CVE-2024-26603

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/fpu: Stop relying on userspace for info to fault in xsave buffer<br /> <br /> Before this change, the expected size of the user space buffer was<br /> taken from fx_sw-&gt;xstate_size. fx_sw-&gt;xstate_size can be changed<br /> from user-space, so it is possible construct a sigreturn frame where:<br /> <br /> * fx_sw-&gt;xstate_size is smaller than the size required by valid bits in<br /> fx_sw-&gt;xfeatures.<br /> * user-space unmaps parts of the sigrame fpu buffer so that not all of<br /> the buffer required by xrstor is accessible.<br /> <br /> In this case, xrstor tries to restore and accesses the unmapped area<br /> which results in a fault. But fault_in_readable succeeds because buf +<br /> fx_sw-&gt;xstate_size is within the still mapped area, so it goes back and<br /> tries xrstor again. It will spin in this loop forever.<br /> <br /> Instead, fault in the maximum size which can be touched by XRSTOR (taken<br /> from fpstate-&gt;user_size).<br /> <br /> [ dhansen: tweak subject / changelog ]