From: Dave Martin <Dave.Martin@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org, Will Deacon <will.deacon@arm.com>, Catalin Marinas <catalin.marinas@arm.com>
Subject: [RFC PATCH v2 5/6] arm64: signal: Parse extra_context during sigreturn
Date: Wed, 12 Apr 2017 18:01:14 +0100
Message-ID: <1492016495-19689-5-git-send-email-Dave.Martin@arm.com>
In-Reply-To: <1492016495-19689-1-git-send-email-Dave.Martin@arm.com>

If extra_context is present, parse it.

To avoid abuse by userspace, this patch attempts to ensure that:

 * no more than one extra_context is accepted;
 * the extra_context is a sensible size;
 * the extra context data is properly aligned.

The extra_context data is required to start immediately after struct rt_sigframe (as during signal delivery). This serves as a sanity-check that the signal frame has not been moved or copied without taking the extra data into account.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
---
 arch/arm64/include/uapi/asm/sigcontext.h |  6 ++++-
 arch/arm64/kernel/signal.c               | 46 ++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/uapi/asm/sigcontext.h b/arch/arm64/include/uapi/asm/sigcontext.h index b5e2523..a2f7211 100644 --- a/arch/arm64/include/uapi/asm/sigcontext.h +++ b/arch/arm64/include/uapi/asm/sigcontext.h @@ -96,7 +96,11 @@ struct esr_context { * extra_context must be the last record in sigcontext.__reserved[] * except for the terminator). * - * 4) The extra space must itself be terminated with a null + * 4) The extra space to which data points must start at the first + * 16-byte aligned address immediately after the end of the sigcontext + * strucutre. + * + * 5) The extra space must itself be terminated with a null * _aarch64_ctx. */ #define EXTRA_MAGIC 0x45585401 diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 95547e1..983cddf 100644 --- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c @@ -223,6 +223,10 @@ static int parse_user_sigframe(struct user_ctxs *user, char __user *base = (char __user *)&sc->__reserved; size_t offset = 0; size_t limit = sizeof(sc->__reserved); + bool have_extra_context = false; + + /* Expected location of extra_data (if present): */ + char __user *const extra_base = (char __user *)sf + BASE_SIGFRAME_SIZE; user->fpsimd = NULL; @@ -232,6 +236,9 @@ static int parse_user_sigframe(struct user_ctxs *user, while (1) { int err = 0; u32 magic, size; + struct extra_context const __user *extra; + void __user *extra_data; + u32 extra_size; if (limit - offset < sizeof(*head)) goto invalid; @@ -269,6 +276,45 @@ static int parse_user_sigframe(struct user_ctxs *user, /* ignore */ break; + case EXTRA_MAGIC: + if (have_extra_context) + goto invalid; + + if (size < sizeof(*extra)) + goto invalid; + + extra = (struct extra_context const __user *)head; + __get_user_error(extra_data, &extra->data, err); + __get_user_error(extra_size, &extra->size, err); + if (err) + return err; + + /* Prevent looping/repeated parsing of extra_conext */ + have_extra_context = true; + + /* + * Rely on the __user accessors to reject bogus + * pointers. + */ + base = extra_data; + if (!IS_ALIGNED((unsigned long)base, 16)) + goto invalid; + + if (extra_data != extra_base) + goto invalid; + + /* Reject "unreasonably large" frames: */ + limit = extra_size; + if (limit > SIGFRAME_MAXSZ - sizeof(sc->__reserved)) + goto invalid; + + /* + * Ignore trailing terminator in __reserved[] + * and start parsing extra_data: + */ + offset = 0; + continue; + default: goto invalid; } -- 2.1.4
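Review bot: the comment added in the sigcontext.h hunk has a typo, "strucutre" should read "structure" in "immediately after the end of the sigcontext strucutre." This is a uapi header that userspace authors will read against when laying out their own frames, so it is worth fixing before the series goes in; the new rule 4 (extra data starts at the first 16-byte aligned address after sigcontext) is otherwise consistent with the extra_base comparison introduced in signal.c.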
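Review bot: in the EXTRA_MAGIC case, the parser does not enforce the header's rule that extra_context is the last record in __reserved[] before the terminator: once `offset = 0; continue;` runs, parsing resumes in extra_data, so any records that followed extra_context inside __reserved[] are silently skipped rather than rejected; either check that the next record in __reserved[] is the null terminator before switching, or say in the comment that trailing records are deliberately ignored. Two smaller points in the same hunk: the comment "Rely on the __user accessors to reject bogus pointers" is stale now that `if (extra_data != extra_base) goto invalid;` pins extra_data to the kernel-computed sf + BASE_SIGFRAME_SIZE, and the preceding `if (!IS_ALIGNED((unsigned long)base, 16))` test is implied by that equality whenever BASE_SIGFRAME_SIZE keeps the 16-byte alignment the header comment requires, so moving `base = extra_data;` after the equality check and dropping the redundant alignment test would make the intent clearer. Also, "extra_conext" in the "Prevent looping/repeated parsing" comment should read "extra_context".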