* [PATCH V2 1/2] csky: don't let sigreturn play with privileged bits of status register
@ 2021-09-25  5:16 guoren
From: guoren @ 2021-09-25  5:16 UTC (permalink / raw)
  To: guoren; +Cc: linux-kernel, linux-csky, Al Viro, stable

From: Al Viro <viro@zeniv.linux.org.uk>

csky restore_sigcontext() blindly overwrites regs->sr with the value
it finds in sigcontext.  An attacker can store whatever they want in there,
which includes things like the S-bit.  Userland shouldn't be able to set
that, or anything other than the C flag (bit 0).

Do the same thing other architectures with protected bits in the flags
register do - preserve everything that shouldn't be settable in
user mode, picking the rest from the value saved in sigcontext.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guo Ren <guoren@kernel.org>
Cc: stable@vger.kernel.org
---
 arch/csky/kernel/signal.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/csky/kernel/signal.c b/arch/csky/kernel/signal.c
index 312f046d452d..6ba3969ec175 100644
--- a/arch/csky/kernel/signal.c
+++ b/arch/csky/kernel/signal.c
@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt_regs *regs,
 	struct sigcontext __user *sc)
 {
 	int err = 0;
+	unsigned long sr = regs->sr;
 
 	/* sc_pt_regs is structured the same as the start of pt_regs */
 	err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
 
+	/* BIT(0) of regs->sr is Condition Code/Carry bit */
+	regs->sr = (sr & ~1) | (regs->sr & 1);
+
 	/* Restore the floating-point state. */
 	err |= restore_fpu_state(sc);
 
-- 
2.25.1



* [PATCH V2 2/2] csky: Fixup regs.sr broken in ptrace
@ 2021-09-25  5:16 ` guoren
From: guoren @ 2021-09-25  5:16 UTC (permalink / raw)
  To: guoren; +Cc: linux-kernel, linux-csky, Guo Ren, Al Viro, stable

From: Guo Ren <guoren@linux.alibaba.com>

gpr_get() returns the entire pt_regs (including sr) to userspace; if we
don't restore the C bit in gpr_set, it may break the ALU result in
that context. So the C flag bit is part of the gpr context, which is why
riscv totally removed the C bit from the ISA. That makes the sr reg clear
from userspace to supervisor privilege.

Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
---
 arch/csky/kernel/ptrace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/csky/kernel/ptrace.c b/arch/csky/kernel/ptrace.c
index 0105ac81b432..1a5f54e0d272 100644
--- a/arch/csky/kernel/ptrace.c
+++ b/arch/csky/kernel/ptrace.c
@@ -99,7 +99,8 @@ static int gpr_set(struct task_struct *target,
 	if (ret)
 		return ret;
 
-	regs.sr = task_pt_regs(target)->sr;
+	/* BIT(0) of regs.sr is Condition Code/Carry bit */
+	regs.sr = (regs.sr & BIT(0)) | (task_pt_regs(target)->sr & ~BIT(0));
 #ifdef CONFIG_CPU_HAS_HILO
 	regs.dcsr = task_pt_regs(target)->dcsr;
 #endif
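Review bot: the new expression silently drops every sr bit other than bit 0 that a tracer writes through this regset, and nothing tells the ptrace user that. That is the intended hardening, but the comment should say so: that the C bit is taken from the tracer's value, that all other sr bits are taken from the target's current sr (the same pattern the dcsr line below already follows), and that writes to those bits are ignored rather than rejected with an error. A debugger that tries to set other status bits through PTRACE_SETREGSET otherwise has no way to learn that the write did not take effect.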
-- 
2.25.1


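The masking both patches above apply to the status register, as an added example that is not part of either patch or of the kernel's csky code. It models a sanitised sr for the sigreturn case (privileged bits preserved from the kernel's copy, only the C bit taken from the user-supplied sigcontext) and for the ptrace case (the tracer's C bit kept instead of being overwritten), alongside the pre-fix behaviour of each. The position of the S bit is an assumption chosen for illustration, since the page does not give the csky sr layout; only bit 0 being the C flag comes from the patches.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Bit 0 is the C (condition code/carry)
 * flag, as stated in both patches. The S (supervisor) bit position below
 * is an ASSUMPTION for illustration; the real csky layout is not on the page.
 */
#define SR_C_BIT          (1UL << 0)
#define SR_S_BIT_ASSUMED  (1UL << 31)   /* hypothetical position of the S bit */

/* sigreturn before 1/2: whatever sits in sigcontext lands in regs->sr. */
static unsigned long sigreturn_sr_unchecked(unsigned long kernel_sr,
                                            unsigned long user_sr)
{
	(void)kernel_sr;
	return user_sr;
}

/* sigreturn after 1/2: only bit 0 is honoured, everything else is kept. */
static unsigned long sigreturn_sr_masked(unsigned long kernel_sr,
                                         unsigned long user_sr)
{
	return (kernel_sr & ~SR_C_BIT) | (user_sr & SR_C_BIT);
}

/* ptrace gpr_set before 2/2: the tracer's sr is discarded entirely,
 * so a C flag the tracer wanted to restore is lost. */
static unsigned long gpr_set_sr_old(unsigned long task_sr,
                                    unsigned long tracer_sr)
{
	(void)tracer_sr;
	return task_sr;
}

/* ptrace gpr_set after 2/2: same mask as sigreturn, C from the tracer. */
static unsigned long gpr_set_sr_fixed(unsigned long task_sr,
                                      unsigned long tracer_sr)
{
	return (tracer_sr & SR_C_BIT) | (task_sr & ~SR_C_BIT);
}

/* True when a transition from 'before' to 'after' gains the (assumed) S bit. */
static bool gains_supervisor(unsigned long before, unsigned long after)
{
	return !(before & SR_S_BIT_ASSUMED) && (after & SR_S_BIT_ASSUMED);
}

int main(void)
{
	/* Constructed values: a user-mode sr with some unrelated bit set,
	 * and an attacker-controlled sigcontext with every bit set. */
	unsigned long kernel_sr = 0x40000000UL;
	unsigned long hostile_sc = 0xFFFFFFFFUL;

	unsigned long bad = sigreturn_sr_unchecked(kernel_sr, hostile_sc);
	unsigned long good = sigreturn_sr_masked(kernel_sr, hostile_sc);

	printf("sigreturn unchecked: 0x%lx (gains S: %s)\n", bad,
	       gains_supervisor(kernel_sr, bad) ? "yes" : "no");
	printf("sigreturn masked:    0x%lx (gains S: %s)\n", good,
	       gains_supervisor(kernel_sr, good) ? "yes" : "no");

	/* ptrace side: tracer writes back a context whose C flag is set. */
	unsigned long tracer_sr = SR_C_BIT;
	printf("gpr_set old:   0x%lx (C flag lost)\n",
	       gpr_set_sr_old(kernel_sr, tracer_sr));
	printf("gpr_set fixed: 0x%lx (C flag kept, S untouched)\n",
	       gpr_set_sr_fixed(kernel_sr, tracer_sr | SR_S_BIT_ASSUMED));
	return 0;
}
```

The two fixed helpers compute the same expression written the way each patch writes it; the point of keeping both is to make visible that sigreturn and the NT_PRSTATUS regset are two writers of the same register and need the same rule, since hardening one and not the other leaves the attacker the other path.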
