From: Kees Cook <keescook@chromium.org>
To: Max Filippov <jcmvbkbc@gmail.com>
Cc: linux-xtensa@linux-xtensa.org, Chris Zankel <chris@zankel.net>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 2/2] xtensa: use XCHAL_NUM_AREGS as pt_regs::areg size
Date: Mon, 7 Mar 2022 11:56:42 -0800
Message-ID: <202203071156.8BA231E@keescook>
In-Reply-To: <20220306064435.256328-3-jcmvbkbc@gmail.com>

On Sat, Mar 05, 2022 at 10:44:35PM -0800, Max Filippov wrote:
> struct pt_regs is used to access both kernel and user exception frames.
> User exception frames may contain up to XCHAL_NUM_AREG registers that
> task creation and signal delivery code may access, but pt_regs::areg
> array has only 16 entries that cover only the kernel exception frame.
> This results in the following build error:
> 
> arch/xtensa/kernel/process.c: In function 'copy_thread':
> arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above
>            array bounds of 'long unsigned int[16]' [-Werror=array-bounds]
>   262 |                                 put_user(regs->areg[caller_ars+1],
> 
> Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers
> the whole user exception frame. Adjust task_pt_regs and drop additional
> register copying code from copy_thread now that the whole user exception
> stack frame is copied.
> 
> Reported-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
> ---
>  arch/xtensa/include/asm/ptrace.h |  7 +++----
>  arch/xtensa/kernel/process.c     | 10 ----------
>  2 files changed, 3 insertions(+), 14 deletions(-)
                                     ^^^^^^^^^^^^

Well that's always nice to see in a fix. :) Thanks for digging into
this!

Reviewed-by: Kees Cook <keescook@chromium.org>


-- 
Kees Cook
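
The sizing issue described in the quoted commit message, as an added example that is not part of the thread or the patch: a register array declared with 16 entries cannot legally be indexed at 53, while one sized to XCHAL_NUM_AREGS covers the whole user frame and lets a single struct copy carry every register. The reduced struct layouts, the value 64 for XCHAL_NUM_AREGS, and all helper names are assumptions made for illustration.

```c
#include <stddef.h>

/* Assumed value for illustration; the real XCHAL_NUM_AREGS comes from the core configuration. */
#define XCHAL_NUM_AREGS 64
#define KERNEL_AREGS 16 /* old areg[] length, from the quoted build error */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical reduced layouts: "pc" stands in for the fields that precede areg[]. */
struct regs_before { unsigned long pc; unsigned long areg[KERNEL_AREGS]; };
struct regs_after  { unsigned long pc; unsigned long areg[XCHAL_NUM_AREGS]; };

/* A kernel exception frame still occupies only the first 16 slots of the larger type. */
#define KERNEL_FRAME_SIZE offsetof(struct regs_after, areg[KERNEL_AREGS])

/* Read one register; an index outside the declared array is rejected, not dereferenced. */
static int read_areg(const struct regs_after *r, size_t idx, unsigned long *out)
{
    if (idx >= ARRAY_LEN(r->areg))
        return -1;
    *out = r->areg[idx];
    return 0;
}

/* With the full-size type one struct copy carries every user register,
 * so no second pass over the upper registers is needed. */
static void copy_user_frame(struct regs_after *child, const struct regs_after *parent)
{
    *child = *parent;
}

/* Fill a constructed parent frame, copy it, and read slot idx from the child.
 * Returns the register value, or -1 when idx is out of bounds. */
long child_areg_after_copy(size_t idx)
{
    struct regs_after parent = { .pc = 0 }, child;
    unsigned long v;

    for (size_t i = 0; i < ARRAY_LEN(parent.areg); i++)
        parent.areg[i] = 0x1000 + i;
    copy_user_frame(&child, &parent);
    return read_areg(&child, idx, &v) == 0 ? (long)v : -1;
}

/* The kernel-frame prefix of the new type has the same size as the old 16-entry type. */
size_t kernel_frame_size(void) { return KERNEL_FRAME_SIZE; }
int kernel_frame_matches_old_layout(void) { return sizeof(struct regs_before) == KERNEL_FRAME_SIZE; }
```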
