From: Jeroen Roovers <jer@gentoo.org>
To: Helge Deller <deller@gmx.de>
Cc: linux-parisc@vger.kernel.org,
James Bottomley <James.Bottomley@hansenpartnership.com>,
John David Anglin <dave.anglin@bell.net>,
Rolf Eike Beer <eike-kernel@sf-tec.de>
Subject: Re: [PATCH] parisc: Fix kernel panic due invalid values of IAOQ0 or IAOQ1
Date: Thu, 4 Jul 2019 21:23:21 +0200
Message-ID: <20190704212321.42a00ebb@wim.jer>
In-Reply-To: <20190703063524.GA27797@ls3530.dellerweb.de>
On Wed, 3 Jul 2019 08:35:24 +0200
Helge Deller <deller@gmx.de> wrote:
> On parisc the privilege level of a process is stored in the lowest
> two bits of the instruction pointers (IAOQ0 and IAOQ1). On Linux we
> use privilege level 0 for the kernel and privilege level 3 for
> user-space. So userspace should not be allowed to modify IAOQ0 or
> IAOQ1 of a ptraced process to change its privilege level to e.g. 0
> to try to gain kernel privileges.
>
> This patch prevents such modifications by always setting the two
> lowest bits to one (which relates to privilege level 3 for
> user-space) if IAOQ0 or IAOQ1 are modified via ptrace calls.
>
> Fixes: https://bugs.gentoo.org/481768
> Reported-by: Jeroen Roovers <jer@gentoo.org>
> Cc: <stable@vger.kernel.org>
>
> diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c
> index a3d2fb4e6dd2..8ecd41938709 100644
> --- a/arch/parisc/kernel/ptrace.c
> +++ b/arch/parisc/kernel/ptrace.c
> @@ -167,6 +175,9 @@ long arch_ptrace(struct task_struct *child, long
> request, if ((addr & (sizeof(unsigned long)-1)) ||
> addr >= sizeof(struct pt_regs))
> break;
> + if (addr == PT_IAOQ0 || addr == PT_IAOQ1) {
> + data |= 3; /* ensure userspace privilege */
> + }
> if ((addr >= PT_GR1 && addr <= PT_GR31) ||
> addr == PT_IAOQ0 || addr == PT_IAOQ1
> || (addr >= PT_FR0 && addr <= PT_FR31 + 4) ||
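Review bot: the `data |= 3` forcing in arch_ptrace() only covers the PTRACE_POKEUSR path shown here; IAOQ0/IAOQ1 are also writable through the regset interface (PTRACE_SETREGS) in the same file, which this diff does not touch, so that write path needs the same privilege-bit forcing or the protection can be bypassed. Also, the hunk header `@@ -167,6 +175,9 @@` shows an eight-line offset before any of this patch's own additions, which suggests the diff was generated on top of other local changes; please rebase against the tree the patch targets so it applies cleanly. A small wording point: "ensure userspace privilege" reads more precisely as "force privilege level 3 (user-space)".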
> @@ -281,6 +292,9 @@ long compat_arch_ptrace(struct task_struct
> *child, compat_long_t request, addr = translate_usr_offset(addr);
> if (addr >= sizeof(struct pt_regs))
> break;
> + if (addr == PT_IAOQ0 || addr == PT_IAOQ1) {
> + data |= 3; /* ensure userspace
> privilege */
> + }
> if (addr >= PT_FR0 && addr <= PT_FR31 + 4) {
> /* Special case, fp regs are 64 bits
> anyway */ *(__u64 *) ((char *) task_regs(child) + addr) = data;
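Review bot: this duplicates the IAOQ check from arch_ptrace() verbatim in compat_arch_ptrace(); a shared helper (for example one that takes `addr` and returns `data | 3` for PT_IAOQ0/PT_IAOQ1) would keep the two paths from drifting apart. Since the reporter states below that the panic still reproduces with this patch applied, it would also help to state in the commit message which write paths (native, compat, regset) were tested, and for both root and unprivileged tracers.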
That may fix some problem, but it sadly does not fix the problem
reported in https://bugs.gentoo.org/481768 . Both root and unprivileged
users can still trigger the same kernel panic with a kernel patched
thusly. How can we help you reproduce the issue?
Kind regards,
jer
Thread overview:
2019-07-03 6:35 [PATCH] parisc: Fix kernel panic due invalid values of IAOQ0 or IAOQ1 Helge Deller
2019-07-04 19:23 ` Jeroen Roovers [this message]
2019-07-04 19:54 ` Helge Deller
2019-07-04 19:58 ` Helge Deller
2019-07-04 20:36 ` Helge Deller