From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"NAGESWARA R. SASTRY" <nasastry@in.ibm.com>,
Vasant Hegde <hegdevasant@linux.vnet.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 3.14 07/37] powerpc/rtas: Validate rtas.entry before calling enter_rtas()
Date: Fri, 6 Nov 2015 11:24:22 -0800 [thread overview]
Message-ID: <20151106192411.246212215@linuxfoundation.org> (raw)
In-Reply-To: <20151106192410.681850286@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
commit 8832317f662c06f5c06e638f57bfe89a71c9b266 upstream.
Currently we do not validate rtas.entry before calling enter_rtas(). This
leads to a kernel oops when user space calls rtas system call on a powernv
platform (see below). This patch adds code to validate rtas.entry before
making enter_rtas() call.
Oops: Exception in kernel mode, sig: 4 [#1]
SMP NR_CPUS=1024 NUMA PowerNV
task: c000000004294b80 ti: c0000007e1a78000 task.ti: c0000007e1a78000
NIP: 0000000000000000 LR: 0000000000009c14 CTR: c000000000423140
REGS: c0000007e1a7b920 TRAP: 0e40 Not tainted (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le)
MSR: 1000000000081000 <HV,ME> CR: 00000000 XER: 00000000
CFAR: c000000000009c0c SOFTE: 0
NIP [0000000000000000] (null)
LR [0000000000009c14] 0x9c14
Call Trace:
[c0000007e1a7bba0] [c00000000041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable)
[c0000007e1a7bd80] [c00000000002ddc0] ppc_rtas+0x150/0x2d0
[c0000007e1a7be30] [c000000000009358] syscall_exit+0x0/0x98
Fixes: 55190f88789a ("powerpc: Add skeleton PowerNV platform")
Reported-by: NAGESWARA R. SASTRY <nasastry@in.ibm.com>
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
[mpe: Reword change log, trim oops, and add stable + fixes]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/rtas.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -1041,6 +1041,9 @@ asmlinkage int ppc_rtas(struct rtas_args
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
+ if (!rtas.entry)
+ return -EINVAL;
+
if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0)
return -EFAULT;
next prev parent reply other threads:[~2015-11-06 19:52 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-06 19:24 [PATCH 3.14 00/37] 3.14.57-stable review Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 01/37] ath9k: declare required extra tx headroom Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 02/37] iwlwifi: dvm: fix D3 firmware PN programming Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 03/37] iwlwifi: fix firmware filename for 3160 Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 04/37] iwlwifi: mvm: fix D3 firmware PN programming Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 05/37] iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 06/37] iommu/amd: Dont clear DTE flags when modifying it Greg Kroah-Hartman
2015-11-06 19:24 ` Greg Kroah-Hartman [this message]
2015-11-06 19:24 ` [PATCH 3.14 08/37] ASoC: wm8904: Correct number of EQ registers Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 09/37] x86/setup: Extend low identity map to cover whole kernel range Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 10/37] mm: make sendfile(2) killable Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 14/37] drm/nouveau/gem: return only valid domain when theres only one Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 16/37] drm/radeon: dont try to recreate sysfs entries on resume Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 18/37] rbd: require stable pages if message data CRCs are enabled Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 19/37] rbd: dont leak parent_spec in rbd_dev_probe_parent() Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 20/37] rbd: prevent kernel stack blow up on rbd map Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 21/37] Revert "ARM64: unwind: Fix PC calculation" Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 22/37] dm btree remove: fix a bug when rebalancing nodes after removal Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 23/37] dm btree: fix leak of bufio-backed block in btree_split_beneath error path Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 24/37] xhci: handle no ping response error properly Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 25/37] xhci: Add spurious wakeup quirk for LynxPoint-LP controllers Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 26/37] xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing) Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 27/37] module: Fix locking in symbol_put_addr() Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 28/37] crypto: api - Only abort operations on fatal signal Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 29/37] md/raid1: submit_bio_wait() returns 0 on success Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 30/37] md/raid10: " Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 31/37] Revert "md: allow a partially recovered device to be hot-added to an array." Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 33/37] IB/cm: Fix rb-tree duplicate free and use-after-free Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 34/37] md/raid5: fix locking in handle_stripe_clean_event() Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 35/37] serial: 8250_pci: Add support for 16 port Exar boards Greg Kroah-Hartman
2015-11-23 14:23 ` Soeren Grunewald
2016-02-23 23:51 ` Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 36/37] serial: 8250_pci: Add support for 12 " Greg Kroah-Hartman
2015-11-06 19:24 ` [PATCH 3.14 37/37] xen: fix backport of previous kexec patch Greg Kroah-Hartman
2015-11-07 1:41 ` [PATCH 3.14 00/37] 3.14.57-stable review Guenter Roeck
2015-11-07 2:54 ` Shuah Khan
[not found] ` <56402111.42371c0a.e127c.749b@mx.google.com>
2015-11-09 4:41 ` Kevin Hilman
2015-11-09 17:09 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151106192411.246212215@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hegdevasant@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nasastry@in.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.