From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Roland McGrath <roland@redhat.com>,
Jeff Mahoney <jeffm@suse.com>,
Oliver Pinter <oliver.pntr@gmail.com>
Subject: [patch 08/23] Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)
Date: Fri, 22 Feb 2008 13:40:24 -0800 [thread overview]
Message-ID: <20080222214024.GI8686@suse.de> (raw)
In-Reply-To: <20080222213927.GA8686@suse.de>
[-- Attachment #1: handle-bogus-cs-selector-in-single-step-instruction-decoding.patch --]
[-- Type: text/plain, Size: 2618 bytes --]
2.6.22-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Roland McGrath <roland@redhat.com>
Handle bogus %cs selector in single-step instruction decoding
mainline: 29eb51101c02df517ca64ec472d7501127ad1da8
The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Jeff Mahoney <jeffm@suse.com>
CC: Oliver Pinter <oliver.pntr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/i386/kernel/ptrace.c | 22 +++++++++++++++-------
arch/x86_64/kernel/ptrace.c | 23 ++++++++++++++++-------
2 files changed, 31 insertions(+), 14 deletions(-)
--- a/arch/i386/kernel/ptrace.c
+++ b/arch/i386/kernel/ptrace.c
@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_line
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
return addr;
--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(stru
u32 *desc;
unsigned long base;
- down(&child->mm->context.sem);
- desc = child->mm->context.ldt + (seg & ~7);
- base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+ seg &= ~7UL;
- /* 16-bit code segment? */
- if (!((desc[1] >> 22) & 1))
- addr &= 0xffff;
- addr += base;
+ down(&child->mm->context.sem);
+ if (unlikely((seg >> 3) >= child->mm->context.size))
+ addr = -1L; /* bogus selector, access would fault */
+ else {
+ desc = child->mm->context.ldt + seg;
+ base = ((desc[0] >> 16) |
+ ((desc[1] & 0xff) << 16) |
+ (desc[1] & 0xff000000));
+
+ /* 16-bit code segment? */
+ if (!((desc[1] >> 22) & 1))
+ addr &= 0xffff;
+ addr += base;
+ }
up(&child->mm->context.sem);
}
+
return addr;
}
--
next prev parent reply other threads:[~2008-02-22 21:47 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080222213114.583282464@mini.kroah.org>
2008-02-22 21:39 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 21:39 ` [patch 01/23] cciss: fix memory leak Greg KH
2008-02-22 21:40 ` [patch 02/23] sata_promise: FastTrack TX4200 is a second-generation chip Greg KH
2008-02-22 21:40 ` [patch 03/23] sata_promise: ASIC PRD table bug workaround Greg KH
2008-02-22 21:40 ` [patch 04/23] PCI: Fix fakephp deadlock Greg KH
2008-02-22 21:40 ` [patch 05/23] quicklists: do not release off node pages early Greg KH
2008-02-22 21:40 ` [patch 06/23] NFS: Fix a potential file corruption issue when writing Greg KH
2008-02-22 21:40 ` [patch 07/23] cciss: Panic in blk_rq_map_sg() from CCISS driver Greg KH
2008-02-25 15:06 ` Lee Schermerhorn
2008-02-25 15:39 ` Jens Axboe
2008-02-25 17:55 ` [stable] " Greg KH
2008-02-22 21:40 ` Greg KH [this message]
2008-02-22 21:40 ` [patch 09/23] i386: fixup TRACE_IRQ breakage (CVE-2007-3731) Greg KH
2008-02-22 21:40 ` [patch 10/23] Intel_agp: really fix 945/965GME Greg KH
2008-02-22 21:40 ` [patch 11/23] pci: fix unterminated pci_device_id lists Greg KH
2008-02-22 21:40 ` [patch 12/23] sony-laptop: call sonypi_compat_init earlier Greg KH
2008-02-22 21:40 ` [patch 13/23] VIA_VELOCITY: Dont oops on MTU change Greg KH
2008-02-22 21:40 ` [patch 14/23] via-velocity: dont oops on MTU change (resend) Greg KH
2008-02-22 21:40 ` [patch 15/23] knfsd: fix spurious EINVAL errors on first access of new filesystem Greg KH
2008-02-22 21:40 ` [patch 16/23] NFS: Fix nfs_reval_fsid() Greg KH
2008-02-22 21:40 ` [patch 17/23] NFSv2/v3: Fix a memory leak when using -onolock Greg KH
2008-02-22 21:40 ` [patch 18/23] NFS: Fix an Oops in encode_lookup() Greg KH
2008-02-22 21:40 ` [patch 19/23] knfsd: query filesystem for NFSv4 getattr of FATTR4_MAXNAME Greg KH
2008-02-22 21:40 ` [patch 20/23] quicklists: Only consider memory that can be used with GFP_KERNEL Greg KH
2008-02-22 21:40 ` [patch 21/23] Be more robust about bad arguments in get_user_pages() Greg KH
2008-02-22 21:40 ` [patch 22/23] SCSI: sd: handle bad lba in sense information Greg KH
2008-02-22 21:41 ` [patch 23/23] NETFILTER: nf_conntrack_tcp: conntrack reopening fix Greg KH
2008-02-22 21:44 ` [patch 00/23] 2.6.22-stable review Greg KH
2008-02-22 22:03 ` Oliver Pinter
2008-02-22 22:32 ` Greg KH
2008-02-23 8:47 ` Willy Tarreau
2008-02-22 21:59 ` Oliver Pinter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080222214024.GI8686@suse.de \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jeffm@suse.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=oliver.pntr@gmail.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=roland@redhat.com \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox