* [parisc-linux] pa_memcpy kernel crashing testcase == "glibc +nptl +testsuite", and some tests.
From: Carlos O'Donell @ 2005-08-01 15:15 UTC (permalink / raw)
To: parisc-linux
parisc,
Luckily I found an excellent testcase that crashes the kernel *every*
time, thus enabling me to test a patch from Randolph to see if the
recent stability issues could be fixed.
Kernel 2.6.13-rc3-pa0
gcc version 3.3.6 (Debian 1:3.3.6-7)
64-bit kernel, UP, on an a500 (PA8700) with 1.5GB of RAM.
Running the glibc testsuite with NPTL enabled causes the machine
to consistently HPMC.
---------------------------------------------------------------------
Backtrace:
[<000000001032d994>] copy_to_user+0x34/0x40
[<0000000010172284>] sys_timer_create+0x294/0x8c8
[<0000000010184d04>] compat_sys_timer_create+0x74/0xa8
[<0000000010107f8c>] syscall_exit+0x0/0x14
Kernel Fault: Code=15 regs=00000000484cc480 (Addr=00000000c064cb48)
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001001111111100001111 Not tainted
r00-03 0000000000000000 0000000010677e28 000000001032d994 0000000000000000
r04-07 00000000106dfc00 0000000060e59e80 0000000000000000 00000000c064cb48
r08-11 00000000484cc190 0000000000000001 00000000000e8608 0000000000000000
r12-15 00000000000e8648 00000000000e88e8 00000000000aa000 00000000000eac08
r16-19 00000000000ecc08 00000000000e8648 0000000000000000 0000000000000000
r20-23 00000000484cc000 00000000484cc280 00000000484cc281 00000000c064cb48
r24-27 0000000000000004 00000000484cc280 00000000c064cb48 00000000106dfc00
r28-31 0000000000000000 00000000c064cb48 00000000484cc480 0000000000000004
sr0-3 0000000002014000 0000000000000000 0000000000000000 0000000002014000
sr4-7 0000000000000000 0000000000000000 0000000000000000 0000000000000000
VZOUICununcqcqcqcqcqcrmunTDVZOUI
FPSR: 00000000000000000000000000000000
FPER1: 00000000
fr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000
fr04-07 00000000101f7be4 00000000000000fa 0000000012623c18 0000000000000000
fr08-11 00000000106dfc00 0000000000000002 00000000106dfc00 0000000000000802
fr12-15 000f41fa2f2149c0 0000000000000020 fffffffffffffc18 0000000000000000
fr16-19 000000001019baa0 00000000125c7000 00000000101cb07c 00000000125c7000
fr20-23 00000000125c7000 0000000000000000 0000000000000043 0000000000000228
fr24-27 000fb909ffe5cb9a 3fe0000000000000 412e848000000000 00000000125c7000
fr28-31 0000000000001000 00000000106dfc00 000000001077f240 0000000000000000
IASQ: 0000000000000000 0000000000000000 IAOQ: 000000001032d678 000000001032d67c
IIR: 0fb39222 ISR: 0000000000000000 IOR: 00000000c064cb48
CPU: 0 CR30: 00000000484cc000 CR31: 00000000106a0000
ORIG_R28: 00000000106dfc00
IAOQ[0]: pa_memcpy+0x178/0x32c
IAOQ[1]: pa_memcpy+0x17c/0x32c
RP(r2): copy_to_user+0x34/0x40
Kernel panic - not syncing: Kernel Fault
---------------------------------------------------------------------
Randolph's patch to remove fpregs and the double word copies
using those registers can be found at:
http://www.parisc-linux.org/~tausq/fpreg.diff
The same kernel with that patch applied still crashes.
This can mean any number of things, but it could mean:
a. There is another path in the kernel code corrupting fp registers.
b. The optimal pa_memcpy is too optimal and exposes other bugs?
I think that 'a.' is the most plausible.
Any thoughts about catching the culprit?
Cheers,
Carlos.
NOTE:
Even with Randolph's patch the following functions use fpregs heavily:
__muldi3 : Heavy fpregs usage
__divdi3 : "
__moddi3 : "
__udivdi3 : "
__umoddi3 : "
The following functions save/restore fpregs:
linux_gateway_entry - Save fpregs
_switch_to - Save fpregs
_switch_to_ret - Restore fpregs
intr_restore - Restore fpregs
L4^B1 - Save fpregs?
L4^B2 - Save fpregs?
syscall_restore - Load fpregs
The following functions have a weird sequence involving fr31R?
schedule
1010e8c4: 68 d4 00 98 stw r20,4c(r6)
1010e8c8: 5c df 00 9a fldw 4c(r6),fr31R
1010e8cc: 00 13 18 60 mtsm r19
io_schedule
10110d14: 68 d3 24 88 stw r19,1244(r6)
10110d18: 5c df 24 8a fldw 1244(r6),fr31R
10110d1c: 00 14 18 60 mtsm r20
__down_read
__down_write
sys_ptrace
load_elf_binary
dev_ifname32
sched_setaffinity
get_task_mm
copy_mm
copy_fs_struct
copy_files
unshare_files
copy_process
profile_hit
release_task
daemonize
get_file_struct
...
And many more. This load to fr31R is discarded and never used.
_______________________________________________
parisc-linux mailing list
parisc-linux@lists.parisc-linux.org
http://lists.parisc-linux.org/mailman/listinfo/parisc-linux
* Re: [parisc-linux] pa_memcpy kernel crashing testcase == "glibc +nptl +testsuite", and some tests.
From: Carlos O'Donell @ 2005-08-01 16:42 UTC (permalink / raw)
To: parisc-linux
parisc,
Another crash. Remember in the compat case that the source and destination
addresses may have sr's both set to zero since you are copying into a
temporary kernel structure.
Backtrace:
[<0000000010325ef4>] copy_to_user+0x34/0x40
[<00000000101711dc>] sys_timer_create+0x294/0x8c8
[<00000000101836f4>] compat_sys_timer_create+0x74/0xa8
[<0000000010107f8c>] syscall_exit+0x0/0x14
Kernel Fault: Code=15 regs=0000000058fa0480 (Addr=00000000bffd6b48)
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001001111111100001111 Not tainted
r00-03 0000000000000000 0000000010669a08 0000000010325ef4 0000000000000000
r04-07 00000000106d3ac0 0000000058f76e80 0000000000000000 00000000bffd6b48
r08-11 0000000058fa0190 0000000000000001 00000000000e8608 0000000000000000
r12-15 00000000000e8648 00000000000e88e8 00000000000aa000 00000000000eac08
r16-19 00000000000ecc08 00000000000e8648 0000000000000000 0000000000000000
r20-23 0000000058fa0000 0000000058fa0280 0000000058fa0281 00000000bffd6b48
r24-27 0000000000000004 0000000058fa0280 00000000bffd6b48 00000000106d3ac0
r28-31 0000000000000000 00000000bffd6b48 0000000058fa0480 0000000000000004
sr0-3 0000000000ae3800 0000000000000000 0000000000000000 0000000000ae3800
sr4-7 0000000000000000 0000000000000000 0000000000000000 0000000000000000
VZOUICununcqcqcqcqcqcrmunTDVZOUI
FPSR: 00000000000000000000000000000000
FPER1: 00000000
fr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000
fr04-07 00000000101f3d2c 00000000107575f8 0000000012603c18 0000000000000000
fr08-11 00000000106d3ac0 0000000000000002 00000000106d3ac0 0000000000000802
fr12-15 0000000010199b48 0000000000000020 00000000101c7cd4 00000000125ae000
fr16-19 00000000125ae000 0000000000000000 00000000106d3ac0 000f41fa2f8c1980
fr20-23 0000000000000020 00000000101c7cd4 0000000065378f74 000dae5bffe932bc
fr24-27 00000000001fec2c 3fe0000000000000 412e848000000000 00000000106d3ac0
fr28-31 000000006f8b3dc8 000000000000000b 0000000000000020 0000000000000043
IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000010325bd8 0000000010325bdc
IIR: 0fb39222 ISR: 0000000000000000 IOR: 00000000bffd6b48
CPU: 0 CR30: 0000000058fa0000 CR31: 0000000010694000
ORIG_R28: 00000000107733e0
IAOQ[0]: pa_memcpy+0x118/0x2d0
IAOQ[1]: pa_memcpy+0x11c/0x2d0
RP(r2): copy_to_user+0x34/0x40
Kernel panic - not syncing: Kernel Fault
<0>Rebooting in 180 seconds..
For the interested parties, here is a disassembly of pa_memcpy:
0000000010325ac0 <pa_memcpy>:
10325ac0: 0f c2 12 c1 std rp,-10(,sp)
10325ac4: 37 de 01 00 ldo 80(sp),sp
10325ac8: 73 c8 3f 41 std r8,-60(sp)
10325acc: 73 c6 3f 51 std r6,-58(sp)
10325ad0: 73 c5 3f 61 std r5,-50(sp)
10325ad4: 73 c4 3f 71 std r4,-48(sp)
10325ad8: 73 c3 3f 81 std r3,-40(sp)
10325adc: 08 18 02 5f copy r24,r31
10325ae0: 08 1a 02 57 copy r26,r23
10325ae4: 08 19 02 55 copy r25,r21
10325ae8: 08 19 02 56 copy r25,r22
10325aec: ef 1e 81 b0 cmpib,*>>= f,r24,10325bcc <pa_memcpy+0x10c>
10325af0: 08 1a 02 5d copy r26,ret1
10325af4: 0b 59 02 b4 xor r25,r26,r20
10325af8: da 93 0b fd extrd,u r20,63,3,r19
10325afc: ee 60 a2 72 cmpib,*<>,n 0,r19,10325c3c <pa_memcpy+0x17c>
10325b00: db 34 0b fd extrd,u r25,63,3,r20
10325b04: ee 80 a1 fa cmpib,*<>,n 0,r20,10325c08 <pa_memcpy+0x148>
10325b08: 08 16 02 57 copy r22,r23
10325b0c: 34 1a 00 3e ldi 1f,r26
10325b10: bf 1a 80 d8 cmpb,*>>= r26,r24,10325b84 <pa_memcpy+0xc4>
10325b14: 08 1d 02 59 copy ret1,r25
10325b18: 0e e8 50 b6 ldw,ma 4(sr1,r23),r22
10325b1c: da d6 0b e0 extrd,u r22,63,32,r22
10325b20: 0e e8 50 b5 ldw,ma 4(sr1,r23),r21
10325b24: da b5 0b e0 extrd,u r21,63,32,r21
10325b28: 0e e8 50 b4 ldw,ma 4(sr1,r23),r20
10325b2c: da 94 0b e0 extrd,u r20,63,32,r20
10325b30: 0e e8 50 b3 ldw,ma 4(sr1,r23),r19
10325b34: da 73 0b e0 extrd,u r19,63,32,r19
10325b38: 0f 36 92 a8 stw,ma r22,4(sr2,r25)
10325b3c: 0f 35 92 a8 stw,ma r21,4(sr2,r25)
10325b40: 0f 34 92 a8 stw,ma r20,4(sr2,r25)
10325b44: 0f 33 92 a8 stw,ma r19,4(sr2,r25)
10325b48: 0e e8 50 b6 ldw,ma 4(sr1,r23),r22
10325b4c: da d6 0b e0 extrd,u r22,63,32,r22
10325b50: 0e e8 50 b5 ldw,ma 4(sr1,r23),r21
10325b54: da b5 0b e0 extrd,u r21,63,32,r21
10325b58: 0e e8 50 b4 ldw,ma 4(sr1,r23),r20
10325b5c: da 94 0b e0 extrd,u r20,63,32,r20
10325b60: 0e e8 50 b3 ldw,ma 4(sr1,r23),r19
10325b64: da 73 0b e0 extrd,u r19,63,32,r19
10325b68: 0f 36 92 a8 stw,ma r22,4(sr2,r25)
10325b6c: 0f 35 92 a8 stw,ma r21,4(sr2,r25)
10325b70: 0f 34 92 a8 stw,ma r20,4(sr2,r25)
10325b74: 0f 33 92 a8 stw,ma r19,4(sr2,r25)
10325b78: 37 18 3f c1 ldo -20(r24),r24
10325b7c: 9f 1a 9f 2d cmpb,*<< r26,r24,10325b18 <pa_memcpy+0x58>
10325b80: 08 00 02 40 nop
10325b84: ef 1e 80 78 cmpib,*>>= f,r24,10325bc8 <pa_memcpy+0x108>
10325b88: 08 17 02 56 copy r23,r22
10325b8c: 0e e8 50 b6 ldw,ma 4(sr1,r23),r22
10325b90: da d6 0b e0 extrd,u r22,63,32,r22
10325b94: 0e e8 50 b5 ldw,ma 4(sr1,r23),r21
10325b98: da b5 0b e0 extrd,u r21,63,32,r21
10325b9c: 0e e8 50 b4 ldw,ma 4(sr1,r23),r20
10325ba0: da 94 0b e0 extrd,u r20,63,32,r20
10325ba4: 0e e8 50 b3 ldw,ma 4(sr1,r23),r19
10325ba8: da 73 0b e0 extrd,u r19,63,32,r19
10325bac: 0f 36 92 a8 stw,ma r22,4(sr2,r25)
10325bb0: 0f 35 92 a8 stw,ma r21,4(sr2,r25)
10325bb4: 0f 34 92 a8 stw,ma r20,4(sr2,r25)
10325bb8: 0f 33 92 a8 stw,ma r19,4(sr2,r25)
10325bbc: 37 18 3f e1 ldo -10(r24),r24
10325bc0: ef 1e 1f 8d cmpib,*<< f,r24,10325b8c <pa_memcpy+0xcc>
10325bc4: 08 17 02 56 copy r23,r22
10325bc8: 08 19 02 5d copy r25,ret1
10325bcc: ef 00 20 28 cmpib,*= 0,r24,10325be8 <pa_memcpy+0x128>
10325bd0: 34 1c 00 00 ldi 0,ret0
10325bd4: 0e c2 50 33 ldb,ma 1(sr1,r22),r19
10325bd8: 0f b3 92 22 stb,ma r19,1(sr2,ret1)
10325bdc: 37 18 3f ff ldo -1(r24),r24
10325be0: ef 00 bf dd cmpib,*<> 0,r24,10325bd4 <pa_memcpy+0x114>
10325be4: 34 1c 00 00 ldi 0,ret0
10325be8: 53 c2 3e e1 ldd -90(sp),rp
10325bec: 53 c8 3f 41 ldd -60(sp),r8
10325bf0: 53 c6 3f 51 ldd -58(sp),r6
10325bf4: 53 c5 3f 61 ldd -50(sp),r5
10325bf8: 53 c4 3f 71 ldd -48(sp),r4
10325bfc: 53 c3 3f 81 ldd -40(sp),r3
10325c00: e8 40 d0 00 bve (rp)
10325c04: 37 de 3f 01 ldo -80(sp),sp
10325c08: 96 94 00 10 subi 8,r20,r20
10325c0c: 0a 80 52 73 or,*>= r0,r20,r19
10325c10: 96 73 00 00 subi 0,r19,r19
10325c14: 0a 60 04 33 sub r0,r19,r19
10325c18: ef 00 3d d5 cmpib,*= 0,r24,10325b08 <pa_memcpy+0x48>
10325c1c: da 73 00 1f extrd,u r19,0,1,r19
10325c20: 86 60 3d cd cmpib,= 0,r19,10325b0c <pa_memcpy+0x4c>
10325c24: 08 16 02 57 copy r22,r23
10325c28: 0e c2 50 33 ldb,ma 1(sr1,r22),r19
10325c2c: 37 18 3f ff ldo -1(r24),r24
10325c30: 0f b3 92 22 stb,ma r19,1(sr2,ret1)
10325c34: e8 1f 1f a5 b,l 10325c0c <pa_memcpy+0x14c>,r0
10325c38: 36 94 3f ff ldo -1(r20),r20
10325c3c: da 93 0b fe extrd,u r20,63,2,r19
10325c40: ee 60 24 80 cmpib,*= 0,r19,10325e88 <cda_ldw_exc+0xa0>
10325c44: db 53 0b fe extrd,u r26,63,2,r19
10325c48: ee 60 a4 20 cmpib,*<> 0,r19,10325e60 <cda_ldw_exc+0x78>
10325c4c: 96 74 00 08 subi 4,r19,r20
10325c50: da b3 0b fe extrd,u r21,63,2,r19
10325c54: db 05 1b a2 extrd,u r24,61,62,r5
10325c58: f2 73 10 63 depd,z r19,60,61,r19
10325c5c: 08 17 02 5c copy r23,ret0
10325c60: 96 73 00 40 subi 20,r19,r19
10325c64: 34 04 00 00 ldi 0,r4
10325c68: da 62 0f e0 extrd,s r19,63,32,rp
10325c6c: 34 01 00 00 ldi 0,r1
10325c70: d8 b3 0b fe extrd,u r5,63,2,r19
10325c74: ee 66 00 e0 cmpib,*<< 3,r19,10325cec <pa_memcpy+0x22c>
10325c78: f6 a0 04 1e depdi 0,63,2,r21
10325c7c: 86 66 80 d2 cmpib,<<,n 3,r19,10325cec <pa_memcpy+0x22c>
10325c80: e8 13 40 00 blr r19,r0
10325c84: 08 00 02 40 nop
10325c88: e8 00 02 e8 b,l 10325e04 <cda_ldw_exc+0x1c>,r0
10325c8c: 08 00 02 40 nop
10325c90: e8 00 03 20 b,l 10325e28 <cda_ldw_exc+0x40>,r0
10325c94: 08 00 02 40 nop
10325c98: e8 00 00 10 b,l 10325ca8 <pa_memcpy+0x1e8>,r0
10325c9c: 08 00 02 40 nop
10325ca0: e8 00 03 38 b,l 10325e44 <cda_ldw_exc+0x5c>,r0
10325ca4: 08 00 02 40 nop
10325ca8: 0e a0 50 93 ldw 0(sr1,r21),r19
10325cac: da 66 0b e0 extrd,u r19,63,32,r6
10325cb0: 0e a8 50 94 ldw 4(sr1,r21),r20
10325cb4: 36 b5 3f f9 ldo -4(r21),r21
10325cb8: da 84 0b e0 extrd,u r20,63,32,r4
10325cbc: 34 a5 00 04 ldo 2(r5),r5
10325cc0: 36 fc 3f e9 ldo -c(r23),ret0
10325cc4: 0e b8 50 94 ldw c(sr1,r21),r20
10325cc8: da 81 0b e0 extrd,u r20,63,32,r1
10325ccc: 01 62 18 40 mtsar rp
10325cd0: d0 86 00 13 shrpw r6,r4,%sar,r19
10325cd4: da 73 0b e0 extrd,u r19,63,32,r19
10325cd8: 0f 93 92 98 stw r19,c(sr2,ret0)
10325cdc: 36 b5 00 20 ldo 10(r21),r21
10325ce0: 37 9c 00 20 ldo 10(ret0),ret0
10325ce4: 34 a5 3f f9 ldo -4(r5),r5
10325ce8: ec a0 20 92 cmpib,*=,n 0,r5,10325d38 <pa_memcpy+0x278>
10325cec: 0e a0 50 94 ldw 0(sr1,r21),r20
10325cf0: da 83 0b e0 extrd,u r20,63,32,r3
10325cf4: 01 62 18 40 mtsar rp
10325cf8: d0 24 00 13 shrpw r4,r1,%sar,r19
10325cfc: da 73 0b e0 extrd,u r19,63,32,r19
10325d00: 0f 93 92 80 stw r19,0(sr2,ret0)
10325d04: 0e a8 50 94 ldw 4(sr1,r21),r20
10325d08: da 86 0b e0 extrd,u r20,63,32,r6
10325d0c: 01 62 18 40 mtsar rp
10325d10: d0 61 00 13 shrpw r1,r3,%sar,r19
10325d14: da 73 0b e0 extrd,u r19,63,32,r19
10325d18: 0f 93 92 88 stw r19,4(sr2,ret0)
10325d1c: 0e b0 50 94 ldw 8(sr1,r21),r20
10325d20: da 84 0b e0 extrd,u r20,63,32,r4
10325d24: 01 62 18 40 mtsar rp
10325d28: d0 c3 00 13 shrpw r3,r6,%sar,r19
10325d2c: da 73 0b e0 extrd,u r19,63,32,r19
10325d30: 0f 93 92 90 stw r19,8(sr2,ret0)
10325d34: e8 1f 1f 17 b,l,n 10325cc4 <pa_memcpy+0x204>,r0
10325d38: 01 62 18 40 mtsar rp
10325d3c: d0 24 00 13 shrpw r4,r1,%sar,r19
10325d40: da 73 0b e0 extrd,u r19,63,32,r19
10325d44: 0f 93 92 80 stw r19,0(sr2,ret0)
10325d48: 4b d4 3f 21 ldw -70(sp),r20
10325d4c: 4b d3 3f 21 ldw -70(sp),r19
10325d50: 8a 93 21 22 cmpb,<>,n r19,r20,10325de8 <cda_ldw_exc>
10325d54: 4b d4 3f 21 ldw -70(sp),r20
10325d58: 4b d3 3f 21 ldw -70(sp),r19
10325d5c: 8a 93 20 b8 cmpb,<> r19,r20,10325dc0 <cda_stw_exc>
10325d60: 08 18 02 53 copy r24,r19
10325d64: 4b d5 3f 21 ldw -70(sp),r21
10325d68: db 18 0b fe extrd,u r24,63,2,r24
10325d6c: 4b d4 3f 21 ldw -70(sp),r20
10325d70: f6 60 04 1e depdi 0,63,2,r19
10325d74: 0a 76 0a 36 add,l r22,r19,r22
10325d78: 8a b4 20 50 cmpb,<> r20,r21,10325da8 <pmc_load_exc>
10325d7c: 0a 7d 0a 3d add,l ret1,r19,ret1
10325d80: 4b d4 3f 21 ldw -70(sp),r20
10325d84: 4b d3 3f 21 ldw -70(sp),r19
10325d88: 82 93 3c 7d cmpb,= r19,r20,10325bcc <pa_memcpy+0x10c>
10325d8c: 08 00 02 40 nop
c.
* [parisc-linux] [RFC] Fix compat_sys_timer_create kernel security hole.
From: Carlos O'Donell @ 2005-08-02 0:15 UTC (permalink / raw)
To: parisc-linux
On Mon, Aug 01, 2005 at 12:42:54PM -0400, Carlos O'Donell wrote:
> parisc,
>
> Another crash. Remember in the compat case that the source and destination
> addresses may have sr's both set to zero since you are copying into a
> temporary kernel structure.
>
> Backtrace:
> [<0000000010325ef4>] copy_to_user+0x34/0x40
> [<00000000101711dc>] sys_timer_create+0x294/0x8c8
> [<00000000101836f4>] compat_sys_timer_create+0x74/0xa8
> [<0000000010107f8c>] syscall_exit+0x0/0x14
Found my own bug. I tested this code but at the time the kernel address
dereference worked and it didn't crash. Oddly enough the timer tests
passed in glibc.
When you run the full testsuite in nptl it catches this bug. The value
of created_timer_id is a userspace address and requires a copy into the
kernel and a copy back out.
Could someone else review this patch for anything else I might have
forgotten?
---
When using set_fs(KERNEL_DS) all the variables crossing the boundary
must be kernel addresses. Any user addresses would be treated as
kernel addresses and dereferences would cause an HPMC. This was the
case here. The value of created_timer_id must be read into the kernel
and later copied back out, the same for timer_event_spec.
2005-08-01 Carlos O'Donell <carlos@systemhalted.org>
* kernel/compat_signal.c (compat_copy_sigevent_to_user): New.
* kernel/compat.c (compat_sys_timer_create): Also copy
created_timer_id into kernel and use that.
* include/linux/compat_signal.h: Add prototypes.
Signed-off-by: Carlos O'Donell <carlos@systemhalted.org>
Index: kernel/compat_signal.c
===================================================================
RCS file: /var/cvs/linux-2.6/kernel/compat_signal.c,v
retrieving revision 1.7
diff -u -p -r1.7 compat_signal.c
--- kernel/compat_signal.c 3 Nov 2004 22:07:38 -0000 1.7
+++ kernel/compat_signal.c 2 Aug 2005 00:05:44 -0000
@@ -242,3 +242,39 @@ int compat_copy_sigevent_from_user(sigev
}
#endif
+#ifndef HAVE_ARCH_COPY_SIGEVENT_TO_USER
+int compat_copy_sigevent_to_user(compat_sigevent_t __user *to, sigevent_t *from)
+{
+ int err;
+ u32 scratch;
+
+ /* copy sigval_t sigev_value
+ int_t sival_int (same)
+ uptr_t sival_ptr (32 vs 64)*/
+ err = __put_user(from->sigev_value.sival_int,
+ &to->sigev_value.sival_int);
+ scratch = (u32 __force)from->sigev_value.sival_ptr & 0xffffffffUL;
+ err |= __put_user((compat_uptr_t)scratch, &to->sigev_value.sival_ptr);
+
+ /* copy int_t sigev_signo (same)*/
+ err |= __put_user(from->sigev_signo, &to->sigev_signo);
+
+ /* copy int_t sigev_notify (same)*/
+ err |= __put_user(from->sigev_notify, &to->sigev_notify);
+
+ /* never copy _sigev_un padding */
+
+ /* copy int_t _tid (same),
+ good_sigevent() uses this value of */
+ err |= __put_user(from->sigev_notify_thread_id, &to->sigev_notify_thread_id);
+
+ /* XXX: Do not copy these, they aren't used by
+ anyone. We would need to distinguish the uses of the union.
+ copy _sigev_thread
+ uptr_t _function (32 vs 64)
+ uptr_t _attribute (32 vs 64)*/
+
+ return err;
+}
+#endif
+
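Review bot: the two stores at the top of compat_copy_sigevent_to_user() land on the same four bytes. In the compat struct sival_int and sival_ptr are members of one union, so `err = __put_user(from->sigev_value.sival_int,` is immediately overwritten by `err |= __put_user((compat_uptr_t)scratch, &to->sigev_value.sival_ptr);`; storing the truncated pointer alone is sufficient, and the first store only obscures which member is meant. For the truncation, `scratch = (u32 __force)from->sigev_value.sival_ptr & 0xffffffffUL;` casts a 64-bit pointer straight to a 32-bit integer, which gcc reports as a pointer-to-integer size mismatch, and the mask on a value that is already 32 bits wide is a no-op; cast through unsigned long first, or use ptr_to_compat() where the architecture provides it. Also, `__put_user()` skips access_ok(), and `to` here is the raw timer_event_spec pointer handed down from compat.c with no access_ok(VERIFY_WRITE) anywhere in this patch; check it once at the top of this function or switch these to put_user().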
Index: kernel/compat.c
===================================================================
RCS file: /var/cvs/linux-2.6/kernel/compat.c,v
retrieving revision 1.27
diff -u -p -r1.27 compat.c
--- kernel/compat.c 22 Apr 2005 00:26:08 -0000 1.27
+++ kernel/compat.c 2 Aug 2005 00:05:46 -0000
@@ -663,17 +663,35 @@ long compat_sys_timer_create(clockid_t w
compat_timer_t __user * created_timer_id)
{
sigevent_t kevent;
+ timer_t ktimer;
mm_segment_t old_fs = get_fs();
long ret;
+ /* sigevent_t needs handling for 32-bit to 64-bit compat */
if (timer_event_spec != NULL)
if (compat_copy_sigevent_from_user(&kevent, timer_event_spec) != 0)
return -EFAULT;
+
+ /* Timer ID is assumed to be a non-struct simple value */
+ if (created_timer_id != NULL)
+ if (__get_user(ktimer, created_timer_id) != 0)
+ return -EFAULT;
set_fs(KERNEL_DS);
- ret = sys_timer_create(which_clock, timer_event_spec ? (sigevent_t __user *)&kevent : NULL, created_timer_id);
+ ret = sys_timer_create(which_clock,
+ timer_event_spec ? (sigevent_t __user *)&kevent : NULL,
+ created_timer_id ? (timer_t __user *)&ktimer : NULL);
set_fs(old_fs);
+
+ /* Copy back the results to userspace */
+ if (timer_event_spec != NULL)
+ if (compat_copy_sigevent_to_user(timer_event_spec, &kevent) != 0)
+ return -EFAULT;
+ if (created_timer_id != NULL)
+ if (__put_user(ktimer, created_timer_id) != 0)
+ return -EFAULT;
+
return ret;
}
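Review bot: the new `if (__get_user(ktimer, created_timer_id) != 0)` reads a value this syscall only ever writes; created_timer_id is an out-parameter, so the read is unnecessary and, being `__get_user()` on a pointer that has not passed access_ok(), unchecked as well. Initialize ktimer and drop the read, and make the copy-out after set_fs(old_fs) a put_user() for the same reason. Separately, both `return -EFAULT;` paths after set_fs(old_fs) run once sys_timer_create() has already succeeded, so the caller is told the call failed while the timer it created stays allocated; unless sys_timer_create() modifies kevent, which nothing in this hunk suggests, the copy back into timer_event_spec can be dropped entirely, and a failed write of ktimer needs the new timer torn down before returning.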
Index: include/linux/compat_siginfo.h
===================================================================
RCS file: /var/cvs/linux-2.6/include/linux/compat_siginfo.h,v
retrieving revision 1.7
diff -u -p -r1.7 compat_siginfo.h
--- include/linux/compat_siginfo.h 18 Mar 2005 14:38:12 -0000 1.7
+++ include/linux/compat_siginfo.h 2 Aug 2005 00:05:46 -0000
@@ -175,6 +175,7 @@ extern int compat_copy_siginfo_to_user(c
extern int compat_copy_siginfo_from_user(struct siginfo *to, compat_siginfo_t __user *from);
extern int compat_copy_sigevent_from_user(struct sigevent *to, compat_sigevent_t __user *from);
+extern int compat_copy_sigevent_to_user(compat_sigevent_t __user *to, struct sigevent *from);
#endif /* CONFIG_COMPAT */
#endif /* _ASM_GENERIC_COMPAT_SIGINFO_H */
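Review bot: the file touched by this hunk is include/linux/compat_siginfo.h, while the ChangeLog entry above says `* include/linux/compat_signal.h: Add prototypes.`; make the two agree. The new prototype also spells the source type `struct sigevent *from` where the definition in compat_signal.c uses `sigevent_t *from`; they are the same type, but the adjacent compat_copy_sigevent_from_user() line uses the struct spelling, so use that in both places.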
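A user-space model of the set_fs(KERNEL_DS) hazard explained in the message above, added here as an illustration and not code from the thread or from the kernel: two small memory windows stand in for kernel and user space, the broken wrapper passes the user pointer through while fs is KERNEL_DS as the original compat_sys_timer_create() did, and the fixed wrapper stages the result in kernel memory the way the patch does with ktimer. The address windows, the stack slot offset and the timer-id counter are all constructed for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE  0x1000UL
#define KMEM_BASE 0x10000000UL   /* constructed kernel address window */
#define UMEM_BASE 0xc0000000UL   /* constructed user address window   */

typedef enum { USER_DS, KERNEL_DS } mm_segment_t;
static mm_segment_t fs = USER_DS;
static unsigned char kernel_mem[MEM_SIZE], user_mem[MEM_SIZE];
static int32_t next_timer_id = 1;          /* constructed id allocator */

static mm_segment_t get_fs(void) { return fs; }
static void set_fs(mm_segment_t s) { fs = s; }

/* Under USER_DS only user addresses resolve. Under KERNEL_DS every address is
 * taken as a kernel one, so a leaked user pointer faults (the HPMC above). */
static unsigned char *resolve(unsigned long addr, size_t n)
{
    unsigned long base = (fs == USER_DS) ? UMEM_BASE : KMEM_BASE;
    unsigned char *mem = (fs == USER_DS) ? user_mem : kernel_mem;
    if (addr < base || addr + n > base + MEM_SIZE)
        return NULL;
    return mem + (addr - base);
}

static int copy_to_user(unsigned long to, const void *from, size_t n)
{
    unsigned char *p = resolve(to, n);
    if (!p) return -EFAULT;
    memcpy(p, from, n);
    return 0;
}

/* Native syscall: stores the new id through created_timer_id. */
static long sys_timer_create(unsigned long created_timer_id)
{
    int32_t id = next_timer_id;
    if (copy_to_user(created_timer_id, &id, sizeof id))
        return -EFAULT;                    /* model: nothing allocated on failure */
    next_timer_id++;
    return 0;
}

/* Before the fix: the user pointer crosses the boundary while fs is KERNEL_DS. */
static long compat_sys_timer_create_broken(unsigned long created_timer_id)
{
    mm_segment_t old_fs = get_fs();
    set_fs(KERNEL_DS);
    long ret = sys_timer_create(created_timer_id);
    set_fs(old_fs);
    return ret;
}

/* After the fix: sys_timer_create() only sees a kernel address; the result is
 * copied out once fs is restored, as the patch does with ktimer. */
static long compat_sys_timer_create_fixed(unsigned long created_timer_id)
{
    const unsigned long ktimer = KMEM_BASE + 0x100;   /* constructed stack slot */
    mm_segment_t old_fs = get_fs();
    set_fs(KERNEL_DS);
    long ret = sys_timer_create(ktimer);
    set_fs(old_fs);
    if (ret == 0 && copy_to_user(created_timer_id, &kernel_mem[0x100], sizeof(int32_t)))
        return -EFAULT;
    return ret;
}

/* Test helper: the id a caller finds at a user address afterwards. */
static int32_t user_read_id(unsigned long addr)
{ int32_t v; memcpy(&v, user_mem + (addr - UMEM_BASE), sizeof v); return v; }
```

The broken wrapper returns -EFAULT for any real user buffer, because under KERNEL_DS that address is looked up in the kernel window; the fixed wrapper returns 0 and the caller finds the new id in its buffer.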
* Re: [parisc-linux] [RFC] Fix compat_sys_timer_create kernel security hole.
From: Carlos O'Donell @ 2005-08-02 3:42 UTC (permalink / raw)
To: parisc-linux; +Cc: James Bottomley
On Mon, Aug 01, 2005 at 08:15:09PM -0400, Carlos O'Donell wrote:
> On Mon, Aug 01, 2005 at 12:42:54PM -0400, Carlos O'Donell wrote:
> > parisc,
> >
> > Another crash. Remember in the compat case that the source and destination
> > addresses may have sr's both set to zero since you are copying into a
> > temporary kernel structure.
> >
> > Backtrace:
> > [<0000000010325ef4>] copy_to_user+0x34/0x40
> > [<00000000101711dc>] sys_timer_create+0x294/0x8c8
> > [<00000000101836f4>] compat_sys_timer_create+0x74/0xa8
> > [<0000000010107f8c>] syscall_exit+0x0/0x14
>
> Found my own bug.
James Bottomley deserves credit here :)
c.