| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Mar 2022 11:56:42 -0800
From: Kees Cook <keescook@...omium.org>
To: Max Filippov <jcmvbkbc@...il.com>
Cc: linux-xtensa@...ux-xtensa.org, Chris Zankel <chris@...kel.net>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH 2/2] xtensa: use XCHAL_NUM_AREGS as pt_regs::areg size
On Sat, Mar 05, 2022 at 10:44:35PM -0800, Max Filippov wrote:
> struct pt_regs is used to access both kernel and user exception frames.
> User exception frames may contain up to XCHAL_NUM_AREG registers that
> task creation and signal delivery code may access, but pt_regs::areg
> array has only 16 entries that cover only the kernel exception frame.
> This results in the following build error:
>
> arch/xtensa/kernel/process.c: In function 'copy_thread':
> arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above
> array bounds of 'long unsigned int[16]' [-Werror=array-bounds]
> 262 | put_user(regs->areg[caller_ars+1],
>
> Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers
> the whole user exception frame. Adjust task_pt_regs and drop additional
> register copying code from copy_thread now that the whole user exception
> stack frame is copied.
>
> Reported-by: Kees Cook <keescook@...omium.org>
> Signed-off-by: Max Filippov <jcmvbkbc@...il.com>
> ---
> arch/xtensa/include/asm/ptrace.h | 7 +++----
> arch/xtensa/kernel/process.c | 10 ----------
> 2 files changed, 3 insertions(+), 14 deletions(-)
^^^^^^^^^^^^
Well that's always nice to see in a fix. :) Thanks for digging into
this!
Reviewed-by: Kees Cook <keescook@...omium.org>
--
Kees Cook
Powered by blists - more mailing lists