author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-09-09 14:53:05 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-09-09 14:53:05 -0400 |
commit | ea81e2722e55ba0269c92f266763e445dcffb973 (patch) | |
tree | a582e2dabdf77a895418ad6bfa5deee2a197b499 /arch | |
parent | 0b1fc335d2f2c1206ac4048e5f6d8971f2aae6be (diff) | |
parent | b301ea8c81b13123761772f344faf606c76ba174 (diff) |
Merge branch 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
[S390] cio: allow offline processing for disconnected devices
[S390] cio: handle ssch() return codes correctly.
[S390] cio: Correct cleanup on error.
[S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode
Diffstat (limited to 'arch')
-rw-r--r-- | arch/s390/kernel/compat_ptrace.h | 1 | ||||
-rw-r--r-- | arch/s390/kernel/ptrace.c | 28 |
2 files changed, 29 insertions, 0 deletions
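--- a/arch/s390/kernel/compat_ptrace.h
+++ b/arch/s390/kernel/compat_ptrace.h
@@ -42,6 +42,7 @@ struct user_regs_struct32
 u32 gprs[NUM_GPRS];
 u32 acrs[NUM_ACRS];
 u32 orig_gpr2;
+/* nb: there's a 4-byte hole here */
 s390_fp_regs fp_regs;
 /*
 * These per registers are in here so that gdb can modify them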
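--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -170,6 +170,13 @@ static unsigned long __peek_user(struct task_struct *child, addr_t addr)
 */
 tmp = (addr_t) task_pt_regs(child)->orig_gpr2;
 
+} else if (addr < (addr_t) &dummy->regs.fp_regs) {
+/*
+* prevent reads of padding hole between
+* orig_gpr2 and fp_regs on s390.
+*/
+tmp = 0;
+
 } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
 /*
 * floating point regs. are stored in the thread structure
@@ -270,6 +277,13 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
 */
 task_pt_regs(child)->orig_gpr2 = data;
 
+} else if (addr < (addr_t) &dummy->regs.fp_regs) {
+/*
+* prevent writes of padding hole between
+* orig_gpr2 and fp_regs on s390.
+*/
+return 0;
+
 } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) {
 /*
 * floating point regs. are stored in the thread structure
@@ -428,6 +442,13 @@ static u32 __peek_user_compat(struct task_struct *child, addr_t addr)
 */
 tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4);
 
+} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
+/*
+* prevent reads of padding hole between
+* orig_gpr2 and fp_regs on s390.
+*/
+tmp = 0;
+
 } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
 /*
 * floating point regs. are stored in the thread structure
@@ -514,6 +535,13 @@ static int __poke_user_compat(struct task_struct *child,
 */
 *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp;
 
+} else if (addr < (addr_t) &dummy32->regs.fp_regs) {
+/*
+* prevent writess of padding hole between
+* orig_gpr2 and fp_regs on s390.
+*/
+return 0;
+
 } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) {
 /*
 * floating point regs. are stored in the thread structure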
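Review bot: The new padding branches in `__peek_user`, `__poke_user`, `__peek_user_compat` and `__poke_user_compat` only protect the hole because they sit directly ahead of the fp_regs test, which checks an upper bound alone (`addr < (addr_t) (&dummy->regs.fp_regs + 1)`), and none of the four comments records that ordering dependency. I would extend each comment with something like `must stay ahead of the fp_regs branch: that test has no lower bound, so a hole offset would otherwise be treated as an fp_regs offset`. In the two poke functions the branch does `return 0;`, so a tracer writing into the hole is told the write succeeded while the data is discarded; if that is the intended contract, the comment should say so rather than only "prevent writes". The comment in `__poke_user_compat` also carries a typo, `writess`. All four functions start and end outside their hunks, so the bound used by the preceding orig_gpr2 branch could not be checked from this page.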