diff options
| author | Jarod Wilson <jwilson@redhat.com> | 2008-09-09 06:38:56 -0400 |
|---|---|---|
| committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2008-09-09 06:39:06 -0400 |
| commit | 3d6e48f43340343d97839eadb1ab7b6a3ea98797 (patch) | |
| tree | 81d1c8709ef5a1dc8cd8c6e44072928f7c0f903a /arch | |
| parent | 82a28c794f27aac17d7a3ebd7f14d731a11a5532 (diff) | |
[S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
When running a 31-bit ptrace, on either an s390 or s390x kernel,
reads and writes into a padding area in struct user_regs_struct32
will result in a kernel panic.
This is also known as CVE-2008-1514.
Test case available here:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap
Steps to reproduce:
1) wget the above
2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
3) ./user-area-padding-31bit
<panic>
Test status
-----------
Without patch, both s390 and s390x kernels panic. With patch, the test case,
as well as the gdb testsuite, pass without incident, padding area reads
returning zero, writes ignored.
Nb: original version returned -EINVAL on write attempts, which broke the
gdb test and made the test case slightly unhappy, Jan Kratochvil suggested
the change to return 0 on write attempts.
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Tested-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'arch')
| -rw-r--r-- | arch/s390/kernel/compat_ptrace.h | 1 | ||||
| -rw-r--r-- | arch/s390/kernel/ptrace.c | 28 |
2 files changed, 29 insertions, 0 deletions
diff --git a/arch/s390/kernel/compat_ptrace.h b/arch/s390/kernel/compat_ptrace.h index cde81fa64f8..a2be3a978d5 100644 --- a/arch/s390/kernel/compat_ptrace.h +++ b/arch/s390/kernel/compat_ptrace.h | |||
| @@ -42,6 +42,7 @@ struct user_regs_struct32 | |||
| 42 | u32 gprs[NUM_GPRS]; | 42 | u32 gprs[NUM_GPRS]; |
| 43 | u32 acrs[NUM_ACRS]; | 43 | u32 acrs[NUM_ACRS]; |
| 44 | u32 orig_gpr2; | 44 | u32 orig_gpr2; |
| 45 | /* nb: there's a 4-byte hole here */ | ||
| 45 | s390_fp_regs fp_regs; | 46 | s390_fp_regs fp_regs; |
| 46 | /* | 47 | /* |
| 47 | * These per registers are in here so that gdb can modify them | 48 | * These per registers are in here so that gdb can modify them |
diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c index 2815bfe348a..c8b08289eb8 100644 --- a/arch/s390/kernel/ptrace.c +++ b/arch/s390/kernel/ptrace.c | |||
| @@ -170,6 +170,13 @@ static unsigned long __peek_user(struct task_struct *child, addr_t addr) | |||
| 170 | */ | 170 | */ |
| 171 | tmp = (addr_t) task_pt_regs(child)->orig_gpr2; | 171 | tmp = (addr_t) task_pt_regs(child)->orig_gpr2; |
| 172 | 172 | ||
| 173 | } else if (addr < (addr_t) &dummy->regs.fp_regs) { | ||
| 174 | /* | ||
| 175 | * prevent reads of padding hole between | ||
| 176 | * orig_gpr2 and fp_regs on s390. | ||
| 177 | */ | ||
| 178 | tmp = 0; | ||
| 179 | |||
| 173 | } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { | 180 | } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { |
| 174 | /* | 181 | /* |
| 175 | * floating point regs. are stored in the thread structure | 182 | * floating point regs. are stored in the thread structure |
| @@ -270,6 +277,13 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) | |||
| 270 | */ | 277 | */ |
| 271 | task_pt_regs(child)->orig_gpr2 = data; | 278 | task_pt_regs(child)->orig_gpr2 = data; |
| 272 | 279 | ||
| 280 | } else if (addr < (addr_t) &dummy->regs.fp_regs) { | ||
| 281 | /* | ||
| 282 | * prevent writes of padding hole between | ||
| 283 | * orig_gpr2 and fp_regs on s390. | ||
| 284 | */ | ||
| 285 | return 0; | ||
| 286 | |||
| 273 | } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { | 287 | } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { |
| 274 | /* | 288 | /* |
| 275 | * floating point regs. are stored in the thread structure | 289 | * floating point regs. are stored in the thread structure |
| @@ -428,6 +442,13 @@ static u32 __peek_user_compat(struct task_struct *child, addr_t addr) | |||
| 428 | */ | 442 | */ |
| 429 | tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4); | 443 | tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4); |
| 430 | 444 | ||
| 445 | } else if (addr < (addr_t) &dummy32->regs.fp_regs) { | ||
| 446 | /* | ||
| 447 | * prevent reads of padding hole between | ||
| 448 | * orig_gpr2 and fp_regs on s390. | ||
| 449 | */ | ||
| 450 | tmp = 0; | ||
| 451 | |||
| 431 | } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { | 452 | } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { |
| 432 | /* | 453 | /* |
| 433 | * floating point regs. are stored in the thread structure | 454 | * floating point regs. are stored in the thread structure |
| @@ -514,6 +535,13 @@ static int __poke_user_compat(struct task_struct *child, | |||
| 514 | */ | 535 | */ |
| 515 | *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp; | 536 | *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp; |
| 516 | 537 | ||
| 538 | } else if (addr < (addr_t) &dummy32->regs.fp_regs) { | ||
| 539 | /* | ||
| 540 | * prevent writess of padding hole between | ||
| 541 | * orig_gpr2 and fp_regs on s390. | ||
| 542 | */ | ||
| 543 | return 0; | ||
| 544 | |||
| 517 | } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { | 545 | } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { |
| 518 | /* | 546 | /* |
| 519 | * floating point regs. are stored in the thread structure | 547 | * floating point regs. are stored in the thread structure |