
kernel-2.6.18-194.11.1.el5.src.rpm

From: Jiri Pirko <jpirko@redhat.com>
Date: Wed, 25 Jun 2008 10:05:17 +0200
Subject: [x86_64] zero the output of string inst on exception
Message-id: 4861FC3D.9080308@redhat.com
O-Subject: Re: [kernel team] [RHEL5.3 patch] BZ451276 CVE-2008-2729 kernel: [x86_64] The string instruction version didn't zero the output on exception. [rhel-5.3]
Bugzilla: 451276
RH-Acked-by: Anton Arapov <aarapov@redhat.com>
RH-Acked-by: Alan Cox <alan@redhat.com>

BZ451276
https://bugzilla.redhat.com/show_bug.cgi?id=451276

Description
- Don't zero for __copy_from_user_inatomic following i386.
This will prevent spurious zeros for parallel file system writers when
one of them takes an exception
- The string instruction version didn't zero the output on
exception. Oops.

This issue discovered by Cai Qian in RH in process of RHSA-2008:0508
kernel QA testing.

Upstream status:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3022d734a54cbd2b65eea9a0245648211
01b4a9a;hp=f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff

Brew build:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1358170

Test status:
booted and tested with Vitaly's reproducer attached to bz451271 on x86_64:

testing 'string', buggy: no

diff --git a/arch/x86_64/lib/copy_user.S b/arch/x86_64/lib/copy_user.S
index 8c1d271..15815d0 100644
--- a/arch/x86_64/lib/copy_user.S
+++ b/arch/x86_64/lib/copy_user.S
@@ -325,22 +325,32 @@ ENDPROC(copy_user_generic)
    */
 copy_user_generic_c:
 	CFI_STARTPROC
+	xorq %rax,%rax
 	movl %edx,%ecx
 	shrl $3,%ecx
-	andl $7,%edx	
-1:	rep 
+	andl $7,%edx
+.Lc1:	rep 
 	movsq 
 	movl %edx,%ecx
-2:	rep
+.Lc2:	rep
 	movsb
-4:	movl %ecx,%eax
 	ret
-3:	lea (%rdx,%rcx,8),%rax
+
+.Lc1e:	movq %rcx,%rsi
+.Lc3:	rep
+	stosq
+.Lc2e:	movl %edx,%ecx
+.Lc4:	rep
+	stosb
+.Lc3e:	leaq (%rdx,%rsi,8),%rax
 	ret
 	CFI_ENDPROC
 END(copy_user_generic_c)
 
 	.section __ex_table,"a"
-	.quad 1b,3b
-	.quad 2b,4b
+	.align 8
+	.quad .Lc1,.Lc1e
+	.quad .Lc2,.Lc2e
+	.quad .Lc3,.Lc3e
+	.quad .Lc4,.Lc3e
 	.previous
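Review bot: The fixup at `.Lc2e` is only right as the fall-through from `.Lc3`; entered from a fault in the `rep movsb` at `.Lc2` it discards %rcx, which at that point holds the bytes the byte loop still had to copy, and re-runs `rep stosb` for the whole %edx tail starting at the faulting %rdi, so when the fault lands part-way through the tail up to six bytes are zeroed past the end of the destination. On that same path `.Lc3e` then builds the return value from %rsi, which has not been saved there and still holds the source pointer, so the uncopied-byte count handed back is meaningless; this assumes, as the x86-64 fixup does, that the handler is entered with registers exactly as they were at the fault. The quad-loop entry at `.Lc1e` is fine because it stashes %rcx in %rsi before zeroing. I would give the byte-loop fault its own entry that keeps the remaining count and joins the tail-zeroing at `.Lc4`, as below; the `__ex_table` entries can stay as they are.
```asm
.Lc1e:	movq %rcx,%rsi		/* quads not copied; read by .Lc3e */
.Lc3:	rep
	stosq
	movl %edx,%ecx		/* whole tail still to zero */
.Lc4:	rep
	stosb
.Lc3e:	leaq (%rdx,%rsi,8),%rax	/* bytes not copied */
	ret

.Lc2e:	movl %ecx,%edx		/* fault in byte loop: %ecx = bytes left */
	xorl %esi,%esi		/* no quads outstanding */
	jmp .Lc4
```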