public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, benh@kernel.crashing.org,
	Josh Boyer <jwboyer@linux.vnet.ibm.com>
Subject: [patch 32/58] powerpc: Sanitize stack pointer in signal handling code
Date: Wed, 06 May 2009 14:46:00 -0700
Message-ID: <20090506214759.718474240@mini.kroah.org>
In-Reply-To: <20090506215017.GA21981@kroah.com>

[-- Attachment #1: powerpc-sanitize-stack-pointer-in-signal-handling-code.patch --]
[-- Type: text/plain, Size: 3994 bytes --]

2.6.29-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Josh Boyer <jwboyer@linux.vnet.ibm.com>

This has been backported to 2.6.29.x from commit efbda86098 in Linus' tree

On powerpc64 machines running 32-bit userspace, we can get garbage bits in the
stack pointer passed into the kernel.  Most places handle this correctly, but
the signal handling code uses the passed value directly for allocating signal
stack frames.

This fixes the issue by introducing a get_clean_sp function that returns a
sanitized stack pointer.  For 32-bit tasks on a 64-bit kernel, the stack
pointer is masked correctly.  In all other cases, the stack pointer is simply
returned.

Additionally, we pass an 'is_32' parameter to get_sigframe now in order to
get the properly sanitized stack.  The callers are known to be 32 or 64-bit
statically.

Signed-off-by: Josh Boyer <jwboyer@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 arch/powerpc/include/asm/processor.h |   19 +++++++++++++++++++
 arch/powerpc/kernel/signal.c         |    4 ++--
 arch/powerpc/kernel/signal.h         |    2 +-
 arch/powerpc/kernel/signal_32.c      |    4 ++--
 arch/powerpc/kernel/signal_64.c      |    2 +-
 5 files changed, 25 insertions(+), 6 deletions(-)

--- a/arch/powerpc/include/asm/processor.h
+++ b/arch/powerpc/include/asm/processor.h
@@ -313,6 +313,25 @@ static inline void prefetchw(const void 
 #define HAVE_ARCH_PICK_MMAP_LAYOUT
 #endif
 
+#ifdef CONFIG_PPC64
+static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
+{
+	unsigned long sp;
+
+	if (is_32)
+		sp = regs->gpr[1] & 0x0ffffffffUL;
+	else
+		sp = regs->gpr[1];
+
+	return sp;
+}
+#else
+static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
+{
+	return regs->gpr[1];
+}
+#endif
+
 #endif /* __KERNEL__ */
 #endif /* __ASSEMBLY__ */
 #endif /* _ASM_POWERPC_PROCESSOR_H */
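Review bot: the new helper carries no comment explaining why the mask exists; add one line above the `if (is_32)` branch saying that a 32-bit task on a 64-bit kernel can leave stale bits in the upper half of gpr[1], so a reader meeting `sp = regs->gpr[1] & 0x0ffffffffUL;` sees a deliberate 32-bit address truncation rather than an arbitrary constant (the literal also reads more naturally as `0xffffffffUL`). The `#else` variant silently ignores `is_32`; a short comment there (the stack pointer is already 32 bits wide on a 32-bit kernel) saves the next reader a trip to the commit message.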
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -836,7 +836,7 @@ int handle_rt_signal32(unsigned long sig
 
 	/* Set up Signal Frame */
 	/* Put a Real Time Context onto stack */
-	rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf));
+	rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1);
 	addr = rt_sf;
 	if (unlikely(rt_sf == NULL))
 		goto badframe;
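Review bot: the bare `1` in `rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1);` does not tell the reader what it selects; a `/* is_32 */` comment at the call site, or a named constant shared by the four callers, would make it self-documenting. The value itself is right: handle_rt_signal32 is the path taken by 32-bit tasks on both kernel widths, which is exactly where the commit message says the unmasked stack pointer was used.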
@@ -1182,7 +1182,7 @@ int handle_signal32(unsigned long sig, s
 	unsigned long newsp = 0;
 
 	/* Set up Signal Frame */
-	frame = get_sigframe(ka, regs, sizeof(*frame));
+	frame = get_sigframe(ka, regs, sizeof(*frame), 1);
 	if (unlikely(frame == NULL))
 		goto badframe;
 	sc = (struct sigcontext __user *) &frame->sctx;
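Review bot: with this hunk both 32-bit frame-allocation sites are covered, but the diff touches only allocation, and the commit message says merely that "most places handle this correctly". It would help to state in the message which other readers of gpr[1] in signal_32.c (the sigreturn paths that locate the frame to restore, for instance) were checked and found to mask already, since any that do not would accept a frame address carrying the same garbage bits.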
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -402,7 +402,7 @@ int handle_rt_signal64(int signr, struct
 	unsigned long newsp = 0;
 	long err = 0;
 
-	frame = get_sigframe(ka, regs, sizeof(*frame));
+	frame = get_sigframe(ka, regs, sizeof(*frame), 0);
 	if (unlikely(frame == NULL))
 		goto badframe;
 
--- a/arch/powerpc/kernel/signal.c
+++ b/arch/powerpc/kernel/signal.c
@@ -26,12 +26,12 @@ int show_unhandled_signals = 0;
  * Allocate space for the signal frame
  */
 void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
-			   size_t frame_size)
+			   size_t frame_size, int is_32)
 {
         unsigned long oldsp, newsp;
 
         /* Default to using normal stack */
-        oldsp = regs->gpr[1];
+        oldsp = get_clean_sp(regs, is_32);
 
 	/* Check for alt stack */
 	if ((ka->sa.sa_flags & SA_ONSTACK) &&
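Review bot: the header comment "Allocate space for the signal frame" is not updated for the new `is_32` parameter; document that callers pass 1 for a 32-bit task so that `oldsp` is masked before it is used. Worth spelling out in that comment that the masking must happen before the SA_ONSTACK test on the following lines, not just before the frame is carved out: the alt-stack check compares `oldsp` against the alternate stack's range, so a value with garbage high bits would fail that comparison and the frame would be placed at the top of the alternate stack even when the task is already running on it. Style: the replacement line keeps the 8-space indentation of the surrounding lines rather than the tab used by the `if` below; acceptable for a minimal backport, but the mismatch is visible in this hunk.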
--- a/arch/powerpc/kernel/signal.h
+++ b/arch/powerpc/kernel/signal.h
@@ -15,7 +15,7 @@
 extern void do_signal(struct pt_regs *regs, unsigned long thread_info_flags);
 
 extern void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
-				  size_t frame_size);
+				  size_t frame_size, int is_32);
 extern void restore_sigmask(sigset_t *set);
 
 extern int handle_signal32(unsigned long sig, struct k_sigaction *ka,



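The two paragraphs of the commit message above describe the bug abstractly. The block below is an added worked example, not code from this patch or from the kernel: a userspace model of the patched get_clean_sp() and of the get_sigframe() logic visible in the signal.c hunk, run against a constructed stack pointer whose upper 32 bits hold stale data. The `pt_regs` and `task_model` structs, the 4 GiB address limit used as a stand-in for access_ok(), the on_sig_stack() shape and the frame size are all assumptions made for illustration. It shows the two outcomes a practitioner cares about: on the main stack the unmasked pointer fails the access check (signal delivery fails, the task is killed), while on an alternate stack it passes the check and lands the new frame above the live stack pointer, on top of data the interrupted handler is still using.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SA_ONSTACK 0x08000000u            /* Linux ABI value */
#define FRAME_SIZE 0x500                  /* assumed signal frame size, for illustration only */

struct pt_regs { uint64_t gpr[32]; };     /* stand-in: only gpr[1], the stack pointer, is used */

struct task_model {                       /* stand-in for the current->sas_ss_* fields */
    uint64_t sas_ss_sp;
    uint64_t sas_ss_size;
    uint64_t task_size;                   /* modeled user address limit for the access check */
};

/* Same logic as the patch's PPC64 get_clean_sp(): a compat task only owns the low 32 bits. */
static uint64_t get_clean_sp(const struct pt_regs *regs, int is_32)
{
    return is_32 ? (regs->gpr[1] & 0x0ffffffffULL) : regs->gpr[1];
}

/* Modeled after the kernel's on_sig_stack(): is sp inside [sas_ss_sp, sas_ss_sp + size)? */
static bool on_sig_stack(const struct task_model *t, uint64_t sp)
{
    return sp - t->sas_ss_sp < t->sas_ss_size;
}

/*
 * Model of get_sigframe(): pick the frame address below the stack the handler
 * will run on.  'sanitize' selects pre-patch (raw gpr[1]) or post-patch behaviour.
 * Returns 0 where the kernel would return NULL (access check failed).
 */
static uint64_t get_sigframe_model(const struct task_model *t, unsigned sa_flags,
                                   const struct pt_regs *regs, size_t frame_size,
                                   int is_32, bool sanitize)
{
    uint64_t oldsp = sanitize ? get_clean_sp(regs, is_32) : regs->gpr[1];

    /* alt-stack selection, as in the signal.c hunk: only switch if not already on it */
    if ((sa_flags & SA_ONSTACK) && t->sas_ss_size && !on_sig_stack(t, oldsp))
        oldsp = t->sas_ss_sp + t->sas_ss_size;

    uint64_t newsp = (oldsp - frame_size) & ~0xFULL;   /* 16-byte aligned frame */

    /* stand-in for access_ok(): the whole frame must lie inside the task's address space */
    if (newsp > oldsp || oldsp > t->task_size)
        return 0;
    return newsp;
}

#define GARBAGE_HI 0xdeadbeef00000000ULL  /* constructed: stale bits in the upper half of r1 */

/* Case 1: ordinary stack.  The 32-bit task sees sp = 0xbffff000; the kernel sees more. */
static uint64_t frame_on_main_stack(bool sanitize)
{
    struct task_model t = { 0, 0, 0x100000000ULL };      /* no alt stack; 4 GiB compat limit */
    struct pt_regs regs = { {0} };
    regs.gpr[1] = GARBAGE_HI | 0xbffff000ULL;
    return get_sigframe_model(&t, 0, &regs, FRAME_SIZE, 1, sanitize);
}

/* Case 2: a nested signal arrives while the task is already running on its alternate stack. */
static uint64_t frame_on_alt_stack(bool sanitize)
{
    struct task_model t = { 0x40000000ULL, 0x10000ULL, 0x100000000ULL };
    struct pt_regs regs = { {0} };
    regs.gpr[1] = GARBAGE_HI | 0x40008000ULL;            /* live sp is in the middle of the alt stack */
    return get_sigframe_model(&t, SA_ONSTACK, &regs, FRAME_SIZE, 1, sanitize);
}

int main(void)
{
    printf("main stack, raw sp   : 0x%llx (0 = NULL: delivery fails, task gets SIGSEGV)\n",
           (unsigned long long)frame_on_main_stack(false));
    printf("main stack, clean sp : 0x%llx\n", (unsigned long long)frame_on_main_stack(true));
    printf("alt stack,  raw sp   : 0x%llx (above the live sp 0x40008000: clobbers in-use frames)\n",
           (unsigned long long)frame_on_alt_stack(false));
    printf("alt stack,  clean sp : 0x%llx (below the live sp, as intended)\n",
           (unsigned long long)frame_on_alt_stack(true));
    return 0;
}
```

The alternate-stack case is the instructive one: the garbage bits do not merely make the pointer look out of range, they defeat the "already on the alt stack" test, so the kernel restarts the frame at the top of the alternate stack and overwrites whatever the running handler had there. That is why the mask has to be applied to `oldsp` before the SA_ONSTACK check, which is where the patch places it.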
Thread overview: 67+ messages
2009-05-06 21:50 ` [patch 00/58] 2.6.29.3-stable review Greg KH
2009-05-06 21:45   ` [patch 01/58] forcedeth: Fix resume from hibernation regression Greg KH
2009-05-06 21:45   ` [patch 02/58] mac80211: Fix bug in getting rx status for frames pending in reorder buffer Greg KH
2009-05-06 21:45   ` [patch 03/58] b43: Poison RX buffers Greg KH
2009-05-06 21:45   ` [patch 04/58] b43: Refresh RX poison on buffer recycling Greg KH
2009-05-06 21:45   ` [patch 05/58] thinkpad-acpi: fix LED blinking through timer trigger Greg KH
2009-05-06 21:45   ` [patch 06/58] ALSA: us122l: add snd_us122l_free() Greg KH
2009-05-06 21:45   ` [patch 07/58] mac80211: fix basic rate bitmap calculation Greg KH
2009-05-06 21:45   ` [patch 08/58] KVM: MMU: Fix off-by-one calculating large page count Greg KH
2009-05-06 21:45   ` [patch 09/58] KVM: MMU: disable global page optimization Greg KH
2009-05-06 21:45   ` [patch 10/58] KVM: Fix overlapping check for memory slots Greg KH
2009-05-06 21:45   ` [patch 11/58] KVM: x86: release time_page on vcpu destruction Greg KH
2009-05-06 21:45   ` [patch 12/58] USB: Unusual Device support for Gold MP3 Player Energy Greg KH
2009-05-06 21:45   ` [patch 13/58] virtio-rng: Remove false BUG for spurious callbacks Greg KH
2009-05-06 21:45   ` [patch 14/58] b44: Use kernel DMA addresses for the kernel DMA API Greg KH
2009-05-06 21:45   ` [patch 15/58] block: include empty disks in /proc/diskstats Greg KH
2009-05-06 21:45   ` [patch 16/58] crypto: ixp4xx - Fix handling of chained sg buffers Greg KH
2009-05-06 21:45   ` [patch 17/58] exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337) Greg KH
2009-05-06 21:45   ` [patch 18/58] PCI: fix incorrect mask of PM No_Soft_Reset bit Greg KH
2009-05-06 21:45   ` [patch 19/58] unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184) Greg KH
2009-05-06 21:45   ` [patch 20/58] drm/i915: add support for G41 chipset Greg KH
2009-05-06 21:45   ` [patch 21/58] x86-64: fix FPU corruption with signals and preemption Greg KH
2009-05-06 21:45   ` [patch 22/58] x86/PCI: dont call e820_all_mapped with -1 in the mmconfig case Greg KH
2009-05-06 21:45   ` [patch 23/58] ASoC: Fix offset of freqmode in WM8580 PLL configuration Greg KH
2009-05-06 21:45   ` [patch 24/58] PCI quirk: disable MSI on VIA VT3364 chipsets Greg KH
2009-05-06 21:45   ` [patch 25/58] bio: fix memcpy corruption in bio_copy_user_iov() Greg KH
2009-05-06 21:45   ` [patch 26/58] drm/i915: allow tiled front buffers on 965+ Greg KH
2009-05-06 21:45   ` [patch 27/58] pagemap: require aligned-length, non-null reads of /proc/pid/pagemap Greg KH
2009-05-06 21:45   ` [patch 28/58] kbuild: fix Module.markers permission error under cygwin Greg KH
2009-05-06 21:45   ` [patch 29/58] ptrace: ptrace_attach: fix the usage of ->cred_exec_mutex Greg KH
2009-05-06 21:45   ` [patch 30/58] USB: serial: fix lifetime and locking problems Greg KH
2009-05-06 21:45   ` [patch 31/58] ACPI: Revert conflicting workaround for BIOS w/ mangled PRT entries Greg KH
2009-05-06 21:46   ` Greg KH [this message]
2009-05-06 21:46   ` [patch 33/58] compat_do_execve should unshare_files Greg KH
2009-05-06 21:46   ` [patch 34/58] fix setuid sometimes doesnt Greg KH
2009-05-06 21:46   ` [patch 35/58] fix setuid sometimes wouldnt Greg KH
2009-05-06 21:46   ` [patch 36/58] Annotate struct fs_structs usage count restriction Greg KH
2009-05-06 21:46   ` [patch 37/58] Kill unsharing fs_struct in __set_personality() Greg KH
2009-05-06 21:46   ` [patch 38/58] Get rid of bumping fs_struct refcount in pivot_root(2) Greg KH
2009-05-06 21:46   ` [patch 39/58] Take fs_struct handling to new file (fs/fs_struct.c) Greg KH
2009-05-06 21:46   ` [patch 40/58] New locking/refcounting for fs_struct Greg KH
2009-05-06 21:46   ` [patch 41/58] check_unsafe_exec() doesnt care about signal handlers sharing Greg KH
2009-05-06 21:46   ` [patch 42/58] do_execve() must not clear fs->in_exec if it was set by another thread Greg KH
2009-05-06 21:46   ` [patch 43/58] check_unsafe_exec: s/lock_task_sighand/rcu_read_lock/ Greg KH
2009-05-06 21:46   ` [patch 44/58] mv643xx_eth: 64bit mib counter read fix Greg KH
2009-05-06 21:46   ` [patch 45/58] mv643xx_eth: OOM handling fixes Greg KH
2009-05-06 21:46   ` [patch 46/58] ath5k: fix buffer overrun in rate debug code Greg KH
2009-05-06 21:46   ` [patch 47/58] proc: avoid information leaks to non-privileged processes Greg KH
2009-05-06 21:46   ` [patch 48/58] cs5536: define dma_sff_read_status() method Greg KH
2009-05-06 21:46   ` [patch 49/58] intel-iommu: Fix device-to-iommu mapping for PCI-PCI bridges Greg KH
2009-05-06 21:46   ` [patch 50/58] intel-iommu: Fix oops in device_to_iommu() when devices not found Greg KH
2009-05-06 21:46   ` [patch 51/58] intel-iommu: Avoid panic() for DRHD at address zero Greg KH
2009-05-06 21:46   ` [patch 52/58] clockevents: prevent endless loop in tick_handle_periodic() Greg KH
2009-05-06 21:46   ` [patch 53/58] Ignore madvise(MADV_WILLNEED) for hugetlbfs-backed regions Greg KH
2009-05-06 21:46   ` [patch 54/58] mm: fix Committed_AS underflow on large NR_CPUS environment Greg KH
2009-05-06 21:46   ` [patch 55/58] rndis_wlan: fix initialization order for workqueue&workers Greg KH
2009-05-06 21:46   ` [patch 56/58] sched: account system time properly Greg KH
2009-05-06 21:46   ` [patch 57/58] tracing: x86, mmiotrace: fix range test Greg KH
2009-05-06 22:12     ` Steven Rostedt
2009-05-06 21:46   ` [patch 58/58] ath9k: Fix FIF_BCN_PRBRESP_PROMISC handling Greg KH
2009-05-07  0:58   ` [patch 00/58] 2.6.29.3-stable review Stefan Lippers-Hollmann
2009-05-07  1:26     ` Greg KH
2009-05-07 17:23   ` Chris Frey
2009-05-07 17:49     ` Steve French
2009-05-07 22:13     ` Greg KH
2009-05-08  4:33       ` Suresh Jayaraman
2009-05-08  5:13         ` Greg KH
