From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:43232 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933452AbdC3IMP (ORCPT ); Thu, 30 Mar 2017 04:12:15 -0400 Subject: Patch "h8300/ptrace: Fix incorrect register transfer count" has been added to the 4.4-stable tree To: Dave.Martin@arm.com, gregkh@linuxfoundation.org, torvalds@linux-foundation.org Cc: , From: Date: Thu, 30 Mar 2017 10:11:55 +0200 Message-ID: <14908615153832@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled h8300/ptrace: Fix incorrect register transfer count to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: h8300-ptrace-fix-incorrect-register-transfer-count.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 502585c7555083d4a949c08350306b9ec196779e Mon Sep 17 00:00:00 2001 From: Dave Martin Date: Mon, 27 Mar 2017 15:10:54 +0100 Subject: h8300/ptrace: Fix incorrect register transfer count From: Dave Martin commit 502585c7555083d4a949c08350306b9ec196779e upstream. regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun if CONFIG_CPU_H8S is set, since this adds an extra entry to register_offset[] but not to user_regs_struct. So, iterate over user_regs_struct based on its actual size, not based on the length of register_offset[]. Signed-off-by: Dave Martin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- arch/h8300/kernel/ptrace.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/arch/h8300/kernel/ptrace.c +++ b/arch/h8300/kernel/ptrace.c @@ -95,7 +95,8 @@ static int regs_get(struct task_struct * long *reg = (long *)®s; /* build user regs in buffer */ - for (r = 0; r < ARRAY_SIZE(register_offset); r++) + BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); + for (r = 0; r < sizeof(regs) / sizeof(long); r++) *reg++ = h8300_get_reg(target, r); return user_regset_copyout(&pos, &count, &kbuf, &ubuf, @@ -113,7 +114,8 @@ static int regs_set(struct task_struct * long *reg; /* build user regs in buffer */ - for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) + BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); + for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) *reg++ = h8300_get_reg(target, r); ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, @@ -122,7 +124,7 @@ static int regs_set(struct task_struct * return ret; /* write back to pt_regs */ - for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) + for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) h8300_put_reg(target, r, *reg++); return 0; } Patches currently in stable-queue which might be from Dave.Martin@arm.com are queue-4.4/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch queue-4.4/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch queue-4.4/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch queue-4.4/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch queue-4.4/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch queue-4.4/h8300-ptrace-fix-incorrect-register-transfer-count.patch queue-4.4/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch