Linux Kernel Copy User Memory Exception Handling Vulnerability on UltraSPARC III

A vulnerability in the Linux kernel's handling of user-space memory copying has been identified in the stable branch. This issue affects the UltraSPARC III architecture, where the exception reporting in the copy_from_user and copy_to_user functions was inaccurate. The problem arose because these functions returned excessively large values, leading to a BUG_ON condition in the ext4 file system when large folios were enabled. The vulnerability was traced back to a commit that introduced exception handlers for user-space memory references. These handlers, which are supposed to calculate the remaining bytes to copy based on the current register contents, relied on the assumption that a specific register had been properly masked before the bulk copy operation. However, the masking was applied afterward, causing the incorrect return values. The issue has been resolved by adjusting the exception handling to ensure accurate reporting, particularly in fault scenarios, without altering the behavior of the standard memory copy functions.

Impact

The vulnerability could lead to incorrect memory copying operations, potentially causing data corruption or unexpected behavior in applications that rely on accurate user-space memory access. This was demonstrated by the introduction of a BUG_ON condition in ext4 with large folios enabled.

Reproduction

The vulnerability can be reproduced on an UltraSPARC III system by enabling large folios in the ext4 file system. This will trigger the BUG_ON condition, indicating that the copy_from_user function is returning invalidly large values, which can be traced back to the inaccurate exception handling in the user-space memory copying functions.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.