arch/tile: don't allow user code to set the PL via ptrace or signal return

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The kernel was allowing any component of the pt_regs to be updated either
by signal handlers writing to the stack, or by processes writing via
PTRACE_POKEUSR or PTRACE_SETREGS, which meant they could set their PL
up from 0 to 1 and get access to kernel code and data (or, in practice,
cause a kernel panic). We now always reset the ex1 field, allowing the
user to set their ICS bit only.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>

Chris Metcalf 15 years ago 1deb9c5d 34a89d26

+24 -18

2 changed files

expand all

arch

tile

kernel

ptrace.c

signal.c

+21 -18

arch/tile/kernel/ptrace.c

··· 50 50 { 51 51 unsigned long __user *datap = (long __user __force *)data; 52 52 unsigned long tmp; 53 - int i; 54 53 long ret = -EIO; 55 - unsigned long *childregs; 56 54 char *childreg; 55 + struct pt_regs copyregs; 56 + int ex1_offset; 57 57 58 58 switch (request) { 59 59 ··· 80 80 if (addr >= PTREGS_SIZE) 81 81 break; 82 82 childreg = (char *)task_pt_regs(child) + addr; 83 + 84 + /* Guard against overwrites of the privilege level. */ 85 + ex1_offset = PTREGS_OFFSET_EX1; 86 + #if defined(CONFIG_COMPAT) && defined(__BIG_ENDIAN) 87 + if (is_compat_task()) /* point at low word */ 88 + ex1_offset += sizeof(compat_long_t); 89 + #endif 90 + if (addr == ex1_offset) 91 + data = PL_ICS_EX1(USER_PL, EX1_ICS(data)); 92 + 83 93 #ifdef CONFIG_COMPAT 84 94 if (is_compat_task()) { 85 95 if (addr & (sizeof(compat_long_t)-1)) ··· 106 96 break; 107 97 108 98 case PTRACE_GETREGS: /* Get all registers from the child. */ 109 - if (!access_ok(VERIFY_WRITE, datap, PTREGS_SIZE)) 110 - break; 111 - childregs = (long *)task_pt_regs(child); 112 - for (i = 0; i < sizeof(struct pt_regs)/sizeof(unsigned long); 113 - ++i) { 114 - ret = __put_user(childregs[i], &datap[i]); 115 - if (ret != 0) 116 - break; 99 + if (copy_to_user(datap, task_pt_regs(child), 100 + sizeof(struct pt_regs)) == 0) { 101 + ret = 0; 117 102 } 118 103 break; 119 104 120 105 case PTRACE_SETREGS: /* Set all registers in the child. */ 121 - if (!access_ok(VERIFY_READ, datap, PTREGS_SIZE)) 122 - break; 123 - childregs = (long *)task_pt_regs(child); 124 - for (i = 0; i < sizeof(struct pt_regs)/sizeof(unsigned long); 125 - ++i) { 126 - ret = __get_user(childregs[i], &datap[i]); 127 - if (ret != 0) 128 - break; 106 + if (copy_from_user(&copyregs, datap, 107 + sizeof(struct pt_regs)) == 0) { 108 + copyregs.ex1 = 109 + PL_ICS_EX1(USER_PL, EX1_ICS(copyregs.ex1)); 110 + *task_pt_regs(child) = copyregs; 111 + ret = 0; 129 112 } 130 113 break; 131 114

arch/tile/kernel/signal.c

··· 71 71 for (i = 0; i < sizeof(struct pt_regs)/sizeof(long); ++i) 72 72 err |= __get_user(regs->regs[i], &sc->gregs[i]); 73 73 74 + /* Ensure that the PL is always set to USER_PL. */ 75 + regs->ex1 = PL_ICS_EX1(USER_PL, EX1_ICS(regs->ex1)); 76 + 74 77 regs->faultnum = INT_SWINT_1_SIGRETURN; 75 78 76 79 err |= __get_user(*pr0, &sc->gregs[0]);