CVE-2021-47227

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/05/2024
Last modified: 29/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Prevent state corruption in __fpu__restore_sig()

The non-compacted slowpath uses __copy_from_user() and copies the entire user buffer into the kernel buffer, verbatim. This means that the kernel buffer may now contain entirely invalid state on which XRSTOR will #GP. validate_user_xstate_header() can detect some of that corruption, but that leaves the onus on callers to clear the buffer.

Prior to XSAVES support, it was possible just to reinitialize the buffer, completely, but with supervisor states that is no longer possible as the buffer clearing code split got it backwards. Fixing that is possible but not corrupting the state in the first place is more robust.

Avoid corruption of the kernel XSAVE buffer by using copy_user_to_xstate() which validates the XSAVE header contents before copying the actual states to the kernel. copy_user_to_xstate() was previously only called for compacted-format kernel buffers, but it works for both compacted and non-compacted forms.

Using it for the non-compacted form is slower because of multiple __copy_from_user() operations, but that cost is less important than robust code in an already slow path.

[ Changelog polished by Dave Hansen ]
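The difference between copying verbatim and validating the header before copying can be seen in a small userspace model. This is an added example, not kernel code and not part of the original advisory: the structure layout, the mask and all function names are hypothetical simplifications.

```c
#include <stdint.h>
#include <string.h>
/* Simplified userspace model: layout and names are hypothetical, not kernel code. */
#define NCOMP 3
#define COMP_SIZE 16
#define SUPPORTED_MASK 0x7ull /* assumed: only features 0..2 exist */

struct xhdr { uint64_t xfeatures, xcomp_bv, reserved; };
struct xbuf { struct xhdr hdr; uint8_t comp[NCOMP][COMP_SIZE]; };

/* Reject unknown feature bits and non-zero must-be-zero fields. */
static int header_valid(const struct xhdr *h) {
    return !(h->xfeatures & ~SUPPORTED_MASK) && !h->xcomp_bv && !h->reserved;
}

/* "Before" pattern: copy the whole buffer verbatim, validate afterwards. */
int restore_verbatim(struct xbuf *kbuf, const struct xbuf *ubuf) {
    memcpy(kbuf, ubuf, sizeof(*kbuf)); /* untrusted bytes land first */
    return header_valid(&kbuf->hdr) ? 0 : -1;
}

/* "After" pattern: validate the header, then copy only the states it names. */
int restore_validated(struct xbuf *kbuf, const struct xbuf *ubuf) {
    struct xhdr h = ubuf->hdr; /* fetch once, validate what is used */
    if (!header_valid(&h))
        return -1; /* kbuf has not been touched */
    for (int i = 0; i < NCOMP; i++)
        if (h.xfeatures & (1ull << i))
            memcpy(kbuf->comp[i], ubuf->comp[i], COMP_SIZE);
    kbuf->hdr.xfeatures |= h.xfeatures;
    return 0;
}

/* Feed a constructed garbage user buffer to `restore`; return 1 if the
 * kernel buffer is byte-identical afterwards, 0 if it was corrupted. */
int kbuf_intact_after_reject(int (*restore)(struct xbuf *, const struct xbuf *)) {
    struct xbuf good, kbuf, ubuf;
    memset(&good, 0, sizeof(good));
    good.hdr.xfeatures = 0x1;
    memset(good.comp[0], 0xAA, COMP_SIZE);
    kbuf = good;
    memset(&ubuf, 0x41, sizeof(ubuf)); /* constructed invalid input */
    if (restore(&kbuf, &ubuf) == 0) return -1; /* must be rejected */
    return memcmp(&kbuf, &good, sizeof(good)) == 0;
}

int main(void) { /* exit status 0 when both patterns behave as described */
    return !(kbuf_intact_after_reject(restore_validated) == 1 &&
             kbuf_intact_after_reject(restore_verbatim) == 0);
}
```

Both functions reject the invalid input; only the verbatim copy leaves the destination holding the rejected bytes, which is why its callers would have to clear the buffer on failure.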

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8 (including) | 5.10.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:* | |