From: Sasha Levin <sasha.levin@oracle.com>
To: stable@vger.kernel.org, stable-commits@vger.kernel.org
Cc: Helge Deller <deller@gmx.de>, Mike Frysinger <vapier@gentoo.org>,
Sasha Levin <sasha.levin@oracle.com>
Subject: [added to the 3.18 stable tree] parisc: Fix ptrace syscall number and return value modification
Date: Thu, 19 May 2016 00:15:31 -0400 [thread overview]
Message-ID: <1463631350-32182-42-git-send-email-sasha.levin@oracle.com> (raw)
In-Reply-To: <1463631350-32182-1-git-send-email-sasha.levin@oracle.com>
From: Helge Deller <deller@gmx.de>
This patch has been added to the 3.18 stable tree. If you have any
objections, please let us know.
===============
[ Upstream commit 98e8b6c9ac9d1b1e9d1122dfa6783d5d566bb8f7 ]
Mike Frysinger reported that his ptrace testcase showed strange
behaviour on parisc: It was not possible to avoid a syscall and the
return value of a syscall couldn't be changed.
To modify a syscall number, we were missing to save the new syscall
number to gr20 which is then picked up later in assembly again.
The effect that the return value couldn't be changed is a side-effect of
another bug in the assembly code. When a process is ptraced, userspace
expects each syscall to report entrance and exit of a syscall. If a
syscall number was given which doesn't exist, we jumped to the normal
syscall exit code instead of informing userspace that the (non-existant)
syscall exits. This unexpected behaviour confuses userspace and thus the
bug was misinterpreted as if we can't change the return value.
This patch fixes both problems and was tested on 64bit kernel with
32bit userspace.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: Mike Frysinger <vapier@gentoo.org>
Cc: stable@vger.kernel.org # v4.0+
Tested-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
arch/parisc/kernel/ptrace.c | 16 +++++++++++-----
arch/parisc/kernel/syscall.S | 5 ++++-
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c
index 9585c81..ce0b2b4 100644
--- a/arch/parisc/kernel/ptrace.c
+++ b/arch/parisc/kernel/ptrace.c
@@ -269,14 +269,19 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
long do_syscall_trace_enter(struct pt_regs *regs)
{
- long ret = 0;
-
/* Do the secure computing check first. */
secure_computing_strict(regs->gr[20]);
if (test_thread_flag(TIF_SYSCALL_TRACE) &&
- tracehook_report_syscall_entry(regs))
- ret = -1L;
+ tracehook_report_syscall_entry(regs)) {
+ /*
+ * Tracing decided this syscall should not happen or the
+ * debugger stored an invalid system call number. Skip
+ * the system call and the system call restart handling.
+ */
+ regs->gr[20] = -1UL;
+ goto out;
+ }
#ifdef CONFIG_64BIT
if (!is_compat_task())
@@ -290,7 +295,8 @@ long do_syscall_trace_enter(struct pt_regs *regs)
regs->gr[24] & 0xffffffff,
regs->gr[23] & 0xffffffff);
- return ret ? : regs->gr[20];
+out:
+ return regs->gr[20];
}
void do_syscall_trace_exit(struct pt_regs *regs)
diff --git a/arch/parisc/kernel/syscall.S b/arch/parisc/kernel/syscall.S
index 0b8d26d..02cf40c 100644
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -343,7 +343,7 @@ tracesys_next:
#endif
comiclr,>>= __NR_Linux_syscalls, %r20, %r0
- b,n .Lsyscall_nosys
+ b,n .Ltracesys_nosys
LDREGX %r20(%r19), %r19
@@ -359,6 +359,9 @@ tracesys_next:
be 0(%sr7,%r19)
ldo R%tracesys_exit(%r2),%r2
+.Ltracesys_nosys:
+ ldo -ENOSYS(%r0),%r28 /* set errno */
+
/* Do *not* call this function on the gateway page, because it
makes a direct call to syscall_trace. */
--
2.5.0
next prev parent reply other threads:[~2016-05-19 4:18 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-19 4:14 [added to the 3.18 stable tree] Revert "usb: hub: do not clear BOS field during reset device" Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] timers: Use proper base migration in add_timer_on() Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] ASoC: rt5640: Correct the digital interface data select Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] regulator: s2mps11: Fix invalid selector mask and voltages for buck9 Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] libahci: save port map for forced port map Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] ata: ahci-platform: Add ports-implemented DT bindings Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] iio: ak8975: Fix NULL pointer exception on early interrupt Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] efi: Fix out-of-bounds read in variable_matches() Sasha Levin
2016-05-19 4:14 ` [added to the 3.18 stable tree] USB: serial: cp210x: add ID for Link ECU Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] USB: serial: cp210x: add Straizona Focusers device ids Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] [media] v4l2-dv-timings.h: fix polarity for 4k formats Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] MD: make bio mergeable Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Add dock support for ThinkPad X260 Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] workqueue: fix ghost PENDING flag while doing MQ IO Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] drm/dp/mst: Restore primary hub guid on resume Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] cxl: Keep IRQ mappings on context teardown Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] drm/i915: Read out the power sequencer port assignment on resume on vlv/chv Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] drm/i915/ddi: Fix eDP VDD handling during booting and suspend/resume Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] IB/security: Restrict use of the write() interface Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] atomic_open(): fix the handling of create_error Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] Drivers: hv: ring_buffer.c: fix comment style Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] Drivers: hv_vmbus: Fix signal to host condition Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] Drivers: hv: vmbus: Fix signaling logic in hv_need_to_signal_on_read() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] powerpc: Fix bad inline asm constraint in create_zero_mask() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] Minimal fix-up of bad hashing behavior of hash_64() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] tracing: Don't display trigger file for events that can't be enabled Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] drm/radeon: make sure vertical front porch is at least 1 Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] MAINTAINERS: Remove asterisk from EFI directory names Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ACPICA: Dispatcher: Update thread ID for recursive method calls Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] crypto: hash - Fix page length clamping in hash walk Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] x86/sysfb_efi: Fix valid BAR address range check Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] fs/pnode.c: treat zero mnt_group_id-s as unequal Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] propogate_mnt: Handle the first propogated copy being a slave Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] mm, cma: prevent nr_isolated_* counters from going negative Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO Sasha Levin
2016-05-19 4:15 ` Sasha Levin [this message]
2016-05-19 4:15 ` [added to the 3.18 stable tree] parisc: fix a bug when syscall number of tracee is __NR_Linux_syscalls Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] get_rock_ridge_filename(): handle malformed NM entries Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Fix bass pin fixup for ASUS N550JX Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Apply fix for white noise on Asus N550JV, too Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Fix white noise on Asus UX501VW headset Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] Input: max8997-haptic - fix NULL pointer dereference Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] drm/i915: Bail out of pipe config compute loop on LPT Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Asus N750JV external subwoofer fixup Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Fix white noise on Asus N750JV headphone Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ALSA: usb-audio: Yet another Phoneix Audio device quirk Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] tools lib traceevent: Free filter tokens in process_filter() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] tools lib traceevent: Do not reassign parg after collapse_tree() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] workqueue: fix rebind bound workers warning Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ocfs2: fix SGID not inherited issue Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ocfs2: dereferencing freed pointers in ocfs2_reflink() Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] ocfs2: fix posix_acl_create deadlock Sasha Levin
2016-05-19 4:15 ` [added to the 3.18 stable tree] nf_conntrack: avoid kernel pointer value leak in slab name Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1463631350-32182-42-git-send-email-sasha.levin@oracle.com \
--to=sasha.levin@oracle.com \
--cc=deller@gmx.de \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vapier@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox