From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org
Cc: mingo@redhat.com, ralf@linux-mips.org, pageexec@freemail.hu
Subject: [PATCH][RFC] fix long long cast in pte macro
Date: Wed, 30 Aug 2006 08:27:18 +0200 [thread overview]
Message-ID: <20060830062718.GA289@1wt.eu> (raw)
Hi,
PaX Team sent me this patch, which I think is valid. It fixes a long long
cast in the pte macro for i386 and mips. If nobody has any objections, I
will apply it to 2.4. I'd also like someone to check whether it's needed
for 2.6 and to forward port it if needed.
Thanks,
Willy
--
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.
diff -u linux-2.4.33-pax/include/asm-i386/page.h linux-2.4.33-pax/include/asm-i386/page.h
--- linux-2.4.33-pax/include/asm-i386/page.h 2006-08-16 15:18:16.000000000 +0200
+++ linux-2.4.33-pax/include/asm-i386/page.h 2006-08-20 13:48:17.000000000 +0200
@@ -41,11 +41,13 @@
typedef struct { unsigned long long pmd; } pmd_t;
typedef struct { unsigned long long pgd; } pgd_t;
#define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
+#define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
#else
typedef struct { unsigned long pte_low; } pte_t;
typedef struct { unsigned long pmd; } pmd_t;
typedef struct { unsigned long pgd; } pgd_t;
#define pte_val(x) ((x).pte_low)
+#define __pte(x) ((pte_t) { (x) } )
#endif
#define PTE_MASK PAGE_MASK
@@ -55,7 +57,6 @@
#define pgd_val(x) ((x).pgd)
#define pgprot_val(x) ((x).pgprot)
-#define __pte(x) ((pte_t) { (x) } )
#define __pmd(x) ((pmd_t) { (x) } )
#define __pgd(x) ((pgd_t) { (x) } )
#define __pgprot(x) ((pgprot_t) { (x) } )
diff -u linux-2.4.33-pax/include/asm-mips/page.h linux-2.4.33-pax/include/asm-mips/page.h
--- linux-2.4.33-pax/include/asm-mips/page.h 2006-08-13 00:03:26.000000000 +0200
+++ linux-2.4.33-pax/include/asm-mips/page.h 2006-08-20 13:51:58.000000000 +0200
@@ -77,13 +77,16 @@
#ifdef CONFIG_CPU_MIPS32
typedef struct { unsigned long pte_low, pte_high; } pte_t;
#define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
#else
typedef struct { unsigned long long pte_low; } pte_t;
#define pte_val(x) ((x).pte_low)
+ #define __pte(x) ((pte_t) { (x) } )
#endif
#else
typedef struct { unsigned long pte_low; } pte_t;
#define pte_val(x) ((x).pte_low)
+#define __pte(x) ((pte_t) { (x) } )
#endif
typedef struct { unsigned long pmd; } pmd_t;
@@ -96,7 +99,6 @@
#define ptep_buddy(x) ((pte_t *)((unsigned long)(x) ^ sizeof(pte_t)))
-#define __pte(x) ((pte_t) { (x) } )
#define __pmd(x) ((pmd_t) { (x) } )
#define __pgd(x) ((pgd_t) { (x) } )
#define __pgprot(x) ((pgprot_t) { (x) } )
next reply other threads:[~2006-08-30 6:27 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-30 6:27 Willy Tarreau [this message]
2006-08-31 16:35 ` [PATCH][RFC] fix long long cast in pte macro Ralf Baechle
2006-08-31 16:58 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060830062718.GA289@1wt.eu \
--to=w@1wt.eu \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pageexec@freemail.hu \
--cc=ralf@linux-mips.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.