linuxppc-dev.lists.ozlabs.org archive mirror
From: Cyril Bur <cyrilbur@gmail.com>
To: linuxppc-dev@ozlabs.org
Cc: mikey@neuling.org
Subject: [PATCH V2 3/5] powerpc: Fix SPR leak across exec() syscalls
Date: Tue,  5 Apr 2016 09:59:25 +1000
Message-ID: <1459814367-3057-3-git-send-email-cyrilbur@gmail.com>
In-Reply-To: <1459814367-3057-1-git-send-email-cyrilbur@gmail.com>

Currently start_thread() doesn't sanitise TAR nor the VRSAVE.

The TAR SPR can be set and branched to; not sanitising it presents an
information leak to the new executable.

The VRSAVE SPR can be used by both application and operating system. The
PowerISA states (in a programming note) that an application could use VRSAVE as a
hint to the operating system as to which vector registers are being used and
therefore which ones to save and restore. Linux doesn't care and simply
saves/restores all vector registers; however, it should also be sanitising
VRSAVE, as applications are free to do with it what they wish.

Other SPR registers, such as the Performance registers used by perf (which are
managed entirely by perf) as well as the Event Based Branch (EBB) registers, are
left alone by design, as these fall into the same category as leaving file
descriptors open across exec(): it is up to the parent thread to sanitise what it
deems necessary.

Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
---
 arch/powerpc/kernel/process.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index d7a9df5..56444a6 100644
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1577,6 +1577,8 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
 	current->thread.vr_state.vscr.u[3] = 0x00010000; /* Java mode disabled */
 	current->thread.vr_save_area = NULL;
 	current->thread.vrsave = 0;
+	if (cpu_has_feature(CPU_FTR_ALTIVEC))
+		mtspr(SPRN_VRSAVE, 0);
 	current->thread.used_vr = 0;
 #endif /* CONFIG_ALTIVEC */
 #ifdef CONFIG_SPE
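Review bot: the context line `current->thread.vrsave = 0;` shows the thread-struct copy was already cleared before this change, so what the new `mtspr(SPRN_VRSAVE, 0)` actually fixes is the live register still holding the pre-exec value when the new image starts; the commit message ("doesn't sanitise TAR nor the VRSAVE") reads as if neither was touched, and a one-line comment on the mtspr would make the distinction clear to the next reader, e.g. `/* thread.vrsave is cleared above; also clear the live SPR for the new image */`. The `CPU_FTR_ALTIVEC` guard itself looks right for code inside the `CONFIG_ALTIVEC` block.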
@@ -1592,6 +1594,18 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
 	current->thread.tm_texasr = 0;
 	current->thread.tm_tfiar = 0;
 #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
+#ifdef CONFIG_PPC_BOOK3S_64
+	/*
+	 * Zero out the SPRs.
+	 * Don't touch the ones use by perf, it controls them.
+	 * Don't touch the EBB regs. This falls into the same category of
+	 *   responsibly as open file descriptors across exec(), the parent should
+	 *   sanitise if it feels it would be a problem
+	 */
+	current->thread.tar = 0;
+	if (cpu_has_feature(CPU_FTR_ARCH_206))
+		mtspr(SPRN_TAR, 0);
+#endif /* CONFIG_PPC_BOOK3S_64 */
 }
 EXPORT_SYMBOL(start_thread);
 
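Review bot: the feature guard on the TAR write looks one ISA generation off: `CPU_FTR_ARCH_206` is the ISA 2.06 (POWER7) bit, while TAR is an ISA 2.07 register, so on a 2.06 CPU this hunk would execute `mtspr(SPRN_TAR, 0)` against an SPR the core does not implement; please confirm the intended bit (`CPU_FTR_ARCH_207S` is what I would expect) or add a comment explaining why 2.06 is correct here. The block comment also needs tidying: "Zero out the SPRs" but only TAR is zeroed in this block (VRSAVE is handled in the ALTIVEC block above), "the ones use by perf" should be "used by", "responsibly" should be "responsibility", and the last sentence is missing its full stop.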
-- 
2.7.4


Thread overview: 5+ messages
2016-04-04 23:59 [PATCH V2 1/5] selftests/powerpc: Add exec() test to check for spr sanitisation Cyril Bur
2016-04-04 23:59 ` [PATCH V2 2/5] selftests/powerpc: Add fork() test to check for spr being preserved Cyril Bur
2016-04-04 23:59 ` Cyril Bur [this message]
2016-04-04 23:59 ` [PATCH V2 4/5] powerpc: Move flush_all_to_thread() below save_sprs() Cyril Bur
2016-04-04 23:59 ` [PATCH V2 5/5] powerpc: Preserve the SPR values across fork() syscalls Cyril Bur
