Message-Id: <20210925051647.1162829-1-guoren@kernel.org>
Date:   Sat, 25 Sep 2021 13:16:46 +0800
From:   guoren@...nel.org
To:     guoren@...nel.org
Cc:     linux-kernel@...r.kernel.org, linux-csky@...r.kernel.org,
        Al Viro <viro@...iv.linux.org.uk>, stable@...r.kernel.org
Subject: [PATCH V2 1/2] csky: don't let sigreturn play with priveleged bits of status register

From: Al Viro <viro@...iv.linux.org.uk>

csky restore_sigcontext() blindly overwrites regs->sr with the value
it finds in sigcontext.  Attacker can store whatever they want in there,
which includes things like S-bit.  Userland shouldn't be able to set
that, or anything other than C flag (bit 0).

Do the same thing other architectures with protected bits in flags
register do - preserve everything that shouldn't be settable in
user mode, picking the rest from the value saved is sigcontext.

Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
Signed-off-by: Guo Ren <guoren@...nel.org>
Cc: stable@...r.kernel.org
---
 arch/csky/kernel/signal.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/csky/kernel/signal.c b/arch/csky/kernel/signal.c
index 312f046d452d..6ba3969ec175 100644
--- a/arch/csky/kernel/signal.c
+++ b/arch/csky/kernel/signal.c
@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt_regs *regs,
 	struct sigcontext __user *sc)
 {
 	int err = 0;
+	unsigned long sr = regs->sr;
 
 	/* sc_pt_regs is structured the same as the start of pt_regs */
 	err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
 
+	/* BIT(0) of regs->sr is Condition Code/Carry bit */
+	regs->sr = (sr & ~1) | (regs->sr & 1);
+
 	/* Restore the floating-point state. */
 	err |= restore_fpu_state(sc);
 
-- 
2.25.1

Powered by blists - more mailing lists