diff options
| author | Andy Lutomirski <luto@amacapital.net> | 2014-11-01 01:08:45 (GMT) |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-11-01 01:47:09 (GMT) |
| commit | 653bc77af60911ead1f423e588f54fc2547c4957 (patch) | |
| tree | c1e404d37868318063fcb6f57d40346b0c1a131d /drivers/acpi/sleep.c | |
| parent | 32e8fd2f8eac3262e7000d9a219d70ace10e0adf (diff) | |
| download | linux-653bc77af60911ead1f423e588f54fc2547c4957.tar.xz | |
x86_64, entry: Fix out of bounds read on sysenter
Rusty noticed a Really Bad Bug (tm) in my NT fix. The entry code
reads out of bounds, causing the NT fix to be unreliable. But, and
this is much, much worse, if your stack is somehow just below the
top of the direct map (or a hole), you read out of bounds and crash.
Excerpt from the crash:
[ 1.129513] RSP: 0018:ffff88001da4bf88 EFLAGS: 00010296
2b:* f7 84 24 90 00 00 00 testl $0x4000,0x90(%rsp)
That read is deterministically above the top of the stack. I
thought I even single-stepped through this code when I wrote it to
check the offset, but I clearly screwed it up.
Fixes: 8c7aa698baca ("x86_64, entry: Filter RFLAGS.NT on entry from userspace")
Reported-by: Rusty Russell <rusty@ozlabs.org>
Cc: stable@vger.kernel.org
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/acpi/sleep.c')
0 files changed, 0 insertions, 0 deletions