm64: Implement efi_enabled()"
    - Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled"
    - Revert "doc: arm64: add description of EFI stub support"
    - Revert "UBUNTU: Move get_dram_base to arm private file"
    - Revert "arm64: efi: add EFI stub"
    - Revert "arm64: add EFI runtime services"
    - Revert "efi: Add shared FDT related functions for ARM/ARM64"
    - Revert "efi: add helper function to get UEFI params from FDT"
    - Revert "doc: efi-stub.txt updates for ARM"
    - Revert "efi: Add get_dram_base() helper function"
    - Revert "efi: create memory map iteration helper"
    - Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to
      pci_vga_fixup()"
    - Revert "firmware: Do not use WARN_ON(!spin_is_locked())"
    - Revert "efi-pstore: Fix an overflow on 32-bit builds"
    - Revert "x86/efi: Fix 32-bit fallout"
    - Revert "x86/efi: Check krealloc return value"
    - Revert "x86/efi: Runtime services virtual mapping"
    - Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation"
    - x86/efi: Simplify EFI_DEBUG
    - x86/efi: Runtime services virtual mapping
    - x86/efi: Check krealloc return value
    - SAUCE: Merge tag 'efi-next' of
      git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/efi
    - doc: Fix trivial spelling mistake in efi-stub.txt
    - x86/efi: Remove unused variables in __map_region()
    - x86/efi: Add a wrapper function efi_map_region_fixed()
    - x86/efi: Fix off-by-one bug in EFI Boot Services reservation
    - x86/efi: Cleanup efi_enter_virtual_mode() function
    - efi: Export more EFI table variables to sysfs
    - [Config] CONFIG_EFI_RUNTIME_MAP=y
    - efi: Export EFI runtime memory mapping to sysfs
    - x86/efi: Pass necessary EFI data for kexec via setup_data
    - x86/efi: Delete superfluous global variables
    - x86/efi: parse_efi_setup() build fix
    - SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts
    - x86/efi: Allow mapping BGRT on x86-32
    - x86/efi: Fix 32-bit fallout
    - x86/efi: Check status field to validate BGRT header
    - x86/efi: Quirk out SGI UV
    - v3.14 - Bacported EFI up to v3.14
    - efi: Move facility flags to struct efi
    - efi: Set feature flags inside feature init functions
    - efivarfs: 'efivarfs_file_write' function reorganization
    - x86/efi: Delete out-of-date comments of efi_query_variable_store
    - x86/efi: Style neatening
    - x8...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-47.68

---------------
linux (4.4.0-47.68) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1636941

  * Add a driver for Amazon Elastic Network Adapters (ENA) (LP: #1635721)
    - lib/bitmap.c: conversion routines to/from u32 array
    - net: ethtool: add new ETHTOOL_xLINKSETTINGS API
    - net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)
    - [config] enable CONFIG_ENA_ETHERNET=m (Amazon ENA driver)

  * unexpectedly large memory usage of mounted snaps (LP: #1636847)
    - [Config] switch squashfs to single threaded decode

 -- Kamal Mostafa <email address hidden> Wed, 26 Oct 2016 10:47:55 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package linux - 4.8.0-27.29

---------------
linux (4.8.0-27.29) yakkety; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635377

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - SAUCE: KEYS: ensure xbuf is large enough to fix buffer overflow in
      proc_keys_show (LP: #1634496)

  * Revert "If zone is so small that watermarks are the same, stop zone balance"
    in yakkety (LP: #1632894)
    - Revert "UBUNTU: SAUCE: (no-up) If zone is so small that watermarks are the
      same, stop zone balance."

  * lts-yakkety 4.8 cannot mount lvm raid1 (LP: #1631298)
    - SAUCE: (no-up) dm raid: fix compat_features validation

  * kswapd0 100% CPU usage (LP: #1518457)
    - SAUCE: (no-up) If zone is so small that watermarks are the same, stop zone
      balance.

  * [Trusty->Yakkety] powerpc/64: Fix incorrect return value from
    __copy_tofrom_user (LP: #1632462)
    - SAUCE: (no-up) powerpc/64: Fix incorrect return value from
      __copy_tofrom_user

  * Ubuntu 16.10: Oops panic in move_page_tables/page_remove_rmap after running
    memory_stress_ng. (LP: #1628976)
    - SAUCE: (no-up) powerpc/pseries: Fix stack corruption in htpe code

  * Paths not failed properly when unmapping virtual FC ports in VIOS (using
    ibmvfc) (LP: #1632116)
    - scsi: ibmvfc: Fix I/O hang when port is not mapped

  * [Ubuntu16.10]KV4.8: kernel livepatch config options are not set
    (LP: #1626983)
    - [Config] Enable live patching on powerpc/ppc64el

  * CONFIG_AUFS_XATTR is not set (LP: #1557776)
    - [Config] CONFIG_AUFS_XATTR=y

  * Yakkety update to 4.8.1 stable release (LP: #1632445)
    - arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP
    - Using BUG_ON() as an assert() is _never_ acceptable
    - usb: misc: legousbtower: Fix NULL pointer deference
    - Staging: fbtft: Fix bug in fbtft-core
    - usb: usbip: vudc: fix left shift overflow
    - USB: serial: cp210x: Add ID for a Juniper console
    - Revert "usbtmc: convert to devm_kzalloc"
    - ALSA: hda - Adding one more ALC255 pin definition for headset problem
    - ALSA: hda - Fix headset mic detection problem for several Dell laptops
    - ALSA: hda - Add the top speaker pin config for HP Spectre x360
    - Linux 4.8.1

  * PSL data cache should be flushed before resetting CAPI adapter
    (LP: #1632049)
    - cxl: Flush PSL cache before resetting the adapter

  * thunder nic: avoid link delays due to RX_PACKET_DIS (LP: #1630038)
    - net: thunderx: Don't set RX_PACKET_DIS while initializing

  * crypto/vmx/p8_ghash memory corruption (LP: #1630970)
    - crypto: ghash-generic - move common definitions to a new header file
    - crypto: vmx - Fix memory corruption caused by p8_ghash
    - crypto: vmx - Ensure ghash-generic is enabled

  * arm64: SPCR console not autodetected (LP: #1630311)
    - of/serial: move earlycon early_param handling to serial
    - [Config] CONFIG_ACPI_SPCR_TABLE=y
    - ACPI: parse SPCR and enable matching console
    - ARM64: ACPI: enable ACPI_SPCR_TABLE
    - serial: pl011: add console matching function

  * include/linux/security.h header syntax error with !CONFIG_SECURITYFS
...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-30.32

---------------
linux (4.8.0-30.32) yakkety; urgency=low

  * CVE-2016-8655 (LP: #1646318)
    - packet: fix race condition in packet_set_ring

 -- Brad Figg <email address hidden> Thu, 01 Dec 2016 08:02:53 -0800

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers