From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
	OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>,
	Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 22/22] Add more prevent_tail_call()
Date: Thu, 20 Apr 2006 21:39:51 -0700	[thread overview]
Message-ID: <20060421043951.GT12846@kroah.com> (raw)
In-Reply-To: <20060421043706.GA12846@kroah.com>

[-- Attachment #1: add-more-prevent_tail_call.patch --]
[-- Type: text/plain, Size: 4609 bytes --]

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

[PATCH] Add more prevent_tail_call()

These also break userland regs, as in the following example.

   00000000 <sys_chown16>:
      0:	0f b7 44 24 0c       	movzwl 0xc(%esp),%eax
      5:	83 ca ff             	or     $0xffffffff,%edx
      8:	0f b7 4c 24 08       	movzwl 0x8(%esp),%ecx
      d:	66 83 f8 ff          	cmp    $0xffffffff,%ax
     11:	0f 44 c2             	cmove  %edx,%eax
     14:	66 83 f9 ff          	cmp    $0xffffffff,%cx
     18:	0f 45 d1             	cmovne %ecx,%edx
     1b:	89 44 24 0c          	mov    %eax,0xc(%esp)
     1f:	89 54 24 08          	mov    %edx,0x8(%esp)
     23:	e9 fc ff ff ff       	jmp    24 <sys_chown16+0x24>

where the tailcall at the end overwrites the incoming stack-frame.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 kernel/uid16.c |   59 ++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 46 insertions(+), 13 deletions(-)

--- linux-2.6.16.9.orig/kernel/uid16.c
+++ linux-2.6.16.9/kernel/uid16.c
@@ -20,43 +20,67 @@
 
 asmlinkage long sys_chown16(const char __user * filename, old_uid_t user, old_gid_t group)
 {
-	return sys_chown(filename, low2highuid(user), low2highgid(group));
+	long ret = sys_chown(filename, low2highuid(user), low2highgid(group));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_lchown16(const char __user * filename, old_uid_t user, old_gid_t group)
 {
-	return sys_lchown(filename, low2highuid(user), low2highgid(group));
+	long ret = sys_lchown(filename, low2highuid(user), low2highgid(group));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
 {
-	return sys_fchown(fd, low2highuid(user), low2highgid(group));
+	long ret = sys_fchown(fd, low2highuid(user), low2highgid(group));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid)
 {
-	return sys_setregid(low2highgid(rgid), low2highgid(egid));
+	long ret = sys_setregid(low2highgid(rgid), low2highgid(egid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_setgid16(old_gid_t gid)
 {
-	return sys_setgid(low2highgid(gid));
+	long ret = sys_setgid(low2highgid(gid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
 {
-	return sys_setreuid(low2highuid(ruid), low2highuid(euid));
+	long ret = sys_setreuid(low2highuid(ruid), low2highuid(euid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_setuid16(old_uid_t uid)
 {
-	return sys_setuid(low2highuid(uid));
+	long ret = sys_setuid(low2highuid(uid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
 {
-	return sys_setresuid(low2highuid(ruid), low2highuid(euid),
-		low2highuid(suid));
+	long ret = sys_setresuid(low2highuid(ruid), low2highuid(euid),
+				 low2highuid(suid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_getresuid16(old_uid_t __user *ruid, old_uid_t __user *euid, old_uid_t __user *suid)
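Review bot: The comment `/* avoid REGPARM breakage on x86: */` placed before each `prevent_tail_call(ret);` in this hunk (and repeated in the sys_setresgid16, sys_setfsuid16 and sys_setfsgid16 hunks below) names the symptom but not the mechanism, so a later cleanup that sees `long ret = ...; return ret;` could fold it back into a direct `return` and silently reintroduce the register clobber described in the commit message. The `long ret` temporary by itself does not prevent a compiler from emitting a sibling call; the barrier is `prevent_tail_call()`, and the comment should say so. A wording that carries the reason would be `/* prevent_tail_call(): a sibling call into sys_chown() would let the callee overwrite this asmlinkage frame's incoming argument slots, which are user-visible registers on x86 */`, adapted to the callee in each wrapper. This correctness depends on `prevent_tail_call()` being a real compiler barrier on every configuration that builds this file; if it expands to nothing on some arch that is still affected, the pattern here gives no protection there, which is worth confirming against its definition.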
@@ -72,8 +96,11 @@ asmlinkage long sys_getresuid16(old_uid_
 
 asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid)
 {
-	return sys_setresgid(low2highgid(rgid), low2highgid(egid),
-		low2highgid(sgid));
+	long ret = sys_setresgid(low2highgid(rgid), low2highgid(egid),
+				 low2highgid(sgid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_getresgid16(old_gid_t __user *rgid, old_gid_t __user *egid, old_gid_t __user *sgid)
@@ -89,12 +116,18 @@ asmlinkage long sys_getresgid16(old_gid_
 
 asmlinkage long sys_setfsuid16(old_uid_t uid)
 {
-	return sys_setfsuid(low2highuid(uid));
+	long ret = sys_setfsuid(low2highuid(uid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 asmlinkage long sys_setfsgid16(old_gid_t gid)
 {
-	return sys_setfsgid(low2highgid(gid));
+	long ret = sys_setfsgid(low2highgid(gid));
+	/* avoid REGPARM breakage on x86: */
+	prevent_tail_call(ret);
+	return ret;
 }
 
 static int groups16_to_user(old_gid_t __user *grouplist,

--
