DEBIAN-CVE-2023-53642

Source
https://security-tracker.debian.org/tracker/CVE-2023-53642
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53642.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2023-53642
Upstream
Published
2025-10-07T16:15:47.517Z
Modified
2026-02-04T11:01:17.501793Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

x86: fix clear_user_rep_good() exception handling annotation

This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") upstream.

However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final 'rep movsb' in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it.

That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won't actually find the instruction in the exception tables.

As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like:

    BUG: unable to handle page fault for address: 0000000020081000
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    ...
    RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147
    ...
    Call Trace:
      __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline]
      clear_user arch/x86/include/asm/uaccess_64.h:124 [inline]
      iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800
      iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline]
      iomap_dio_iter fs/iomap/direct-io.c:440 [inline]
      __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601
      iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689
      ext4_dio_read_iter fs/ext4/file.c:94 [inline]
      ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145
      call_read_iter include/linux/fs.h:2183 [inline]
      do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733
      do_iter_read+0x2f2/0x750 fs/read_write.c:796
      vfs_readv+0xe5/0x150 fs/read_write.c:916
      do_preadv+0x1b6/0x270 fs/read_write.c:1008
      __do_sys_preadv2 fs/read_write.c:1070 [inline]
      __se_sys_preadv2 fs/read_write.c:1061 [inline]
      __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd

which then looks like a filesystem bug rather than the incorrect exception annotation that it is.

[ The alternative to this one-liner fix is to take the upstream series that cleans this all up:

    68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies")
    20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing")
    adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies")
  * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing")
    3639a535587d ("x86: move stac/clac from user copy routines into callers")
    577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case")
    8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function")
    427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function")
  * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM")
    e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()")
    034ff37d3407 ("x86: rewrite '__copy_user_nocache' function")

  with either the whole series or at a minimum the two marked commits being needed to fix this issue ]

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.37-1

Affected versions

6.*
6.1.27-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53642.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53642.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53642.json"