x86/kernel/traps.c: fix trace_die_notifier return value

When triggering a int3 directly, the trace_die_notifier() actually returns 1
(whereas all other notifiers return 0), and that 1 value was being interpreted
as an indicator that DTrace handled the trap and that emulation is needed.  The
codei, from that point on, took a branch that is only to be used when the trap
occurs in kernel code, which is not good when it was actually triggered from
userspace.

OraBug: 27895315
CVE: CVE-2018-8897

Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 1f9b81082cc67d695db095a11f13f3928f01b190..4ee9eb65276c1b411450a63526cb0ab7d3747171 100644 (file)
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -547,7 +547,8 @@ dotraplinkage int notrace do_int3(struct pt_regs *regs, long error_code)
        if ((ret & NOTIFY_STOP_MASK) == NOTIFY_STOP_MASK) {
                ret = notifier_to_errno(ret);
                goto exit;
-       }
+       } else
+               ret = 0;
 
        preempt_conditional_sti(regs);
        do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL);