From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Jan Beulich <jbeulich@novell.com>, Ingo Molnar <mingo@elte.hu>
Subject: [patch 03/26] x86: Dont leak 64-bit kernel register values to 32-bit processes
Date: Fri, 09 Oct 2009 16:08:39 -0700	[thread overview]
Message-ID: <20091009231000.480936034@mini.kroah.org> (raw)
In-Reply-To: <20091009231249.GA31084@kroah.com>

[-- Attachment #1: x86-don-t-leak-64-bit-kernel-register-values-to-32-bit-processes.patch --]
[-- Type: text/plain, Size: 3204 bytes --]

2.6.31-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Jan Beulich <JBeulich@novell.com>

commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream.

While 32-bit processes can't directly access R8...R15, they can
gain access to these registers by temporarily switching themselves
into 64-bit mode.

Therefore, the registers that called C functions do not preserve anyway
(i.e. R8...R11) must be cleared prior to returning to user mode.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -21,8 +21,8 @@
 #define __AUDIT_ARCH_LE	   0x40000000
 
 #ifndef CONFIG_AUDITSYSCALL
-#define sysexit_audit int_ret_from_sys_call
-#define sysretl_audit int_ret_from_sys_call
+#define sysexit_audit ia32_ret_from_sys_call
+#define sysretl_audit ia32_ret_from_sys_call
 #endif
 
 #define IA32_NR_syscalls ((ia32_syscall_end - ia32_sys_call_table)/8)
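Review bot: The retargeted `sysexit_audit`/`sysretl_audit` fallbacks are the only thing that puts a kernel built without CONFIG_AUDITSYSCALL onto the register-clearing exit path, and nothing in the block says so. A one-line comment above `#ifndef CONFIG_AUDITSYSCALL` would record the intent: `/* without audit, exit via ia32_ret_from_sys_call so the R8-R11 slots are cleared before int_ret_from_sys_call */`. The `jnz ia32_ret_from_sys_call` in the auditsys_exit hunk below is the same retargeting and needs no separate comment once the new label itself is documented.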
@@ -39,12 +39,12 @@
 	.endm 
 
 	/* clobbers %eax */	
-	.macro  CLEAR_RREGS _r9=rax
+	.macro  CLEAR_RREGS offset=0, _r9=rax
 	xorl 	%eax,%eax
-	movq	%rax,R11(%rsp)
-	movq	%rax,R10(%rsp)
-	movq	%\_r9,R9(%rsp)
-	movq	%rax,R8(%rsp)
+	movq	%rax,\offset+R11(%rsp)
+	movq	%rax,\offset+R10(%rsp)
+	movq	%\_r9,\offset+R9(%rsp)
+	movq	%rax,\offset+R8(%rsp)
 	.endm
 
 	/*
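Review bot: The new `offset` parameter is undocumented; the only macro comment is still `/* clobbers %eax */`. The call sites in this patch pass `-ARGOFFSET` where only the argument part of the frame is on the stack and `0` right after SAVE_REST, so the comment should say that: `/* clobbers %eax; offset = adjustment from %rsp to the pt_regs base (-ARGOFFSET with a partial frame, 0 after SAVE_REST) */`. It is also worth a phrase that the macro zeroes the saved R8-R11 slots rather than the live registers, so the clearing presumably takes effect only when those slots are restored on the int_ret_from_sys_call path.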
@@ -172,6 +172,10 @@ sysexit_from_sys_call:
 	movl	RIP-R11(%rsp),%edx		/* User %eip */
 	CFI_REGISTER rip,rdx
 	RESTORE_ARGS 1,24,1,1,1,1
+	xorq	%r8,%r8
+	xorq	%r9,%r9
+	xorq	%r10,%r10
+	xorq	%r11,%r11
 	popfq
 	CFI_ADJUST_CFA_OFFSET -8
 	/*CFI_RESTORE rflags*/
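Review bot: The four `xorq` instructions between `RESTORE_ARGS` and `popfq` carry no comment, and their placement is load-bearing: `xor` writes the flags, so moving them below `popfq` would corrupt the user's restored eflags, and moving them above `RESTORE_ARGS` is only safe if that macro does not reload r8-r11. Suggest `/* clear r8-r11 so kernel values can't reach 32-bit user mode; must stay above popfq because xor writes flags */`. The `xorq %r10,%r10` / `%r9` / `%r8` block in the sysretl_from_sys_call hunk further down serves the same purpose and deserves the same comment. sysexit_from_sys_call begins outside this hunk.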
@@ -202,7 +206,7 @@ sysexit_from_sys_call:
 
 	.macro auditsys_exit exit,ebpsave=RBP
 	testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
-	jnz int_ret_from_sys_call
+	jnz ia32_ret_from_sys_call
 	TRACE_IRQS_ON
 	sti
 	movl %eax,%esi		/* second arg, syscall return value */
@@ -218,8 +222,9 @@ sysexit_from_sys_call:
 	cli
 	TRACE_IRQS_OFF
 	testl %edi,TI_flags(%r10)
-	jnz int_with_check
-	jmp \exit
+	jz \exit
+	CLEAR_RREGS -ARGOFFSET
+	jmp int_with_check
 	.endm
 
 sysenter_auditsys:
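Review bot: The inverted exit (`jz \exit`, then `CLEAR_RREGS -ARGOFFSET`, `jmp int_with_check`) relies on `%edi` still holding the work mask tested on the preceding `testl` when control reaches `int_with_check`, and on CLEAR_RREGS touching only `%eax` as its comment states; neither dependency is written down here. A comment on the invocation, `/* only clobbers %eax; %edi (work mask) stays live for int_with_check */`, would keep a later change to CLEAR_RREGS from silently breaking this path. Whether int_with_check actually consumes `%edi` is not visible in this patch and should be confirmed against entry_64.S. The auditsys_exit macro begins outside this hunk.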
@@ -329,6 +334,9 @@ sysretl_from_sys_call:
 	CFI_REGISTER rip,rcx
 	movl EFLAGS-ARGOFFSET(%rsp),%r11d	
 	/*CFI_REGISTER rflags,r11*/
+	xorq	%r10,%r10
+	xorq	%r9,%r9
+	xorq	%r8,%r8
 	TRACE_IRQS_ON
 	movl RSP-ARGOFFSET(%rsp),%esp
 	CFI_RESTORE rsp
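Review bot: Only r8-r10 are cleared here while r11 is left alone, and the reason — `%r11d` was loaded with the user's EFLAGS two lines earlier for the sysret return — is not stated, so next to the sysexit path that clears all four it reads like an omission. Suggest `/* r11 carries user eflags for sysret; zero r8-r10 so kernel values don't leak to 32-bit user mode */`. The xors also sit before `TRACE_IRQS_ON`, which is fine as far as this hunk shows since the flags have already been captured in r11, but the comment should make that ordering intentional. sysretl_from_sys_call begins outside this hunk.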
@@ -353,7 +361,7 @@ cstar_tracesys:
 #endif
 	xchgl %r9d,%ebp
 	SAVE_REST
-	CLEAR_RREGS r9
+	CLEAR_RREGS 0, r9
 	movq $-ENOSYS,RAX(%rsp)	/* ptrace can change this for a bad syscall */
 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
 	call syscall_trace_enter
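Review bot: `CLEAR_RREGS 0, r9` spells out the default `offset` positionally only to reach the second argument, which ties this call site to the macro's parameter order; GAS macro invocations accept keyword arguments, so `CLEAR_RREGS _r9=r9` states what is meant and keeps working if a parameter is added later. The `0` is correct here because `SAVE_REST` on the previous line has completed the pt_regs frame, and a trailing comment saying so would help either way. cstar_tracesys begins outside this hunk.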
@@ -425,6 +433,8 @@ ia32_do_call:
 	call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
 ia32_sysret:
 	movq %rax,RAX-ARGOFFSET(%rsp)
+ia32_ret_from_sys_call:
+	CLEAR_RREGS -ARGOFFSET
 	jmp int_ret_from_sys_call 
 
 ia32_tracesys:			 
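Review bot: The new `ia32_ret_from_sys_call` label is reached from several places (the auditsys_exit `jnz` and the non-audit `sysexit_audit`/`sysretl_audit` fallbacks) yet carries no comment stating its entry conditions: a partial frame with `%rsp` at `-ARGOFFSET` from pt_regs, and `%rax` already stored at `RAX-ARGOFFSET(%rsp)` — as the fall-through from `ia32_sysret` guarantees and other callers presumably must too — so that CLEAR_RREGS clobbering `%eax` is harmless. Suggest a short block comment above the label describing it as the common 32-bit slow-path exit that zeroes the R8-R11 save slots before `int_ret_from_sys_call`, and listing those two preconditions. The enclosing ia32_do_call code begins outside this hunk.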
@@ -442,8 +452,8 @@ END(ia32_syscall)
 
 ia32_badsys:
 	movq $0,ORIG_RAX-ARGOFFSET(%rsp)
-	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
-	jmp int_ret_from_sys_call
+	movq $-ENOSYS,%rax
+	jmp ia32_sysret
 
 quiet_ni_syscall:
 	movq $-ENOSYS,%rax



