From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Helge Deller <deller@gmx.de>,
Mike Frysinger <vapier@gentoo.org>
Subject: [PATCH 4.4 09/74] parisc: Fix ptrace syscall number and return value modification
Date: Mon, 7 Mar 2016 16:02:34 -0800 [thread overview]
Message-ID: <20160308000315.591166549@linuxfoundation.org> (raw)
In-Reply-To: <20160308000315.294406921@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 98e8b6c9ac9d1b1e9d1122dfa6783d5d566bb8f7 upstream.
Mike Frysinger reported that his ptrace testcase showed strange
behaviour on parisc: It was not possible to avoid a syscall and the
return value of a syscall couldn't be changed.
To modify a syscall number, we were missing to save the new syscall
number to gr20 which is then picked up later in assembly again.
The effect that the return value couldn't be changed is a side-effect of
another bug in the assembly code. When a process is ptraced, userspace
expects each syscall to report entrance and exit of a syscall. If a
syscall number was given which doesn't exist, we jumped to the normal
syscall exit code instead of informing userspace that the (non-existant)
syscall exits. This unexpected behaviour confuses userspace and thus the
bug was misinterpreted as if we can't change the return value.
This patch fixes both problems and was tested on 64bit kernel with
32bit userspace.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: Mike Frysinger <vapier@gentoo.org>
Tested-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/ptrace.c | 16 +++++++++++-----
arch/parisc/kernel/syscall.S | 5 ++++-
2 files changed, 15 insertions(+), 6 deletions(-)
--- a/arch/parisc/kernel/ptrace.c
+++ b/arch/parisc/kernel/ptrace.c
@@ -269,14 +269,19 @@ long compat_arch_ptrace(struct task_stru
long do_syscall_trace_enter(struct pt_regs *regs)
{
- long ret = 0;
-
/* Do the secure computing check first. */
secure_computing_strict(regs->gr[20]);
if (test_thread_flag(TIF_SYSCALL_TRACE) &&
- tracehook_report_syscall_entry(regs))
- ret = -1L;
+ tracehook_report_syscall_entry(regs)) {
+ /*
+ * Tracing decided this syscall should not happen or the
+ * debugger stored an invalid system call number. Skip
+ * the system call and the system call restart handling.
+ */
+ regs->gr[20] = -1UL;
+ goto out;
+ }
#ifdef CONFIG_64BIT
if (!is_compat_task())
@@ -290,7 +295,8 @@ long do_syscall_trace_enter(struct pt_re
regs->gr[24] & 0xffffffff,
regs->gr[23] & 0xffffffff);
- return ret ? : regs->gr[20];
+out:
+ return regs->gr[20];
}
void do_syscall_trace_exit(struct pt_regs *regs)
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -343,7 +343,7 @@ tracesys_next:
#endif
comiclr,>>= __NR_Linux_syscalls, %r20, %r0
- b,n .Lsyscall_nosys
+ b,n .Ltracesys_nosys
LDREGX %r20(%r19), %r19
@@ -359,6 +359,9 @@ tracesys_next:
be 0(%sr7,%r19)
ldo R%tracesys_exit(%r2),%r2
+.Ltracesys_nosys:
+ ldo -ENOSYS(%r0),%r28 /* set errno */
+
/* Do *not* call this function on the gateway page, because it
makes a direct call to syscall_trace. */
next prev parent reply other threads:[~2016-03-08 0:02 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-08 0:02 [PATCH 4.4 00/74] 4.4.5-stable review Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 01/74] use ->d_seq to get coherency between ->d_inode and ->d_flags Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 02/74] drivers: sh: Restore legacy clock domain on SuperH platforms Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 03/74] Btrfs: fix deadlock running delayed iputs at transaction commit time Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 04/74] btrfs: Fix no_space in write and rm loop Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 05/74] btrfs: async-thread: Fix a use-after-free error for trace Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 07/74] block: Initialize max_dev_sectors to 0 Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 08/74] PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer Greg Kroah-Hartman
2016-03-08 0:02 ` Greg Kroah-Hartman [this message]
2016-03-08 0:02 ` [PATCH 4.4 10/74] mips/kvm: fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 11/74] kvm: x86: Update tsc multiplier on change Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 12/74] fbcon: set a default value to blink interval Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 13/74] cifs: fix out-of-bounds access in lease parsing Greg Kroah-Hartman
2016-03-09 3:47 ` Ben Hutchings
2016-03-09 4:23 ` Steve French
2016-03-09 16:17 ` Ben Hutchings
2016-03-08 0:02 ` [PATCH 4.4 14/74] CIFS: Fix SMB2+ interim response processing for read requests Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 15/74] Fix cifs_uniqueid_to_ino_t() function for s390x Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 16/74] vfio: fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 17/74] KVM: x86: fix root cause for missed hardware breakpoints Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 18/74] arm/arm64: KVM: Fix ioctl error handling Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 19/74] iommu/amd: Apply workaround for ATS write permission check Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 20/74] iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 21/74] iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 22/74] target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 23/74] drm/ast: Fix incorrect register check for DRAM width Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 28/74] drm/amdgpu: return from atombios_dp_get_dpcd only when error Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 29/74] libata: fix HDIO_GET_32BIT ioctl Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 30/74] libata: Align ata_devices id on a cacheline Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 31/74] block: bio: introduce helpers to get the 1st and last bvec Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 32/74] writeback: flush inode cgroup wb switches instead of pinning super_block Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 33/74] Adding Intel Lewisburg device IDs for SATA Greg Kroah-Hartman
2016-03-08 0:02 ` [PATCH 4.4 34/74] arm64: vmemmap: use virtual projection of linear region Greg Kroah-Hartman
2016-03-08 10:40 ` Ard Biesheuvel
2016-03-08 13:44 ` Greg Kroah-Hartman
2016-03-08 13:45 ` Ard Biesheuvel
2016-03-12 1:51 ` Ard Biesheuvel
2016-03-12 5:50 ` Greg Kroah-Hartman
2016-03-12 5:55 ` Ard Biesheuvel
2016-03-12 6:05 ` Greg Kroah-Hartman
2016-03-12 8:14 ` Ard Biesheuvel
2016-03-08 0:03 ` [PATCH 4.4 35/74] PM / sleep / x86: Fix crash on graph trace through x86 suspend Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 36/74] ata: ahci: dont mark HotPlugCapable Ports as external/removable Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 37/74] tracing: Do not have comm filter override event comm field Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 38/74] pata-rb532-cf: get rid of the irq_to_gpio() call Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 39/74] Btrfs: fix loading of orphan roots leading to BUG_ON Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 40/74] Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 43/74] dmaengine: pxa_dma: fix cyclic transfers Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 44/74] [media] adv7604: fix tx 5v detect regression Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 45/74] ALSA: usb-audio: Add a quirk for Plantronics DA45 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 46/74] ALSA: ctl: Fix ioctls for X32 ABI Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 47/74] ALSA: hda - Fix mic issues on Acer Aspire E1-472 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 48/74] ALSA: rawmidi: Fix ioctls X32 ABI Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 49/74] ALSA: timer: Fix ioctls for " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 50/74] ALSA: pcm: " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 51/74] ALSA: seq: oss: Dont drain at closing a client Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 52/74] ALSA: hdspm: Fix wrong boolean ctl value accesses Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 53/74] ALSA: hdsp: " Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 54/74] ALSA: hdspm: Fix zero-division Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 55/74] ALSA: timer: Fix broken compat timer user status ioctl Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 56/74] usb: chipidea: otg: change workqueue ci_otg as freezable Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 57/74] USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 60/74] USB: serial: option: add support for Telit LE922 PID 0x1045 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 61/74] USB: serial: option: add support for Quectel UC20 Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 62/74] MIPS: scache: Fix scache init with invalid line size Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 63/74] MIPS: traps: Fix SIGFPE information leak from `do_ov and `do_trap_or_bp Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 64/74] cxl: Fix PSL timebase synchronization detection Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 65/74] ubi: Fix out of bounds write in volume update code Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 66/74] i2c: brcmstb: allocate correct amount of memory for regmap Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 67/74] thermal: cpu_cooling: fix out of bounds access in time_in_idle Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 69/74] block: check virt boundary in bio_will_gap() Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 70/74] block: get the 1st and last bvec via helpers Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 71/74] drm/i915: more virtual south bridge detection Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 73/74] modules: fix longstanding /proc/kallsyms vs module insertion race Greg Kroah-Hartman
2016-03-08 0:03 ` [PATCH 4.4 74/74] drm/amdgpu: fix topaz/tonga gmc assignment in 4.4 stable Greg Kroah-Hartman
2016-03-08 11:45 ` [PATCH 4.4 00/74] 4.4.5-stable review Guenter Roeck
2016-03-08 14:19 ` Greg Kroah-Hartman
[not found] ` <56dea53c.a3f6c20a.71577.ffff9660@mx.google.com>
2016-03-08 14:34 ` Greg Kroah-Hartman
2016-03-09 5:32 ` Kevin Hilman
2016-03-08 16:24 ` Shuah Khan
2016-03-09 2:07 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160308000315.591166549@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=deller@gmx.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vapier@gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).