From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Roland McGrath <roland@redhat.com>,
Jeff Mahoney <jeffm@suse.com>,
Oliver Pinter <oliver.pntr@gmail.com>
Subject: [patch 08/23] Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)
Date: Fri, 22 Feb 2008 13:40:24 -0800 [thread overview]
Message-ID: <20080222214024.GI8686@suse.de> (raw)
In-Reply-To: <20080222213927.GA8686@suse.de>
[-- Attachment #1: handle-bogus-cs-selector-in-single-step-instruction-decoding.patch --]
[-- Type: text/plain, Size: 2618 bytes --]
2.6.22-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Roland McGrath <roland@redhat.com>
Handle bogus %cs selector in single-step instruction decoding
mainline: 29eb51101c02df517ca64ec472d7501127ad1da8
The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Jeff Mahoney <jeffm@suse.com>
CC: Oliver Pinter <oliver.pntr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/i386/kernel/ptrace.c | 22 +++++++++++++++-------
arch/x86_64/kernel/ptrace.c | 23 ++++++++++++++++-------
2 files changed, 31 insertions(+), 14 deletions(-)
--- a/arch/i386/kernel/ptrace.c
+++ b/arch/i386/kernel/ptrace.c
@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_line
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
return addr;
--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(stru
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
+
return addr;
}
--
next prev parent reply other threads:[~2008-02-22 21:47 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080222213114.583282464@mini.kroah.org>
2008-02-22 21:39 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 21:39 ` [patch 01/23] cciss: fix memory leak Greg KH
2008-02-22 21:40 ` [patch 02/23] sata_promise: FastTrack TX4200 is a second-generation chip Greg KH
2008-02-22 21:40 ` [patch 03/23] sata_promise: ASIC PRD table bug workaround Greg KH
2008-02-22 21:40 ` [patch 04/23] PCI: Fix fakephp deadlock Greg KH
2008-02-22 21:40 ` [patch 05/23] quicklists: do not release off node pages early Greg KH
2008-02-22 21:40 ` [patch 06/23] NFS: Fix a potential file corruption issue when writing Greg KH
2008-02-22 21:40 ` [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver Greg KH
2008-02-25 15:06 ` Lee Schermerhorn
2008-02-25 15:39 ` Jens Axboe
2008-02-25 17:55 ` [stable] " Greg KH
2008-02-22 21:40 ` Greg KH [this message]
2008-02-22 21:40 ` [patch 09/23] i386: fixup TRACE_IRQ breakage (CVE-2007-3731) Greg KH
2008-02-22 21:40 ` [patch 10/23] Intel_agp: really fix 945/965GME Greg KH
2008-02-22 21:40 ` [patch 11/23] pci: fix unterminated pci_device_id lists Greg KH
2008-02-22 21:40 ` [patch 12/23] sony-laptop: call sonypi_compat_init earlier Greg KH
2008-02-22 21:40 ` [patch 13/23] VIA_VELOCITY: Dont oops on MTU change Greg KH
2008-02-22 21:40 ` [patch 14/23] via-velocity: dont oops on MTU change (resend) Greg KH
2008-02-22 21:40 ` [patch 15/23] knfsd: fix spurious EINVAL errors on first access of new filesystem Greg KH
2008-02-22 21:40 ` [patch 16/23] NFS: Fix nfs_reval_fsid() Greg KH
2008-02-22 21:40 ` [patch 17/23] NFSv2/v3: Fix a memory leak when using -onolock Greg KH
2008-02-22 21:40 ` [patch 18/23] NFS: Fix an Oops in encode_lookup() Greg KH
2008-02-22 21:40 ` [patch 19/23] knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME Greg KH
2008-02-22 21:40 ` [patch 20/23] quicklists: Only consider memory that can be used with GFP_KERNEL Greg KH
2008-02-22 21:40 ` [patch 21/23] Be more robust about bad arguments in get_user_pages() Greg KH
2008-02-22 21:40 ` [patch 22/23] SCSI: sd: handle bad lba in sense information Greg KH
2008-02-22 21:41 ` [patch 23/23] NETFILTER: nf_conntrack_tcp: conntrack reopening fix Greg KH
2008-02-22 21:44 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 22:03 ` Oliver Pinter
2008-02-22 22:32 ` Greg KH
2008-02-23 8:47 ` Willy Tarreau
2008-02-22 21:59 ` Oliver Pinter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080222214024.GI8686@suse.de \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jeffm@suse.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=oliver.pntr@gmail.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=roland@redhat.com \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.