From: Kris Van Hees <kris.van.hees@oracle.com>
Date: Wed, 18 Apr 2018 12:58:27 +0000 (+0300)
Subject: x86/kernel/traps.c: fix trace_die_notifier return value
X-Git-Tag: v4.1.12-124.31.3~830
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a6afcaf329bbacc9bcd1e0324621fa2f05745dc3;p=users%2Fjedix%2Flinux-maple.git

x86/kernel/traps.c: fix trace_die_notifier return value

When triggering a int3 directly, the trace_die_notifier() actually returns 1
(whereas all other notifiers return 0), and that 1 value was being interpreted
as an indicator that DTrace handled the trap and that emulation is needed.  The
codei, from that point on, took a branch that is only to be used when the trap
occurs in kernel code, which is not good when it was actually triggered from
userspace.

OraBug: 27895315
CVE: CVE-2018-8897

Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com>

Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
---

diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 1f9b81082cc6..4ee9eb65276c 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -547,7 +547,8 @@ dotraplinkage int notrace do_int3(struct pt_regs *regs, long error_code)
 	if ((ret & NOTIFY_STOP_MASK) == NOTIFY_STOP_MASK) {
 		ret = notifier_to_errno(ret);
 		goto exit;
-	}
+	} else
+		ret = 0;
 
 	preempt_conditional_sti(regs);
 	do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL);