[PATCH] i386 stack frame security fix

This fixes a potential security issue on i386. FXRSTOR raises an #GP
when the MXCSR field in the FXSAVE frame contains illegal values. By
putting an signal frame just at a border to an unmapped page a malicious
user could potentially cause an exception in the context switch using this.
When the EFAULT occurs in the last bytes of the signal frame the MXCSR
check would be skipped in the old code, but the rogue value would be already
in task_struct, causing problems later.

Here is the minimal fix for this.

Originally discovered by Andrea while doing x86-64 work. It was fixed in
a different way a bit more intrusive way on x86-64 - all FXRSTOR in the
kernel are guarded by exception handlers.

arch/i386/kernel/i387.c

@@ -357,14 +357,14 @@ static inline int restore_i387_fsave( struct _fpstate *buf )
 
 static inline int restore_i387_fxsave( struct _fpstate *buf )
 {
+	int err;
 	struct task_struct *tsk = current;
 	clear_fpu( tsk );
-	if ( __copy_from_user( &tsk->thread.i387.fxsave, &buf->_fxsr_env[0],
-			       sizeof(struct i387_fxsave_struct) ) )
-		return 1;
+	err = __copy_from_user( &tsk->thread.i387.fxsave, &buf->_fxsr_env[0],
+				sizeof(struct i387_fxsave_struct) );
 	/* mxcsr bit 6 and 31-16 must be zero for security reasons */
 	tsk->thread.i387.fxsave.mxcsr &= 0xffbf;
-	return convert_fxsr_from_user( &tsk->thread.i387.fxsave, buf );
+	return err ? 1 : convert_fxsr_from_user( &tsk->thread.i387.fxsave, buf );
 }
 
 int restore_i387( struct _fpstate *buf )