x86: fix off-by-one in access_ok()
[ Upstream commit 573f45a9f9a47fed4c7957609689b772121b33d7 ]
When the size isn't a small constant, __access_ok() will call
valid_user_address() with the address after the last byte of the user
buffer.
It is valid for a buffer to end with the last valid user address so
valid_user_address() must allow accesses to the base of the guard page.
[ This introduces an off-by-one in the other direction for the plain
non-sized accesses, but since we have that guard region that is a
whole page, those checks "allowing" accesses to that guard region
don't really matter. The access will fault anyway, whether to the
guard page or if the address has been masked to all ones - Linus ]
Fixes: 86e6b1547b ("x86: fix user address masking non-canonical speculation issue")
Signed-off-by: David Laight <david.laight@aculab.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
David Laight
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
f32869876e
commit
964b522a25
@@ -2392,12 +2392,12 @@ void __init arch_cpu_finalize_init(void)
|
||||
alternative_instructions();
|
||||
|
||||
if (IS_ENABLED(CONFIG_X86_64)) {
|
||||
unsigned long USER_PTR_MAX = TASK_SIZE_MAX-1;
|
||||
unsigned long USER_PTR_MAX = TASK_SIZE_MAX;
|
||||
|
||||
/*
|
||||
* Enable this when LAM is gated on LASS support
|
||||
if (cpu_feature_enabled(X86_FEATURE_LAM))
|
||||
USER_PTR_MAX = (1ul << 63) - PAGE_SIZE - 1;
|
||||
USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;
|
||||
*/
|
||||
runtime_const_init(ptr, USER_PTR_MAX);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user