Received: by 2002:ab2:7855:0:b0:1f9:5764:f03e with SMTP id m21csp999536lqp; Thu, 23 May 2024 06:31:14 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXbiIZ5f/dKeV+7HKuXrpJkOw2EpW5LrDjzgGFXSbssmRyEX0uA75Ygvn+xHFP/96ZzJwPvFT55Ob12PB1N4ljGQKhPXo1Cyda/37MWgw== X-Google-Smtp-Source: AGHT+IE74yHFSfIo/gt+HbcnOOyDoOuxvnm0uNGclU7x80WSf8pZGjoMjCt8Uz2Or/ocqmF6fhfG X-Received: by 2002:a05:6122:549:b0:4d4:21cc:5f4f with SMTP id 71dfb90a1353d-4e2185b0fbamr4799026e0c.11.1716471074239; Thu, 23 May 2024 06:31:14 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716471074; cv=pass; d=google.com; s=arc-20160816; b=J4eBRj9Gp2MlaUxGjTzPBj692rPvu0k0DqTu1OjMExHNrlepDccBOXEI2bWf7WZ5i0 +h8D5k6dBlAF270V2rHrwIfEYqxNNstQ7AU3EmX5u/8yKAE8MUn9mnbQ5aE0+uVYMePE dOHiWAXTI0Ybkt5FoWQdyvu9bAbF8dtlxFGcmePOpmLXAeo7Ovw7f+yvVQn3fMKpkJxz 43KXDSxp8bKb5Ch5Y8PWgRsvAT9fFuKGkIUF/UPEP30q5MMQwRJGtbKPMcH+Zuhup5AL VRwRHZnKYEVhlIrdAmXBd7FNHbmW+mE6qHSMnVFjheOfJmQUvig4cqRUeAGf7kUafRIj rXZg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=6aLptCun//1vqBlkwzlEk0ko0fTNXpe1NW3NNyhP4hw=; fh=4ZpR/sa9h86XPi9ylYExnSpkN97OVFy9ZvjsZNLvXmA=; b=0eI21PJ6PJqu617ktUADF8RVTKMkoC9LP4b8v9YCvhSqyvR0/xmugZeSe3iqATllSi dcCr0dxldDfDERiFuCVAZ1ruiG2uOcJypPlAyorjvHDONWzxk+veGvVgAJQmoJVTRMa2 1qtL++f4zM/cev+xL757/+IAX7QFTQkACet6aZ6Hi6IqhS7oEfPVOj92eChabVSGZevT ZeZfarnxtbq1NchJYsCgd1c7r5zBGTfcwzdxLeXCHPZRgTgo69M1UEYWqmi3JfpXSPW7 owSCm5epZ6HUYE2WWUB77T/Uwl6a96TwR8DtNgPECgVtAgyynd7GxhgPEhCJA1/p2w4m YGxg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="lP/xqI9e"; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-187577-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-187577-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id ada2fe7eead31-4806cc911e3si5751325137.578.2024.05.23.06.31.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 May 2024 06:31:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-187577-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="lP/xqI9e"; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-187577-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-187577-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 8647B1C2029A for ; Thu, 23 May 2024 13:31:11 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 189C414A4D9; Thu, 23 May 2024 13:31:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="lP/xqI9e" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 38833224FA; Thu, 23 May 2024 13:31:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716471066; cv=none; b=OLMfVLOW93dsH3t6yww9AdcKXfKiQw2IMat+0LoJZHBuG/ETwKuhZxQluDrPWOLosrnZatcUq01Q3NXPFTVAMzdkAg6QSuWWURNOo+TApvBwlqHVo0rtHzd1XOaU0KRKo+VuyiON8SC/3yEY+jRiBLK9kWlh3SJrf3ULsG+pmNI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716471066; c=relaxed/simple; bh=sAJj67FsAJsaSk4s8mN5GuG+0++iDgcYQY2HCWnVDzM=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=r19XCNlu7Nd4Ftrd0wXA6HiTLsiLtgt1McA7uA8zGCb5c1UWmCezYKT3tyfPrmRj1EztE0pdxvztS662CieJV0g6Wa7f+4s7j4HmydpWut9Y8zxOG05tAmIh/e5Tn1le1ZttKqo4HQFIaAVfn7aY7Uq5lvXd+VerxhUrXyjUi7c= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=lP/xqI9e; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7CCD6C2BD10; Thu, 23 May 2024 13:31:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1716471065; bh=sAJj67FsAJsaSk4s8mN5GuG+0++iDgcYQY2HCWnVDzM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=lP/xqI9eVD56TTz4HOGPicH5FJAyHRDjZD0s7dD3Jgi0LUTPxRnRGEED0zWe1I1eU XWvcxzQrx/N3x6bew1UWaV8QUJg/mituKS0s6ngrfUSfEeIhHenecDx38GHDssSDSW peN3FA7Xr/OVjp9s69H+q99ow1+zNDifPMvhaUyg= Date: Thu, 23 May 2024 15:31:03 +0200 From: Greg Kroah-Hartman To: Nikolay Borisov Cc: cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org Subject: Re: CVE-2021-47326: x86/signal: Detect and prevent an alternate signal stack overflow Message-ID: <2024052322-outage-grit-a4fe@gregkh> References: <2024052133-CVE-2021-47326-fd53@gregkh> <06570587-dc49-4885-83da-7a386f012106@suse.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <06570587-dc49-4885-83da-7a386f012106@suse.com> On Thu, May 23, 2024 at 01:19:17PM +0300, Nikolay Borisov wrote: > > > On 21.05.24 г. 17:36 ч., Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > x86/signal: Detect and prevent an alternate signal stack overflow > > > > The kernel pushes context on to the userspace stack to prepare for the > > user's signal handler. When the user has supplied an alternate signal > > stack, via sigaltstack(2), it is easy for the kernel to verify that the > > stack size is sufficient for the current hardware context. > > > > Check if writing the hardware context to the alternate stack will exceed > > it's size. If yes, then instead of corrupting user-data and proceeding with > > the original signal handler, an immediate SIGSEGV signal is delivered. > > > > Refactor the stack pointer check code from on_sig_stack() and use the new > > helper. > > > > While the kernel allows new source code to discover and use a sufficient > > alternate signal stack size, this check is still necessary to protect > > binaries with insufficient alternate signal stack size from data > > corruption. > > > > The Linux kernel CVE team has assigned CVE-2021-47326 to this issue. > > > I'd like to dispute this CVE. Basically a process can pass in a > wrongly-sized stack which will cause its own stack to be corrupted. If > anything this affects the process rather than the kernel. Ah, good catch, thanks, I'll go revoke this CVE now. Thanks for the review, much appreciated! greg k-h