* [parisc-linux] pa_memcpy kernel crashing testcase == "glibc +nptl +testsuite", and some tests.
@ 2005-08-01 15:15 Carlos O'Donell
2005-08-01 16:42 ` Carlos O'Donell
0 siblings, 1 reply; 4+ messages in thread
From: Carlos O'Donell @ 2005-08-01 15:15 UTC (permalink / raw)
To: parisc-linux
parisc,
Luckily I found an excellent testcase that crashes the kernel *every*
time, thus enabling me to test a patch from Randolph to see if the
recent stability issues could be fixed.
Kernel 2.6.13-rc3-pa0
gcc version 3.3.6 (Debian 1:3.3.6-7)
64-bit kernel, UP, on an a500 (PA8700) with 1.5GB of RAM.
Running the glibc testsuite with NPTL enabled causes the machine
to consistently HPMC.
---------------------------------------------------------------------
Backtrace:
[<000000001032d994>] copy_to_user+0x34/0x40
[<0000000010172284>] sys_timer_create+0x294/0x8c8
[<0000000010184d04>] compat_sys_timer_create+0x74/0xa8
[<0000000010107f8c>] syscall_exit+0x0/0x14
Kernel Fault: Code=15 regs=00000000484cc480 (Addr=00000000c064cb48)
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001001111111100001111 Not tainted
r00-03 0000000000000000 0000000010677e28 000000001032d994 0000000000000000
r04-07 00000000106dfc00 0000000060e59e80 0000000000000000 00000000c064cb48
r08-11 00000000484cc190 0000000000000001 00000000000e8608 0000000000000000
r12-15 00000000000e8648 00000000000e88e8 00000000000aa000 00000000000eac08
r16-19 00000000000ecc08 00000000000e8648 0000000000000000 0000000000000000
r20-23 00000000484cc000 00000000484cc280 00000000484cc281 00000000c064cb48
r24-27 0000000000000004 00000000484cc280 00000000c064cb48 00000000106dfc00
r28-31 0000000000000000 00000000c064cb48 00000000484cc480 0000000000000004
sr0-3 0000000002014000 0000000000000000 0000000000000000 0000000002014000
sr4-7 0000000000000000 0000000000000000 0000000000000000 0000000000000000
VZOUICununcqcqcqcqcqcrmunTDVZOUI
FPSR: 00000000000000000000000000000000
FPER1: 00000000
fr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000
fr04-07 00000000101f7be4 00000000000000fa 0000000012623c18 0000000000000000
fr08-11 00000000106dfc00 0000000000000002 00000000106dfc00 0000000000000802
fr12-15 000f41fa2f2149c0 0000000000000020 fffffffffffffc18 0000000000000000
fr16-19 000000001019baa0 00000000125c7000 00000000101cb07c 00000000125c7000
fr20-23 00000000125c7000 0000000000000000 0000000000000043 0000000000000228
fr24-27 000fb909ffe5cb9a 3fe0000000000000 412e848000000000 00000000125c7000
fr28-31 0000000000001000 00000000106dfc00 000000001077f240 0000000000000000
IASQ: 0000000000000000 0000000000000000 IAOQ: 000000001032d678 000000001032d67c
IIR: 0fb39222 ISR: 0000000000000000 IOR: 00000000c064cb48
CPU: 0 CR30: 00000000484cc000 CR31: 00000000106a0000
ORIG_R28: 00000000106dfc00
IAOQ[0]: pa_memcpy+0x178/0x32c
IAOQ[1]: pa_memcpy+0x17c/0x32c
RP(r2): copy_to_user+0x34/0x40
Kernel panic - not syncing: Kernel Fault
---------------------------------------------------------------------
Randolph's patch to remove fpregs and the double word copies using those
registers can be found at:
http://www.parisc-linux.org/~tausq/fpreg.diff
The same kernel with that patch applied still crashes.
This can mean any number of things, but it could mean:
a. There is another path in the kernel code corrupting fp registers.
b. The optimal pa_memcpy is too optimal and exposes other bugs?
I think that 'a.' is the most plausible.
Any thoughts about catching the culprit?
Cheers,
Carlos.
NOTE:
Even with Randolph's patch the following functions use fpregs heavily:
__muldi3 : Heavy fpregs usage
__divdi3 : "
__moddi3 : "
__udivdi3 : "
__umoddi3 : "
The following functions save/restore fpregs:
linux_gateway_entry - Save fpregs
_switch_to - Save fpregs
_switch_to_ret - Restore fpregs
intr_restore - Restore fpregs
L4^B1 - Save fpregs?
L4^B2 - Save fpregs?
syscall_restore - Load fpregs
The following functions have a weird sequence involving fr31R?
schedule
1010e8c4: 68 d4 00 98 stw r20,4c(r6)
1010e8c8: 5c df 00 9a fldw 4c(r6),fr31R
1010e8cc: 00 13 18 60 mtsm r19
io_schedule
10110d14: 68 d3 24 88 stw r19,1244(r6)
10110d18: 5c df 24 8a fldw 1244(r6),fr31R
10110d1c: 00 14 18 60 mtsm r20
__down_read
__down_write
sys_ptrace
load_elf_binary
dev_ifname32
sched_setaffinity
get_task_mm
copy_mm
copy_fs_struct
copy_files
unshare_files
copy_process
profile_hit
release_task
daemonize
get_file_struct
...
And many more. This load to fr31R is discarded and never used.
_______________________________________________
parisc-linux mailing list
parisc-linux@lists.parisc-linux.org
http://lists.parisc-linux.org/mailman/listinfo/parisc-linux
* Re: [parisc-linux] pa_memcpy kernel crashing testcase == "glibc +nptl +testsuite", and some tests.
@ 2005-08-01 16:42 Carlos O'Donell
From: Carlos O'Donell @ 2005-08-01 16:42 UTC (permalink / raw)
To: parisc-linux
parisc,
Another crash. Remember in the compat case that the source and destination
addresses may have sr's both set to zero since you are copying into a
temporary kernel structure.
Backtrace:
[<0000000010325ef4>] copy_to_user+0x34/0x40
[<00000000101711dc>] sys_timer_create+0x294/0x8c8
[<00000000101836f4>] compat_sys_timer_create+0x74/0xa8
[<0000000010107f8c>] syscall_exit+0x0/0x14
Kernel Fault: Code=15 regs=0000000058fa0480 (Addr=00000000bffd6b48)
YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001001111111100001111 Not tainted
r00-03 0000000000000000 0000000010669a08 0000000010325ef4 0000000000000000
r04-07 00000000106d3ac0 0000000058f76e80 0000000000000000 00000000bffd6b48
r08-11 0000000058fa0190 0000000000000001 00000000000e8608 0000000000000000
r12-15 00000000000e8648 00000000000e88e8 00000000000aa000 00000000000eac08
r16-19 00000000000ecc08 00000000000e8648 0000000000000000 0000000000000000
r20-23 0000000058fa0000 0000000058fa0280 0000000058fa0281 00000000bffd6b48
r24-27 0000000000000004 0000000058fa0280 00000000bffd6b48 00000000106d3ac0
r28-31 0000000000000000 00000000bffd6b48 0000000058fa0480 0000000000000004
sr0-3 0000000000ae3800 0000000000000000 0000000000000000 0000000000ae3800
sr4-7 0000000000000000 0000000000000000 0000000000000000 0000000000000000
VZOUICununcqcqcqcqcqcrmunTDVZOUI
FPSR: 00000000000000000000000000000000
FPER1: 00000000
fr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000
fr04-07 00000000101f3d2c 00000000107575f8 0000000012603c18 0000000000000000
fr08-11 00000000106d3ac0 0000000000000002 00000000106d3ac0 0000000000000802
fr12-15 0000000010199b48 0000000000000020 00000000101c7cd4 00000000125ae000
fr16-19 00000000125ae000 0000000000000000 00000000106d3ac0 000f41fa2f8c1980
fr20-23 0000000000000020 00000000101c7cd4 0000000065378f74 000dae5bffe932bc
fr24-27 00000000001fec2c 3fe0000000000000 412e848000000000 00000000106d3ac0
fr28-31 000000006f8b3dc8 000000000000000b 0000000000000020 0000000000000043
IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000010325bd8 0000000010325bdc
IIR: 0fb39222 ISR: 0000000000000000 IOR: 00000000bffd6b48
CPU: 0 CR30: 0000000058fa0000 CR31: 0000000010694000
ORIG_R28: 00000000107733e0
IAOQ[0]: pa_memcpy+0x118/0x2d0
IAOQ[1]: pa_memcpy+0x11c/0x2d0
RP(r2): copy_to_user+0x34/0x40
Kernel panic - not syncing: Kernel Fault
<0>Rebooting in 180 seconds..
For the interested parties, here is a disassembly of pa_memcpy:
0000000010325ac0 <pa_memcpy>:
10325ac0: 0f c2 12 c1 std rp,-10(,sp)
10325ac4: 37 de 01 00 ldo 80(sp),sp
10325ac8: 73 c8 3f 41 std r8,-60(sp)
10325acc: 73 c6 3f 51 std r6,-58(sp)
10325ad0: 73 c5 3f 61 std r5,-50(sp)
10325ad4: 73 c4 3f 71 std r4,-48(sp)
10325ad8: 73 c3 3f 81 std r3,-40(sp)
10325adc: 08 18 02 5f copy r24,r31
10325ae0: 08 1a 02 57 copy r26,r23
10325ae4: 08 19 02 55 copy r25,r21
10325ae8: 08 19 02 56 copy r25,r22
10325aec: ef 1e 81 b0 cmpib,*>>= f,r24,10325bcc <pa_memcpy+0x10c>
10325af0: 08 1a 02 5d copy r26,ret1
10325af4: 0b 59 02 b4 xor r25,r26,r20
10325af8: da 93 0b fd extrd,u r20,63,3,r19
10325afc: ee 60 a2 72 cmpib,*<>,n 0,r19,10325c3c <pa_memcpy+0x17c>
10325b00: db 34 0b fd extrd,u r25,63,3,r20
10325b04: ee 80 a1 fa cmpib,*<>,n 0,r20,10325c08 <pa_memcpy+0x148>
10325b08: 08 16 02 57 copy r22,r23
10325b0c: 34 1a 00 3e ldi 1f,r26
10325b10: bf 1a 80 d8 cmpb,*>>= r26,r24,10325b84 <pa_memcpy+0xc4>
10325b14: 08 1d 02 59 copy ret1,r25
10325b18: 0e e8 50 b6 ldw,ma 4(sr1,r23),r22
10325b1c: da d6 0b e0 extrd,u r22,63,32,r22
10325b20: 0e e8 50 b5 ldw,ma 4(sr1,r23),r21
10325b24: da b5 0b e0 extrd,u r21,63,32,r21
10325b28: 0e e8 50 b4 ldw,ma 4(sr1,r23),r20
10325b2c: da 94 0b e0 extrd,u r20,63,32,r20
10325b30: 0e e8 50 b3 ldw,ma 4(sr1,r23),r19
10325b34: da 73 0b e0 extrd,u r19,63,32,r19
10325b38: 0f 36 92 a8 stw,ma r22,4(sr2,r25)
10325b3c: 0f 35 92 a8 stw,ma r21,4(sr2,r25)
10325b40: 0f 34 92 a8 stw,ma r20,4(sr2,r25)
10325b44: 0f 33 92 a8 stw,ma r19,4(sr2,r25)
10325b48: 0e e8 50 b6 ldw,ma 4(sr1,r23),r22
10325b4c: da d6 0b e0 extrd,u r22,63,32,r22
10325b50: 0e e8 50 b5 ldw,ma 4(sr1,r23),r21
10325b54: da b5 0b e0 extrd,u r21,63,32,r21
10325b58: 0e e8 50 b4 ldw,ma 4(sr1,r23),r20
10325b5c: da 94 0b e0 extrd,u r20,63,32,r20
10325b60: 0e e8 50 b3 ldw,ma 4(sr1,r23),r19
10325b64: da 73 0b e0 extrd,u r19,63,32,r19
10325b68: 0f 36 92 a8 stw,ma r22,4(sr2,r25)
10325b6c: 0f 35 92 a8 stw,ma r21,4(sr2,r25)
10325b70: 0f 34 92 a8 stw,ma r20,4(sr2,r25)
10325b74: 0f 33 92 a8 stw,ma r19,4(sr2,r25)
10325b78: 37 18 3f c1 ldo -20(r24),r24
10325b7c: 9f 1a 9f 2d cmpb,*<< r26,r24,10325b18 <pa_memcpy+0x58>
10325b80: 08 00 02 40 nop
10325b84: ef 1e 80 78 cmpib,*>>= f,r24,10325bc8 <pa_memcpy+0x108>
10325b88: 08 17 02 56 copy r23,r22
10325b8c: 0e e8 50 b6 ldw,ma 4(sr1,r23),r22
10325b90: da d6 0b e0 extrd,u r22,63,32,r22
10325b94: 0e e8 50 b5 ldw,ma 4(sr1,r23),r21
10325b98: da b5 0b e0 extrd,u r21,63,32,r21
10325b9c: 0e e8 50 b4 ldw,ma 4(sr1,r23),r20
10325ba0: da 94 0b e0 extrd,u r20,63,32,r20
10325ba4: 0e e8 50 b3 ldw,ma 4(sr1,r23),r19
10325ba8: da 73 0b e0 extrd,u r19,63,32,r19
10325bac: 0f 36 92 a8 stw,ma r22,4(sr2,r25)
10325bb0: 0f 35 92 a8 stw,ma r21,4(sr2,r25)
10325bb4: 0f 34 92 a8 stw,ma r20,4(sr2,r25)
10325bb8: 0f 33 92 a8 stw,ma r19,4(sr2,r25)
10325bbc: 37 18 3f e1 ldo -10(r24),r24
10325bc0: ef 1e 1f 8d cmpib,*<< f,r24,10325b8c <pa_memcpy+0xcc>
10325bc4: 08 17 02 56 copy r23,r22
10325bc8: 08 19 02 5d copy r25,ret1
10325bcc: ef 00 20 28 cmpib,*= 0,r24,10325be8 <pa_memcpy+0x128>
10325bd0: 34 1c 00 00 ldi 0,ret0
10325bd4: 0e c2 50 33 ldb,ma 1(sr1,r22),r19
10325bd8: 0f b3 92 22 stb,ma r19,1(sr2,ret1)
10325bdc: 37 18 3f ff ldo -1(r24),r24
10325be0: ef 00 bf dd cmpib,*<> 0,r24,10325bd4 <pa_memcpy+0x114>
10325be4: 34 1c 00 00 ldi 0,ret0
10325be8: 53 c2 3e e1 ldd -90(sp),rp
10325bec: 53 c8 3f 41 ldd -60(sp),r8
10325bf0: 53 c6 3f 51 ldd -58(sp),r6
10325bf4: 53 c5 3f 61 ldd -50(sp),r5
10325bf8: 53 c4 3f 71 ldd -48(sp),r4
10325bfc: 53 c3 3f 81 ldd -40(sp),r3
10325c00: e8 40 d0 00 bve (rp)
10325c04: 37 de 3f 01 ldo -80(sp),sp
10325c08: 96 94 00 10 subi 8,r20,r20
10325c0c: 0a 80 52 73 or,*>= r0,r20,r19
10325c10: 96 73 00 00 subi 0,r19,r19
10325c14: 0a 60 04 33 sub r0,r19,r19
10325c18: ef 00 3d d5 cmpib,*= 0,r24,10325b08 <pa_memcpy+0x48>
10325c1c: da 73 00 1f extrd,u r19,0,1,r19
10325c20: 86 60 3d cd cmpib,= 0,r19,10325b0c <pa_memcpy+0x4c>
10325c24: 08 16 02 57 copy r22,r23
10325c28: 0e c2 50 33 ldb,ma 1(sr1,r22),r19
10325c2c: 37 18 3f ff ldo -1(r24),r24
10325c30: 0f b3 92 22 stb,ma r19,1(sr2,ret1)
10325c34: e8 1f 1f a5 b,l 10325c0c <pa_memcpy+0x14c>,r0
10325c38: 36 94 3f ff ldo -1(r20),r20
10325c3c: da 93 0b fe extrd,u r20,63,2,r19
10325c40: ee 60 24 80 cmpib,*= 0,r19,10325e88 <cda_ldw_exc+0xa0>
10325c44: db 53 0b fe extrd,u r26,63,2,r19
10325c48: ee 60 a4 20 cmpib,*<> 0,r19,10325e60 <cda_ldw_exc+0x78>
10325c4c: 96 74 00 08 subi 4,r19,r20
10325c50: da b3 0b fe extrd,u r21,63,2,r19
10325c54: db 05 1b a2 extrd,u r24,61,62,r5
10325c58: f2 73 10 63 depd,z r19,60,61,r19
10325c5c: 08 17 02 5c copy r23,ret0
10325c60: 96 73 00 40 subi 20,r19,r19
10325c64: 34 04 00 00 ldi 0,r4
10325c68: da 62 0f e0 extrd,s r19,63,32,rp
10325c6c: 34 01 00 00 ldi 0,r1
10325c70: d8 b3 0b fe extrd,u r5,63,2,r19
10325c74: ee 66 00 e0 cmpib,*<< 3,r19,10325cec <pa_memcpy+0x22c>
10325c78: f6 a0 04 1e depdi 0,63,2,r21
10325c7c: 86 66 80 d2 cmpib,<<,n 3,r19,10325cec <pa_memcpy+0x22c>
10325c80: e8 13 40 00 blr r19,r0
10325c84: 08 00 02 40 nop
10325c88: e8 00 02 e8 b,l 10325e04 <cda_ldw_exc+0x1c>,r0
10325c8c: 08 00 02 40 nop
10325c90: e8 00 03 20 b,l 10325e28 <cda_ldw_exc+0x40>,r0
10325c94: 08 00 02 40 nop
10325c98: e8 00 00 10 b,l 10325ca8 <pa_memcpy+0x1e8>,r0
10325c9c: 08 00 02 40 nop
10325ca0: e8 00 03 38 b,l 10325e44 <cda_ldw_exc+0x5c>,r0
10325ca4: 08 00 02 40 nop
10325ca8: 0e a0 50 93 ldw 0(sr1,r21),r19
10325cac: da 66 0b e0 extrd,u r19,63,32,r6
10325cb0: 0e a8 50 94 ldw 4(sr1,r21),r20
10325cb4: 36 b5 3f f9 ldo -4(r21),r21
10325cb8: da 84 0b e0 extrd,u r20,63,32,r4
10325cbc: 34 a5 00 04 ldo 2(r5),r5
10325cc0: 36 fc 3f e9 ldo -c(r23),ret0
10325cc4: 0e b8 50 94 ldw c(sr1,r21),r20
10325cc8: da 81 0b e0 extrd,u r20,63,32,r1
10325ccc: 01 62 18 40 mtsar rp
10325cd0: d0 86 00 13 shrpw r6,r4,%sar,r19
10325cd4: da 73 0b e0 extrd,u r19,63,32,r19
10325cd8: 0f 93 92 98 stw r19,c(sr2,ret0)
10325cdc: 36 b5 00 20 ldo 10(r21),r21
10325ce0: 37 9c 00 20 ldo 10(ret0),ret0
10325ce4: 34 a5 3f f9 ldo -4(r5),r5
10325ce8: ec a0 20 92 cmpib,*=,n 0,r5,10325d38 <pa_memcpy+0x278>
10325cec: 0e a0 50 94 ldw 0(sr1,r21),r20
10325cf0: da 83 0b e0 extrd,u r20,63,32,r3
10325cf4: 01 62 18 40 mtsar rp
10325cf8: d0 24 00 13 shrpw r4,r1,%sar,r19
10325cfc: da 73 0b e0 extrd,u r19,63,32,r19
10325d00: 0f 93 92 80 stw r19,0(sr2,ret0)
10325d04: 0e a8 50 94 ldw 4(sr1,r21),r20
10325d08: da 86 0b e0 extrd,u r20,63,32,r6
10325d0c: 01 62 18 40 mtsar rp
10325d10: d0 61 00 13 shrpw r1,r3,%sar,r19
10325d14: da 73 0b e0 extrd,u r19,63,32,r19
10325d18: 0f 93 92 88 stw r19,4(sr2,ret0)
10325d1c: 0e b0 50 94 ldw 8(sr1,r21),r20
10325d20: da 84 0b e0 extrd,u r20,63,32,r4
10325d24: 01 62 18 40 mtsar rp
10325d28: d0 c3 00 13 shrpw r3,r6,%sar,r19
10325d2c: da 73 0b e0 extrd,u r19,63,32,r19
10325d30: 0f 93 92 90 stw r19,8(sr2,ret0)
10325d34: e8 1f 1f 17 b,l,n 10325cc4 <pa_memcpy+0x204>,r0
10325d38: 01 62 18 40 mtsar rp
10325d3c: d0 24 00 13 shrpw r4,r1,%sar,r19
10325d40: da 73 0b e0 extrd,u r19,63,32,r19
10325d44: 0f 93 92 80 stw r19,0(sr2,ret0)
10325d48: 4b d4 3f 21 ldw -70(sp),r20
10325d4c: 4b d3 3f 21 ldw -70(sp),r19
10325d50: 8a 93 21 22 cmpb,<>,n r19,r20,10325de8 <cda_ldw_exc>
10325d54: 4b d4 3f 21 ldw -70(sp),r20
10325d58: 4b d3 3f 21 ldw -70(sp),r19
10325d5c: 8a 93 20 b8 cmpb,<> r19,r20,10325dc0 <cda_stw_exc>
10325d60: 08 18 02 53 copy r24,r19
10325d64: 4b d5 3f 21 ldw -70(sp),r21
10325d68: db 18 0b fe extrd,u r24,63,2,r24
10325d6c: 4b d4 3f 21 ldw -70(sp),r20
10325d70: f6 60 04 1e depdi 0,63,2,r19
10325d74: 0a 76 0a 36 add,l r22,r19,r22
10325d78: 8a b4 20 50 cmpb,<> r20,r21,10325da8 <pmc_load_exc>
10325d7c: 0a 7d 0a 3d add,l ret1,r19,ret1
10325d80: 4b d4 3f 21 ldw -70(sp),r20
10325d84: 4b d3 3f 21 ldw -70(sp),r19
10325d88: 82 93 3c 7d cmpb,= r19,r20,10325bcc <pa_memcpy+0x10c>
10325d8c: 08 00 02 40 nop
c.
* [parisc-linux] [RFC] Fix compat_sys_timer_create kernel security hole.
@ 2005-08-02 0:15 Carlos O'Donell
From: Carlos O'Donell @ 2005-08-02 0:15 UTC (permalink / raw)
To: parisc-linux
On Mon, Aug 01, 2005 at 12:42:54PM -0400, Carlos O'Donell wrote:
> parisc,
>
> Another crash. Remember in the compat case that the source and destination
> addresses may have sr's both set to zero since you are copying into a
> temporary kernel structure.
>
> Backtrace:
> [<0000000010325ef4>] copy_to_user+0x34/0x40
> [<00000000101711dc>] sys_timer_create+0x294/0x8c8
> [<00000000101836f4>] compat_sys_timer_create+0x74/0xa8
> [<0000000010107f8c>] syscall_exit+0x0/0x14
Found my own bug. I tested this code but at the time the kernel address
dereference worked and it didn't crash. Oddly enough the timer tests passed
in glibc. When you run the full testsuite in nptl it catches this bug.
The value of created_timer_id is a userspace address and requires a copy
into the kernel and a copy back out.
Could someone else review this patch for anything else I might have forgotten?
---
When using set_fs(KERNEL_DS) all the variables crossing the boundary must
be kernel addresses. Any user addresses would be treated as kernel addresses
and dereferences would cause an HPMC. This was the case here. The value of
created_timer_id must be read into the kernel and later copied back out,
the same for timer_event_spec.
2005-08-01 Carlos O'Donell <carlos@systemhalted.org>
	* kernel/compat_signal.c (compat_copy_sigevent_to_user): New.
	* kernel/compat.c (compat_sys_timer_create): Also copy
	created_timer_id into kernel and use that.
	* include/linux/compat_signal.h: Add prototypes.
Signed-off-by: Carlos O'Donell <carlos@systemhalted.org>
Index: kernel/compat_signal.c
===================================================================
RCS file: /var/cvs/linux-2.6/kernel/compat_signal.c,v
retrieving revision 1.7
diff -u -p -r1.7 compat_signal.c
--- kernel/compat_signal.c	3 Nov 2004 22:07:38 -0000	1.7
+++ kernel/compat_signal.c	2 Aug 2005 00:05:44 -0000
@@ -242,3 +242,39 @@ int compat_copy_sigevent_from_user(sigev } #endif +#ifndef HAVE_ARCH_COPY_SIGEVENT_TO_USER +int compat_copy_sigevent_to_user(compat_sigevent_t __user *to, sigevent_t *from) +{ + int err; + u32 scratch; + + /* copy sigval_t sigev_value + int_t sival_int (same) + uptr_t sival_ptr (32 vs 64)*/ + err = __put_user(from->sigev_value.sival_int, + &to->sigev_value.sival_int); + scratch = (u32 __force)from->sigev_value.sival_ptr & 0xffffffffUL; + err |= __put_user((compat_uptr_t)scratch, &to->sigev_value.sival_ptr); + + /* copy int_t sigev_signo (same)*/ + err |= __put_user(from->sigev_signo, &to->sigev_signo); + + /* copy int_t sigev_notify (same)*/ + err |= __put_user(from->sigev_notify, &to->sigev_notify); + + /* never copy _sigev_un padding */ + + /* copy int_t _tid (same), + good_sigevent() uses this value of */ + err |= __put_user(from->sigev_notify_thread_id, &to->sigev_notify_thread_id); + + /* XXX: Do not copy these, they aren't used by + anyone. We would need to distinguish the uses of the union. + copy _sigev_thread + uptr_t _function (32 vs 64) + uptr_t _attribute (32 vs 64)*/ + + return err; +} +#endif + Index: kernel/compat.c =================================================================== RCS file: /var/cvs/linux-2.6/kernel/compat.c,v retrieving revision 1.27 diff -u -p -r1.27 compat.c --- kernel/compat.c 22 Apr 2005 00:26:08 -0000 1.27 +++ kernel/compat.c 2 Aug 2005 00:05:46 -0000 
@@ -663,17 +663,35 @@ long compat_sys_timer_create(clockid_t w compat_timer_t __user * created_timer_id) { sigevent_t kevent; + timer_t ktimer; mm_segment_t old_fs = get_fs(); long ret; + /* sigevent_t needs handling for 32-bit to 64-bit compat */ if (timer_event_spec != NULL) if (compat_copy_sigevent_from_user(&kevent, timer_event_spec) != 0) return -EFAULT; + + /* Timer ID is assumed to be a non-struct simple value */ + if (created_timer_id != NULL) + if (__get_user(ktimer, created_timer_id) != 0) + return -EFAULT; set_fs(KERNEL_DS); - ret = sys_timer_create(which_clock, timer_event_spec ? (sigevent_t __user *)&kevent : NULL, created_timer_id); + ret = sys_timer_create(which_clock, + timer_event_spec ? (sigevent_t __user *)&kevent : NULL, + created_timer_id ? (timer_t __user *)&ktimer : NULL); set_fs(old_fs); + + /* Copy back the results to userspace */ + if (timer_event_spec != NULL) + if (compat_copy_sigevent_to_user(timer_event_spec, &kevent) != 0) + return -EFAULT; + if (created_timer_id != NULL) + if (__put_user(ktimer, created_timer_id) != 0) + return -EFAULT; + return ret; } Index: include/linux/compat_siginfo.h =================================================================== RCS file: /var/cvs/linux-2.6/include/linux/compat_siginfo.h,v retrieving revision 1.7 diff -u -p -r1.7 compat_siginfo.h --- include/linux/compat_siginfo.h 18 Mar 2005 14:38:12 -0000 1.7 +++ include/linux/compat_siginfo.h 2 Aug 2005 00:05:46 -0000 
@@ -175,6 +175,7 @@ extern int compat_copy_siginfo_to_user(c extern int compat_copy_siginfo_from_user(struct siginfo *to, compat_siginfo_t __user *from); extern int compat_copy_sigevent_from_user(struct sigevent *to, compat_sigevent_t __user *from); +extern int compat_copy_sigevent_to_user(compat_sigevent_t __user *to, struct sigevent *from); #endif /* CONFIG_COMPAT */ #endif /* _ASM_GENERIC_COMPAT_SIGINFO_H */
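Review bot: compat_copy_sigevent_to_user in the kernel/compat_signal.c hunk stores through `to` with __put_user only, which skips the access_ok() check, and `to` is the caller's user pointer; either open the function with `if (!access_ok(VERIFY_WRITE, to, sizeof(*to))) return -EFAULT;` or make the first store a plain put_user. Smaller points in the same hunk: the comment "good_sigevent() uses this value of" breaks off mid-sentence; in `scratch = (u32 __force)from->sigev_value.sival_ptr & 0xffffffffUL;` the mask is redundant once the value has been cast to u32, and casting a 64-bit pointer straight to u32 draws a "cast from pointer to integer of different size" warning, so go through unsigned long first, e.g. `(compat_uptr_t)(unsigned long)from->sigev_value.sival_ptr`; and the sival_int and sival_ptr stores land in the same 32-bit union slot of the compat struct, so the second overwrites the first and one store is enough.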
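Review bot: in the kernel/compat.c hunk, a failed copy-back after sys_timer_create has succeeded returns -EFAULT but leaves the new timer allocated; sys_timer_create releases the timer when its own copy_to_user fails, so the wrapper should do the equivalent, e.g. only copy back when `ret == 0` and tear the timer down (sys_timer_delete(ktimer)) before returning -EFAULT if `__put_user(ktimer, created_timer_id)` fails. The `__get_user(ktimer, created_timer_id)` before the call is unnecessary: created_timer_id is an output-only argument, so ktimer needs no initial value, and if the read is meant to validate the pointer before the KERNEL_DS window, that check is access_ok(VERIFY_WRITE, ...), which __get_user and __put_user both skip. The copy of kevent back to timer_event_spec is only needed if sys_timer_create modifies the sigevent it is given; if it only reads it, the copy-back is extra work and one more way to fail after the timer exists.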
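Review bot: the prototype is added to include/linux/compat_siginfo.h, but the ChangeLog entry says include/linux/compat_signal.h; fix the entry so it names the file actually touched. The declaration also spells the second parameter `struct sigevent *from` while the definition in kernel/compat_signal.c uses `sigevent_t *from`; the typedef makes them compatible, but the existing compat_copy_sigevent_from_user declaration uses `struct sigevent`, so use that spelling in both places.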
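The set_fs(KERNEL_DS) hazard this message describes, as an added userland model that is not part of the posted patch or of the kernel: a constructed "user" and "kernel" address space, a copy_to_user that behaves like the real one under the two limits, and the compat wrapper in its pre-patch and patched shapes. The address ranges, KTIMER_SLOT, the id counter and the function names are all constructed for the example; the real kernel takes an HPMC rather than returning -EFAULT when a user address is dereferenced under KERNEL_DS.

```c
/* Added userland model of the set_fs(KERNEL_DS) hazard from the thread.
 * Nothing here is kernel code; address ranges, slot and ids are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: user addresses are [0, USER_LIMIT),
 * kernel addresses are [KERNEL_BASE, KERNEL_BASE + KERNEL_SIZE). */
#define USER_LIMIT   0x1000u
#define KERNEL_BASE  0x40000000u
#define KERNEL_SIZE  0x1000u
#define KTIMER_SLOT  (KERNEL_BASE + 0x100u)  /* constructed kernel temporary */

static unsigned char user_mem[USER_LIMIT];
static unsigned char kern_mem[KERNEL_SIZE];

enum fs { USER_DS, KERNEL_DS };
static enum fs cur_fs = USER_DS;
static enum fs get_fs(void) { return cur_fs; }
static void set_fs(enum fs fs) { cur_fs = fs; }

/* Address translation under the current limit.  USER_DS admits only user
 * addresses.  KERNEL_DS lifts the limit, and a user address handed in under
 * it is resolved in the kernel's own space (sr == 0 on parisc), where nothing
 * is mapped: NULL here, an HPMC on the real machine. */
static unsigned char *resolve(uintptr_t addr, size_t len)
{
    if (cur_fs == USER_DS) {
        if (addr + len <= USER_LIMIT && addr + len >= addr)
            return user_mem + addr;
        return NULL;
    }
    if (addr >= KERNEL_BASE && addr + len <= KERNEL_BASE + KERNEL_SIZE)
        return kern_mem + (addr - KERNEL_BASE);
    return NULL;
}

/* Model of copy_to_user: -EFAULT when the destination does not resolve. */
static long copy_to_user(uintptr_t to, const void *from, size_t len)
{
    unsigned char *dst = resolve(to, len);
    if (!dst)
        return -EFAULT;
    memcpy(dst, from, len);
    return 0;
}

static int next_timer_id = 1;

/* Model of sys_timer_create: allocate an id, publish it through
 * copy_to_user, and release it again if that store fails. */
static long sys_timer_create(uintptr_t created_timer_id)
{
    int id = next_timer_id++;
    if (copy_to_user(created_timer_id, &id, sizeof id)) {
        next_timer_id--;
        return -EFAULT;
    }
    return 0;
}

/* Pre-patch shape: raise the limit and pass the caller's pointer through.
 * A user pointer now faults in kernel space; a kernel pointer is accepted
 * and written, which is the hole the subject line refers to. */
static long compat_timer_create_buggy(uintptr_t created_timer_id)
{
    enum fs old_fs = get_fs();
    long ret;
    set_fs(KERNEL_DS);
    ret = sys_timer_create(created_timer_id);
    set_fs(old_fs);
    return ret;
}

/* Patched shape: check the user pointer under USER_DS first, let the inner
 * call see only a kernel temporary, and copy out after restoring the limit. */
static long compat_timer_create_fixed(uintptr_t created_timer_id)
{
    enum fs old_fs = get_fs();
    int ktimer;
    long ret;
    if (!resolve(created_timer_id, sizeof ktimer))
        return -EFAULT;
    set_fs(KERNEL_DS);
    ret = sys_timer_create(KTIMER_SLOT);
    set_fs(old_fs);
    if (ret)
        return ret;
    memcpy(&ktimer, kern_mem + (KTIMER_SLOT - KERNEL_BASE), sizeof ktimer);
    return copy_to_user(created_timer_id, &ktimer, sizeof ktimer);
}

/* Inspect the constructed memories. */
static int user_int_at(uintptr_t addr)
{
    int v;
    memcpy(&v, user_mem + addr, sizeof v);
    return v;
}
static int kernel_int_at(uintptr_t addr)
{
    int v;
    memcpy(&v, kern_mem + (addr - KERNEL_BASE), sizeof v);
    return v;
}

int main(void)
{
    long r1 = compat_timer_create_buggy(0x200);                  /* faults */
    long r2 = compat_timer_create_buggy(KERNEL_BASE + 0x10);     /* kernel write */
    long r3 = compat_timer_create_fixed(KERNEL_BASE + 0x10);     /* rejected */
    long r4 = compat_timer_create_fixed(0x200);                  /* correct */
    printf("buggy/user %ld, buggy/kernel %ld (kernel word %d), fixed/kernel %ld, "
           "fixed/user %ld (user word %d)\n", r1, r2,
           kernel_int_at(KERNEL_BASE + 0x10), r3, r4, user_int_at(0x200));
    return 0;
}
```

The pre-check in compat_timer_create_fixed is the access_ok() step the posted patch relies on __get_user for; doing it under USER_DS, before the limit is raised, is what keeps a kernel address from ever reaching the inner call.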
* Re: [parisc-linux] [RFC] Fix compat_sys_timer_create kernel security hole.
@ 2005-08-02 3:42 Carlos O'Donell
From: Carlos O'Donell @ 2005-08-02 3:42 UTC (permalink / raw)
To: parisc-linux; +Cc: James Bottomley
On Mon, Aug 01, 2005 at 08:15:09PM -0400, Carlos O'Donell wrote:
> On Mon, Aug 01, 2005 at 12:42:54PM -0400, Carlos O'Donell wrote:
> > parisc,
> >
> > Another crash. Remember in the compat case that the source and destination
> > addresses may have sr's both set to zero since you are copying into a
> > temporary kernel structure.
> >
> > Backtrace:
> > [<0000000010325ef4>] copy_to_user+0x34/0x40
> > [<00000000101711dc>] sys_timer_create+0x294/0x8c8
> > [<00000000101836f4>] compat_sys_timer_create+0x74/0xa8
> > [<0000000010107f8c>] syscall_exit+0x0/0x14
>
> Found my own bug.
James Bottomley deserves credit here :)
c.