From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Hirokazu Takata <takata@linux-m32r.org>,
	linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org
Subject: [PATCH 4/5] m32r: hole in shifting pc back
Date: Fri, 24 Sep 2010 06:24:53 +0100	[thread overview]
Message-ID: <20100924052453.GO19804@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20100924052035.GL19804@ZenIV.linux.org.uk>

It's a userland pointer; worse, an untrustable one since ptrace
has just provided a chance to modify it.

X-Roothole-Covering-Cabal: TINRCC
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 arch/m32r/kernel/signal.c |   38 +++++++++++++++++---------------------
 1 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/arch/m32r/kernel/signal.c b/arch/m32r/kernel/signal.c
index a56fcbd..7bbe386 100644
--- a/arch/m32r/kernel/signal.c
+++ b/arch/m32r/kernel/signal.c
@@ -251,6 +251,19 @@ give_sigsegv:
 	return -EFAULT;
 }
 
+static int prev_insn(struct pt_regs *regs)
+{
+	u16 inst;
+	if (get_user(&inst, (u16 __user *)(regs->bpc - 2)))
+		return -EFAULT;
+	if ((inst & 0xfff0) == 0x10f0)	/* trap ? */
+		regs->bpc -= 2;
+	else
+		regs->bpc -= 4;
+	regs->syscall_nr = -1;
+	return 0;
+}
+
 /*
  * OK, we're invoking a handler
  */
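Review bot: `get_user(&inst, (u16 __user *)(regs->bpc - 2))` passes the address of the destination, but the kernel's get_user() macro takes the destination lvalue itself and assigns into it, so the line should read `if (get_user(inst, (u16 __user *)(regs->bpc - 2)))` — as written the macro tries to assign through `&inst` and will not build. The new helper also deserves a header comment since it now encodes the restart contract for three callers, e.g. `/* Rewind bpc to the syscall insn (2 bytes for a trap, else 4). Reads the insn from user memory, which ptrace may have altered, so it can fault; returns -EFAULT in that case and leaves bpc untouched. */`. The `0x10f0` mask value is carried over from the old inline copies and is not explained anywhere visible; naming it or extending the `/* trap ? */` remark to say which encoding it matches would help the next reader.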
@@ -259,8 +272,6 @@ static int
 handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
 	      sigset_t *oldset, struct pt_regs *regs)
 {
-	unsigned short inst;
-
 	/* Are we from a system call? */
 	if (regs->syscall_nr >= 0) {
 		/* If so, check system call restarting.. */
@@ -278,12 +289,8 @@ handle_signal(unsigned long sig, struct k_sigaction *ka, siginfo_t *info,
 			/* fallthrough */
 			case -ERESTARTNOINTR:
 				regs->r0 = regs->orig_r0;
-				inst = *(unsigned short *)(regs->bpc - 2);
-				if ((inst & 0xfff0) == 0x10f0)	/* trap ? */
-					regs->bpc -= 2;
-				else
-					regs->bpc -= 4;
-				regs->syscall_nr = -1;
+				if (prev_insn(regs) < 0)
+					return -EFAULT;
 		}
 	}
 
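Review bot: `regs->r0 = regs->orig_r0` runs before `prev_insn(regs)` can fail, so on the new -EFAULT path handle_signal returns with r0 already restored to the syscall argument but bpc not rewound. Checking prev_insn() first, `if (prev_insn(regs) < 0) return -EFAULT;` followed by `regs->r0 = regs->orig_r0;`, keeps the register set unmodified when the user read faults. What the caller does with -EFAULT from handle_signal is outside this hunk, so I cannot tell from here whether the partial update is observable; handle_signal itself starts and ends outside the hunk.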
@@ -310,7 +317,6 @@ static void do_signal(struct pt_regs *regs)
 	siginfo_t info;
 	int signr;
 	struct k_sigaction ka;
-	unsigned short inst;
 	sigset_t *oldset;
 
 	/*
@@ -353,21 +359,11 @@ static void do_signal(struct pt_regs *regs)
 		    regs->r0 == -ERESTARTSYS ||
 		    regs->r0 == -ERESTARTNOINTR) {
 			regs->r0 = regs->orig_r0;
-			inst = *(unsigned short *)(regs->bpc - 2);
-			if ((inst & 0xfff0) == 0x10f0)	/* trap ? */
-				regs->bpc -= 2;
-			else
-				regs->bpc -= 4;
-			regs->syscall_nr = -1;
+			prev_insn(regs);
 		} else if (regs->r0 == -ERESTART_RESTARTBLOCK){
 			regs->r0 = regs->orig_r0;
 			regs->r7 = __NR_restart_syscall;
-			inst = *(unsigned short *)(regs->bpc - 2);
-			if ((inst & 0xfff0) == 0x10f0)	/* trap ? */
-				regs->bpc -= 2;
-			else
-				regs->bpc -= 4;
-			regs->syscall_nr = -1;
+			prev_insn(regs);
 		}
 	}
 	if (test_thread_flag(TIF_RESTORE_SIGMASK)) {
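Review bot: The return value of `prev_insn(regs)` is discarded at both new call sites in this hunk, while the handle_signal hunk above checks it; if the get_user() inside faults, bpc is left un-rewound but r0 (and r7 in the second branch) have already been rewritten for the restart, so the task resumes after the trap with restart-prepared registers and an unmoved pc. Since the commit message itself calls the pointer untrustable because ptrace can move bpc, the failure should not be silent here either — e.g. `if (prev_insn(regs) < 0) force_sig(SIGSEGV, current);` in both branches, or at minimum a comment stating why a fault on this path is acceptable to ignore. do_signal begins outside this hunk, so I cannot see whether a later check covers it.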
-- 
1.5.6.5
