From: Dave Martin <Dave.Martin@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org, Will Deacon <will.deacon@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>
Subject: [RFC PATCH v2 5/6] arm64: signal: Parse extra_context during sigreturn
Date: Wed, 12 Apr 2017 18:01:14 +0100	[thread overview]
Message-ID: <1492016495-19689-5-git-send-email-Dave.Martin@arm.com> (raw)
In-Reply-To: <1492016495-19689-1-git-send-email-Dave.Martin@arm.com>

If extra_context is present, parse it.

To avoid abuse by userspace, this patch attempts to ensure that:
 * no more than one extra_context is accepted;
 * the extra_context is a sensible size;
 * the extra context data is properly aligned.

The extra_context data is required to start immediately after
struct rt_sigframe (as during signal delivery).  This serves as a
sanity-check that the signal frame has not been moved or copied
without taking the extra data into account.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
---
 arch/arm64/include/uapi/asm/sigcontext.h |  6 ++++-
 arch/arm64/kernel/signal.c               | 46 ++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/uapi/asm/sigcontext.h b/arch/arm64/include/uapi/asm/sigcontext.h
index b5e2523..a2f7211 100644
--- a/arch/arm64/include/uapi/asm/sigcontext.h
+++ b/arch/arm64/include/uapi/asm/sigcontext.h
@@ -96,7 +96,11 @@ struct esr_context {
  * extra_context must be the last record in sigcontext.__reserved[]
  * except for the terminator).
  *
- * 4) The extra space must itself be terminated with a null
+ * 4) The extra space to which data points must start at the first
+ * 16-byte aligned address immediately after the end of the sigcontext
+ * strucutre.
+ *
+ * 5) The extra space must itself be terminated with a null
  * _aarch64_ctx.
  */
 #define EXTRA_MAGIC	0x45585401
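Review bot: the new rule 4 text disagrees with the commit message and with the check this series adds to parse_user_sigframe(): the comment says the extra data must start at the first 16-byte aligned address after the end of the sigcontext structure, whereas the commit message says immediately after struct rt_sigframe and the code compares `extra_data` against `sf + BASE_SIGFRAME_SIZE`. Since this is the uapi contract a userspace frame-copier has to honour, please word the comment in terms of the end of rt_sigframe (and fix "strucutre" while there).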
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 95547e1..983cddf 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -223,6 +223,10 @@ static int parse_user_sigframe(struct user_ctxs *user,
 	char __user *base = (char __user *)&sc->__reserved;
 	size_t offset = 0;
 	size_t limit = sizeof(sc->__reserved);
+	bool have_extra_context = false;
+
+	/* Expected location of extra_data (if present): */
+	char __user *const extra_base = (char __user *)sf + BASE_SIGFRAME_SIZE;
 
 	user->fpsimd = NULL;
 
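Review bot: `extra_base` is computed from `sf` and BASE_SIGFRAME_SIZE, neither of which is visible in this hunk's context, so the change only builds on top of the earlier patches in the series that make them available to parse_user_sigframe(); a sentence in the commit message naming that dependency would help anyone bisecting the series.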
@@ -232,6 +236,9 @@ static int parse_user_sigframe(struct user_ctxs *user,
 	while (1) {
 		int err = 0;
 		u32 magic, size;
+		struct extra_context const __user *extra;
+		void __user *extra_data;
+		u32 extra_size;
 
 		if (limit - offset < sizeof(*head))
 			goto invalid;
@@ -269,6 +276,45 @@ static int parse_user_sigframe(struct user_ctxs *user,
 			/* ignore */
 			break;
 
+		case EXTRA_MAGIC:
+			if (have_extra_context)
+				goto invalid;
+
+			if (size < sizeof(*extra))
+				goto invalid;
+
+			extra = (struct extra_context const __user *)head;
+			__get_user_error(extra_data, &extra->data, err);
+			__get_user_error(extra_size, &extra->size, err);
+			if (err)
+				return err;
+
+			/* Prevent looping/repeated parsing of extra_conext */
+			have_extra_context = true;
+
+			/*
+			 * Rely on the __user accessors to reject bogus
+			 * pointers.
+			 */
+			base = extra_data;
+			if (!IS_ALIGNED((unsigned long)base, 16))
+				goto invalid;
+
+			if (extra_data != extra_base)
+				goto invalid;
+
+			/* Reject "unreasonably large" frames: */
+			limit = extra_size;
+			if (limit > SIGFRAME_MAXSZ - sizeof(sc->__reserved))
+				goto invalid;
+
+			/*
+			 * Ignore trailing terminator in __reserved[]
+			 * and start parsing extra_data:
+			 */
+			offset = 0;
+			continue;
+
 		default:
 			goto invalid;
 		}
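Review bot: rule 3 from the uapi header (extra_context must be the last record in __reserved[] apart from the terminator) is not enforced here: after `offset = 0; continue;` the parser never looks at what follows the extra_context record in __reserved[], so a frame with further records there is accepted silently rather than rejected; consider reading the next header and requiring a null terminator before switching `base`. Two smaller points: with `extra_data != extra_base` enforced, the `IS_ALIGNED(base, 16)` test only adds something if BASE_SIGFRAME_SIZE is not already guaranteed to be 16-byte aligned, so either drop it or pin that down with a BUILD_BUG_ON; and the comment reads "extra_conext" for "extra_context".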
-- 
2.1.4
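The checks the commit message lists (one extra_context at most, a sensible size, 16-byte alignment, and data that starts exactly where signal delivery put it) are easier to reason about against a few concrete frames. The following is an added user-space model of the parsing loop, not the kernel's code and not part of the patch: it walks a constructed flat buffer the way parse_user_sigframe() does after this patch and reports whether each sample frame would be accepted. Assumptions: "user pointers" are byte offsets into the buffer, reads past the buffer stand in for the __user accessors faulting, the layout constants RESERVED_OFF, RESERVED_SIZE, BASE_SIGFRAME_SIZE and SIGFRAME_MAXSZ are made-up model values, and the extra_context field names data/size follow this v2 patch. EXTRA_MAGIC is the value from the patch; FPSIMD_MAGIC is the real arm64 uapi value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EXTRA_MAGIC  0x45585401u   /* value from the patch */
#define FPSIMD_MAGIC 0x46508001u   /* arm64 uapi FPSIMD record magic */
/* Assumed model constants; the real kernel values differ: */
#define RESERVED_OFF       64      /* offset of sigcontext.__reserved[] in the frame */
#define RESERVED_SIZE      128     /* modelled size of __reserved[] */
#define BASE_SIGFRAME_SIZE (RESERVED_OFF + RESERVED_SIZE)  /* extra data must start here */
#define SIGFRAME_MAXSZ     512     /* modelled cap on the whole frame */

struct aarch64_ctx { uint32_t magic; uint32_t size; };
/* Field names follow the v2 patch (data/size); the final uapi names differ. */
struct extra_context { struct aarch64_ctx head; uint64_t data; uint32_t size; uint32_t pad[3]; };
enum parse_result { FRAME_OK = 0, FRAME_INVALID = -1, FRAME_EFAULT = -2 };
struct parsed { bool fpsimd; bool extra; };

/* Walk the record list as parse_user_sigframe() does after the patch. "User pointers"
 * are byte offsets into the flat buffer; reads outside it model a __get_user fault. */
static enum parse_result parse_user_sigframe(const uint8_t *frame, size_t frame_len,
                                             struct parsed *out)
{
    size_t base = RESERVED_OFF, offset = 0, limit = RESERVED_SIZE;
    const size_t extra_base = BASE_SIGFRAME_SIZE;   /* expected location of extra data */
    bool have_extra_context = false;
    struct parsed res = { false, false };
    for (;;) {
        struct aarch64_ctx head;
        struct extra_context extra;
        if (limit - offset < sizeof head) return FRAME_INVALID;
        if (base + offset + sizeof head > frame_len) return FRAME_EFAULT;
        memcpy(&head, frame + base + offset, sizeof head);
        if (head.magic == 0) {                    /* null terminator ends the list */
            if (head.size) return FRAME_INVALID;
            break;
        }
        if (head.size < sizeof head || limit - offset < head.size) return FRAME_INVALID;
        switch (head.magic) {
        case FPSIMD_MAGIC:
            if (res.fpsimd) return FRAME_INVALID; /* at most one FPSIMD record */
            res.fpsimd = true;
            break;
        case EXTRA_MAGIC:
            if (have_extra_context) return FRAME_INVALID;  /* at most one extra_context */
            if (head.size < sizeof extra) return FRAME_INVALID;
            if (base + offset + sizeof extra > frame_len) return FRAME_EFAULT;
            memcpy(&extra, frame + base + offset, sizeof extra);
            have_extra_context = true;            /* prevents re-parsing loops */
            base = (size_t)extra.data;
            /* 16-byte aligned and exactly where signal delivery placed it */
            if (base % 16 != 0 || base != extra_base) return FRAME_INVALID;
            limit = extra.size;
            if (limit > SIGFRAME_MAXSZ - RESERVED_SIZE) return FRAME_INVALID; /* too large */
            res.extra = true;
            offset = 0;                           /* restart parsing in the extra area */
            continue;
        default:
            return FRAME_INVALID;
        }
        offset += head.size;
    }
    if (out) *out = res;
    return FRAME_OK;
}

/* Constructed sample frames: extra_context in __reserved[], an FPSIMD record in
 * the extra area, optionally followed by a second extra_context there. */
static enum parse_result scenario(uint64_t data, uint32_t extra_size, bool second_extra,
                                  struct parsed *out)
{
    uint8_t buf[SIGFRAME_MAXSZ] = { 0 };          /* zero bytes double as terminators */
    struct extra_context e = { { EXTRA_MAGIC, (uint32_t)sizeof e }, data, extra_size, { 0, 0, 0 } };
    struct aarch64_ctx fp = { FPSIMD_MAGIC, 16 };
    memcpy(buf + RESERVED_OFF, &e, sizeof e);
    memcpy(buf + BASE_SIGFRAME_SIZE, &fp, sizeof fp);
    if (second_extra)
        memcpy(buf + BASE_SIGFRAME_SIZE + 16, &e, sizeof e);
    return parse_user_sigframe(buf, sizeof buf, out);
}

static enum parse_result scenario_good(void)      { return scenario(BASE_SIGFRAME_SIZE, 64, false, NULL); }
static enum parse_result scenario_two_extra(void) { return scenario(BASE_SIGFRAME_SIZE, 64, true, NULL); }
static enum parse_result scenario_misplaced(void) { return scenario(BASE_SIGFRAME_SIZE + 16, 64, false, NULL); }
static enum parse_result scenario_unaligned(void) { return scenario(BASE_SIGFRAME_SIZE + 8, 64, false, NULL); }
static enum parse_result scenario_loop(void)      { return scenario(RESERVED_OFF, 64, false, NULL); }
static enum parse_result scenario_oversize(void)  { return scenario(BASE_SIGFRAME_SIZE, 1000, false, NULL); }

/* Both records are found once the parser has followed a valid extra_context. */
static bool good_frame_records_seen(void)
{
    struct parsed p;
    return scenario(BASE_SIGFRAME_SIZE, 64, false, &p) == FRAME_OK && p.fpsimd && p.extra;
}
```

Only the well-formed frame parses; the second extra_context in the extra area, a data pointer 16 bytes past the expected place, an unaligned pointer, a pointer back into __reserved[] (the looping case the patch guards against) and an oversized extra area are all rejected as FRAME_INVALID.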
