{
  "commit": "f12f42acdbb577a12eecfcebbbec41c81505c4dc",
  "tree": "73e54eb397bc343616268435daaf4960f2a55a78",
  "parents": [
    "9c3a815f471a84811cf8021cf64aae3b8081dfde"
  ],
  "author": {
    "name": "Meng Xu",
    "email": "mengxu.gatech@gmail.com",
    "time": "Wed Aug 23 17:07:50 2017 -0400"
  },
  "committer": {
    "name": "Ingo Molnar",
    "email": "mingo@kernel.org",
    "time": "Tue Aug 29 13:26:22 2017 +0200"
  },
  "message": "perf/core: Fix potential double-fetch bug\n\nWhile examining the kernel source code, I found a dangerous operation that\ncould turn into a double-fetch situation (a race condition bug) where the same\nuserspace memory region is fetched twice into the kernel with sanity checks after\nthe first fetch while missing checks after the second fetch.\n\n  1. The first fetch happens in line 9573 get_user(size, \u0026uattr-\u003esize).\n\n  2. Subsequently the \u0027size\u0027 variable undergoes a few sanity checks and\n     transformations (line 9577 to 9584).\n\n  3. The second fetch happens in line 9610 copy_from_user(attr, uattr, size).\n\n  4. Given that \u0027uattr\u0027 can be fully controlled in userspace, an attacker can\n     use a race condition to override \u0027uattr-\u003esize\u0027 to an arbitrary value (say, 0xFFFFFFFF)\n     after the first fetch but before the second fetch. The changed value will be\n     copied to \u0027attr-\u003esize\u0027.\n\n  5. There are no further checks on \u0027attr-\u003esize\u0027 until the end of this function,\n     and once the function returns, we lose the context to verify that \u0027attr-\u003esize\u0027\n     conforms to the sanity checks performed in step 2 (line 9577 to 9584).\n\n  6. My manual analysis shows that \u0027attr-\u003esize\u0027 is not used elsewhere later,\n     so there is no working exploit against it right now. However, this could\n     easily turn into an exploitable one if careless developers start to use\n     \u0027attr-\u003esize\u0027 later.\n\nTo fix this, override \u0027attr-\u003esize\u0027 from the second fetch to the one from the\nfirst fetch, regardless of what is actually copied in.\n\nIn this way, it is assured that \u0027attr-\u003esize\u0027 is consistent with the checks\nperformed after the first fetch.\n\nSigned-off-by: Meng Xu \u003cmengxu.gatech@gmail.com\u003e\nAcked-by: Peter Zijlstra \u003cpeterz@infradead.org\u003e\nCc: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: acme@kernel.org\nCc: alexander.shishkin@linux.intel.com\nCc: meng.xu@gatech.edu\nCc: sanidhya@gatech.edu\nCc: taesoo@gatech.edu\nLink: http://lkml.kernel.org/r/1503522470-35531-1-git-send-email-meng.xu@gatech.edu\nSigned-off-by: Ingo Molnar \u003cmingo@kernel.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "3504125871d2f058fa717638e785b9c85220213a",
      "old_mode": 33188,
      "old_path": "kernel/events/core.c",
      "new_id": "ce131d25622a759c158475e1b07aae37a44246f1",
      "new_mode": 33188,
      "new_path": "kernel/events/core.c"
    }
  ]
}
