Sorry, I misspelled the e-mail address of [email protected].

From: Al Viro <[email protected]>
Subject: Re: [m32r] apparent roothole via PTRACE_SETREGS (kernel mode, even)
Date: Fri, 30 Nov 2012 14:54:35 +0000

> IOW, ptrace_write_user() is right - only ->psw.BC should be possible to
> modify and ->spi should not be modifiable at all. The same logic applies
> to ptrace_setregs() and to restore_sigcontext(); thus the patch I've sent...
> Anyway, below it is, with s-o-b and saner commit message. If you are OK
> with it, please say so - the hole is bad enough to need a fix in -final
> and in stable branches.
It is OK with me. Could you please apply the following patch?
(Reviewed and build-checked)

-- Takata

m32r: get ptrace_setregs and restore_sigcontext in sync with ptrace_write_user

neither should be able to set regs->spi or bits in regs->psw other than M32R_PSW_BC.

Cc: [email protected]
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: Hirokazu Takata <[email protected]>
--
 include/asm/assembler.h |    3 +--
 kernel/ptrace.c         |    2 ++
 kernel/signal.c         |    5 +++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/arch/m32r/include/asm/assembler.h b/arch/m32r/include/asm/assembler.h index 728799f..54c7406 100644 --- a/arch/m32r/include/asm/assembler.h +++ b/arch/m32r/include/asm/assembler.h @@ -177,8 +177,7 @@ mvtc r14, cr3 ; spu pop r13 pop lr ; r14 - pop sp ; spi (r15) - addi sp, #4 ; Skip orig_r0 + addi sp, #8 ; Skip spi, orig_r0 .fillinsn 1: rte .section .fixup,"ax" diff --git a/arch/m32r/kernel/ptrace.c b/arch/m32r/kernel/ptrace.c index 51f5e9a..d1ad152 100644 --- a/arch/m32r/kernel/ptrace.c +++ b/arch/m32r/kernel/ptrace.c @@ -204,6 +204,8 @@ static int ptrace_setregs(struct task_struct *tsk, void __user *uregs) ret = -EFAULT; if (copy_from_user(&newregs, uregs, sizeof(struct pt_regs)) == 0) { struct pt_regs *regs = task_pt_regs(tsk); + newregs.psw &= M32R_PSW_BC; + newregs.psw |= regs->psw & ~M32R_PSW_BC; *regs = newregs; ret = 0; } diff --git a/arch/m32r/kernel/signal.c b/arch/m32r/kernel/signal.c index 6e3c26a..3ae6b48 100644 --- a/arch/m32r/kernel/signal.c +++ b/arch/m32r/kernel/signal.c @@ -55,6 +55,7 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p) { unsigned int err = 0; + unsigned long psw; /* Always make any pending restarted system calls return -EINTR */ current_thread_info()->restart_block.fn = do_no_restart_syscall; 
@@ -78,15 +79,15 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, COPY(acc0l); COPY(acc1h); /* ISA_DSP_LEVEL2 only */ COPY(acc1l); /* ISA_DSP_LEVEL2 only */ - COPY(psw); COPY(bpc); COPY(bbpsw); COPY(bbpc); COPY(spu); COPY(fp); COPY(lr); - COPY(spi); #undef COPY + err |= __get_user(psw, &sc->sc_psw); + regs->psw = (regs->psw & ~M32R_PSW_BC) | (psw & M32R_PSW_BC); regs->syscall_nr = -1; /* disable syscall checks */ err |= __get_user(*r0_p, &sc->sc_r0);
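Review bot: in the assembler.h hunk, replacing `pop sp ; spi (r15)` and `addi sp, #4` with a single `addi sp, #8 ; Skip spi, orig_r0` is only correct as long as spi and orig_r0 stay two adjacent 4-byte slots at the top of the saved frame; a comment at the pt_regs definition (or a build-time offset check) saying that the restore path now skips the spi slot instead of loading sp from it would keep the C layout and this macro from drifting apart. It is also worth stating in the commit message that after this hunk the saved spi is dead on the return-to-user path, since that is what makes any remaining writer of regs->spi harmless.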
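Review bot: in the ptrace.c hunk the two added lines confine the caller's psw to M32R_PSW_BC, but `*regs = newregs;` still copies the caller-supplied spi into regs->spi, so the commit message's "neither should be able to set regs->spi" holds for ptrace_setregs only indirectly, via the assembler.h change that stops the restore path from using that slot. Adding `newregs.spi = regs->spi;` beside the psw fix-up would make the function self-contained, mirror ptrace_write_user's refusal to touch spi, and keep anything that still reads regs->spi from seeing a tracer-chosen value.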
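Review bot: in the second signal.c hunk, `regs->psw = (regs->psw & ~M32R_PSW_BC) | (psw & M32R_PSW_BC);` runs whether or not `__get_user(psw, &sc->sc_psw)` succeeded, so on a faulting sigframe the BC bit is taken from whatever the failed fetch left in `psw`. That is harmless provided the caller treats a non-zero err as fatal for the task, which these lines do not show; initialising `psw` where the first signal.c hunk declares it, or performing the regs->psw update only while err is still zero, would make the intent explicit. A short comment at the removed `COPY(psw)` / `COPY(spi)` lines saying why they must not come back would also help the next reader.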
