* [PATCH, resend] x86-64: fix register leak in 32-bit syscall auditing
@ 2009-10-26 15:20 Jan Beulich
From: Jan Beulich @ 2009-10-26 15:20 UTC (permalink / raw)
To: mingo, tglx, hpa; +Cc: stable, Roland McGrath, linux-kernel
Restoring %ebp after the call to audit_syscall_exit() is not only
unnecessary (because the register didn't get clobbered), but in the
sysenter case wasn't even doing the right thing: It loaded %ebp from a
location below the top of stack (RBP < ARGOFFSET), i.e. arbitrary
kernel data got passed back to user mode in the register.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Roland McGrath <roland@redhat.com>
Cc: <stable@kernel.org>
---
arch/x86/ia32/ia32entry.S | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- linux-2.6.32-rc5/arch/x86/ia32/ia32entry.S 2009-10-19 13:12:43.000000000 +0200
+++ 2.6.32-rc5-x86_64-ia32-syscall-audit-ebp/arch/x86/ia32/ia32entry.S 2009-10-19 09:36:39.000000000 +0200
@@ -204,7 +204,7 @@ sysexit_from_sys_call:
movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
.endm
- .macro auditsys_exit exit,ebpsave=RBP
+ .macro auditsys_exit exit
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
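Review bot: dropping the `ebpsave=RBP` parameter changes the arity of `auditsys_exit`, so any remaining invocation that still passes a second argument will no longer assemble; this patch only updates the `sysretl_audit` caller, so the sysenter-side caller must already be relying on the default. A sentence in the commit message saying both invocations were checked would make that explicit.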
@@ -217,7 +217,6 @@ sysexit_from_sys_call:
call audit_syscall_exit
GET_THREAD_INFO(%r10)
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
cli
TRACE_IRQS_OFF
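Review bot: removing `movl \ebpsave-ARGOFFSET(%rsp),%ebp` is the actual fix, but the macro is now left with no comment explaining why %ebp needs no restore; add one line noting that %rbp is callee-saved across `call audit_syscall_exit`, so the user value survives without a reload. That same comment is the place to record why the old load was a leak: with the default `RBP` slot (RBP < ARGOFFSET, per the commit message) the load read below the top of the stack and returned kernel data to user mode in a register.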
@@ -351,7 +350,7 @@ cstar_auditsys:
jmp cstar_dispatch
sysretl_audit:
- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
+ auditsys_exit sysretl_from_sys_call
#endif
cstar_tracesys:
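Review bot: the removed `/* user %ebp in RCX slot */` comment was the only documentation that the cstar (syscall) path keeps the user's %ebp in the RCX slot of the saved frame; now that the reload is gone, a one-line comment at `sysretl_audit` stating that %ebp is passed through untouched would keep that knowledge from disappearing with the argument.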
* [tip:x86/urgent] x86-64: Fix register leak in 32-bit syscall auditing
From: tip-bot for Jan Beulich @ 2009-10-26 15:24 UTC (permalink / raw)
To: linux-tip-commits
Cc: linux-kernel, hpa, mingo, roland, jbeulich, stable, JBeulich, tglx, mingo
Commit-ID: 81766741fe1eee3884219e8daaf03f466f2ed52f
Gitweb: http://git.kernel.org/tip/81766741fe1eee3884219e8daaf03f466f2ed52f
Author: Jan Beulich <JBeulich@novell.com>
AuthorDate: Mon, 26 Oct 2009 15:20:29 +0000
Committer: Ingo Molnar <mingo@elte.hu>
CommitDate: Mon, 26 Oct 2009 16:23:26 +0100
x86-64: Fix register leak in 32-bit syscall auditing
Restoring %ebp after the call to audit_syscall_exit() is not
only unnecessary (because the register didn't get clobbered),
but in the sysenter case wasn't even doing the right thing: It
loaded %ebp from a location below the top of stack (RBP <
ARGOFFSET), i.e. arbitrary kernel data got passed back to user
mode in the register.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Roland McGrath <roland@redhat.com>
Cc: <stable@kernel.org>
LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
arch/x86/ia32/ia32entry.S | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 1733f9f..581b056 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -204,7 +204,7 @@ sysexit_from_sys_call:
movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */
.endm
- .macro auditsys_exit exit,ebpsave=RBP
+ .macro auditsys_exit exit
testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
jnz ia32_ret_from_sys_call
TRACE_IRQS_ON
@@ -217,7 +217,6 @@ sysexit_from_sys_call:
call audit_syscall_exit
GET_THREAD_INFO(%r10)
movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
cli
TRACE_IRQS_OFF
@@ -351,7 +350,7 @@ cstar_auditsys:
jmp cstar_dispatch
sysretl_audit:
- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
+ auditsys_exit sysretl_from_sys_call
#endif
cstar_tracesys: