From: Michael Neuling <mikey@neuling.org>
To: Cyril Bur <cyrilbur@gmail.com>, linuxppc-dev@ozlabs.org
Subject: Re: [PATCH 3/5] powerpc: Fix TAR leak across exec() syscalls
Date: Thu, 24 Mar 2016 19:44:25 +1100
Message-ID: <1458809065.23205.106.camel@neuling.org>
In-Reply-To: <1458712025-3525-3-git-send-email-cyrilbur@gmail.com>
On Wed, 2016-03-23 at 16:47 +1100, Cyril Bur wrote:
> Currently start_thread() doesn't sanitise TAR.
>
> The TAR SPR register is a register that can be set and branched to; not
> sanitising it presents an information leak to the new executable.
>
> Other SPR registers such as the Performance registers used by perf (and are
> managed entirely by perf) as well as the Event Based Branch (EBB) registers are
> left alone by design as these fall into the same category as leaving file
> descriptors open across exec(): it is up to the parent thread to sanitise what it
> deems necessary.
>
> Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
> ---
> arch/powerpc/kernel/process.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
> index d7a9df5..56444a6 100644
> --- a/arch/powerpc/kernel/process.c
> +++ b/arch/powerpc/kernel/process.c
> @@ -1577,6 +1577,8 @@ void start_thread(struct pt_regs *regs, unsigned lo=
ng start, unsigned long sp)
> current->thread.vr_state.vscr.u[3] =3D 0x00010000; /* Java mode disable=
d */
> current->thread.vr_save_area =3D NULL;
> current->thread.vrsave =3D 0;
> + if (cpu_has_feature(CPU_FTR_ALTIVEC))
> + mtspr(SPRN_VRSAVE, 0);
VRSAVE is not mentioned in the commit message.
> current->thread.used_vr =3D 0;
> #endif /* CONFIG_ALTIVEC */
> #ifdef CONFIG_SPE
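Review bot: the two VRSAVE lines added in this hunk are a separate change from the TAR fix that the subject and commit message describe, and the message does not say why an explicit `mtspr(SPRN_VRSAVE, 0)` is needed on top of the `current->thread.vrsave = 0` store on the line just above it. Either split the VRSAVE write out into its own patch, or add a sentence to the commit message explaining what the thread-struct store alone leaves behind in the hardware register for the thread that is calling exec().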
> @@ -1592,6 +1594,18 @@ void start_thread(struct pt_regs *regs, unsigned l=
ong start, unsigned long sp)
> current->thread.tm_texasr =3D 0;
> current->thread.tm_tfiar =3D 0;
> #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
> +#ifdef CONFIG_PPC_BOOK3S_64
> + /*
> + * Zero out the SPRs.
> + * Don't touch the ones use by perf, it controls them.
> + * Don't touch the EBB regs. This falls into the same category of
> + * responsibly as open file descriptors across exec(), the parent sho=
uld
> + * sanitise if it feels it would be a problem
> + */
> + current->thread.tar =3D 0;
> + if (cpu_has_feature(CPU_FTR_ARCH_206))
> + mtspr(SPRN_TAR, 0);
> +#endif /* CONFIG_PPC_BOOK3S_64 */
> }
> EXPORT_SYMBOL(start_thread);
> =20
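Review bot: the guard `if (cpu_has_feature(CPU_FTR_ARCH_206))` around `mtspr(SPRN_TAR, 0)` is too broad: TAR was introduced in Power ISA 2.07 (POWER8), so the write should be conditional on CPU_FTR_ARCH_207S. With the 2.06 guard, an ISA 2.06 (POWER7) machine executes an mtspr to an SPR it does not implement. Related: `current->thread.tar = 0;` sits outside the feature check while the SPR write sits inside it; putting both statements under the one `if` keeps the thread-struct value and the hardware register in step. Minor: the comment has two typos, "the ones use by perf" should read "used by perf" and "same category of responsibly" should read "responsibility".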
Thread overview: 6+ messages
2016-03-23 5:47 [PATCH 1/5] selftests/powerpc: Add exec() test to check for spr sanitisation Cyril Bur
2016-03-23 5:47 ` [PATCH 2/5] selftests/powerpc: Add fork() test to check for spr being preserved Cyril Bur
2016-03-23 5:47 ` [PATCH 3/5] powerpc: Fix TAR leak across exec() syscalls Cyril Bur
2016-03-24 8:44 ` Michael Neuling [this message]
2016-03-23 5:47 ` [PATCH 4/5] powerpc: Move flush_all_to_thread() below save_sprs() Cyril Bur
2016-03-23 5:47 ` [PATCH 5/5] powerpc: Preserve the SPR values across fork() syscalls Cyril Bur