| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171130172839.GQ22781@e103592.cambridge.arm.com>
Date: Thu, 30 Nov 2017 17:28:40 +0000
From: Dave Martin <Dave.Martin@....com>
To: "Maciej W. Rozycki" <macro@...s.com>
Cc: Ralf Baechle <ralf@...ux-mips.org>,
James Hogan <james.hogan@...s.com>,
Paul Burton <Paul.Burton@...s.com>,
Alex Smith <alex@...x-smith.me.uk>,
"linux-mips@...ux-mips.org" <linux-mips@...ux-mips.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH 4/5] MIPS: Execute any partial write of the last register
with PTRACE_SETREGSET
On Wed, Nov 29, 2017 at 03:21:14PM +0000, Maciej W. Rozycki wrote:
> Fix a commit d614fd58a283 ("mips/ptrace: Preserve previous registers for
> short regset write") bug and allow the last register requested with a
> ptrace(2) PTRACE_SETREGSET call to be partially written if supplied this
> way by the caller, like with other register sets.
>
> Cc: stable@...r.kernel.org # v4.11+
> Fixes: d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write")
> Signed-off-by: Maciej W. Rozycki <macro@...s.com>
> ---
> arch/mips/kernel/ptrace.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> linux-mips-nt-prfpreg-count.diff
> Index: linux-sfr-test/arch/mips/kernel/ptrace.c
> ===================================================================
> --- linux-sfr-test.orig/arch/mips/kernel/ptrace.c 2017-11-21 22:12:00.000000000 +0000
> +++ linux-sfr-test/arch/mips/kernel/ptrace.c 2017-11-21 22:13:13.471970000 +0000
> @@ -484,7 +484,7 @@ static int fpr_set_msa(struct task_struc
> int err;
>
> BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
> - for (i = 0; i < NUM_FPU_REGS && *count >= sizeof(elf_fpreg_t); i++) {
> + for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) {
>
> err = user_regset_copyin(pos, count, kbuf, ubuf,
> &fpr_val, i * sizeof(elf_fpreg_t),
> (i + 1) * sizeof(elf_fpreg_t));
But mips*_regsets[REGSET_FPR].size == sizeof(elf_fpreg_t),
linux/kernel/regset.c:ptrace_regset() polices
iov_len % regset->size == 0, and each user_regset_copyout() call here
transfers sizeof(elf_fpreg_t) bytes, decrementing *count by that
amount unless something goest wrong in which case we return.
So how do we end up with *count > 0 && *count < sizeof(elf_fpreg_t)
here?
If we can't end up with that, then this patch doesn't change ABI-
observable behaviour, unless I've missed something.
If we can end up with that somehow, then this patch reintroduces the
issue d614fd58a283 aims to fix, whereby fpr_val can contain
uninitialised kernel stack which userspace can then obtain via
PTRACE_GETREGSET.
Cheers
---Dave
Powered by blists - more mailing lists