diff options
| author | Paul Mackerras <paulus@samba.org> | 2006-06-08 23:02:59 -0400 |
|---|---|---|
| committer | Paul Mackerras <paulus@samba.org> | 2006-06-08 23:02:59 -0400 |
| commit | 7c85d1f9d358b24c5b05c3a2783a78423775a080 (patch) | |
| tree | 71f92966cba279120cb81965cb3a5294295413ba /arch/powerpc/kernel/signal_32.c | |
| parent | 1def630a6a49dda5bc89dfbd86656293640456f0 (diff) | |
powerpc: Fix machine check problem on 32-bit kernels
This fixes a bug found by Dave Jones that means that it is possible
for userspace to provoke a machine check on 32-bit kernels. This
also fixes a couple of other places where I found similar problems
by inspection.
Signed-off-by: Paul Mackerras <paulus@samba.org>
Diffstat (limited to 'arch/powerpc/kernel/signal_32.c')
| -rw-r--r-- | arch/powerpc/kernel/signal_32.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c index 01e3c08cb550..8fdeca2d4597 100644 --- a/arch/powerpc/kernel/signal_32.c +++ b/arch/powerpc/kernel/signal_32.c | |||
| @@ -803,10 +803,13 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int | |||
| 803 | if (__get_user(cmcp, &ucp->uc_regs)) | 803 | if (__get_user(cmcp, &ucp->uc_regs)) |
| 804 | return -EFAULT; | 804 | return -EFAULT; |
| 805 | mcp = (struct mcontext __user *)(u64)cmcp; | 805 | mcp = (struct mcontext __user *)(u64)cmcp; |
| 806 | /* no need to check access_ok(mcp), since mcp < 4GB */ | ||
| 806 | } | 807 | } |
| 807 | #else | 808 | #else |
| 808 | if (__get_user(mcp, &ucp->uc_regs)) | 809 | if (__get_user(mcp, &ucp->uc_regs)) |
| 809 | return -EFAULT; | 810 | return -EFAULT; |
| 811 | if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp))) | ||
| 812 | return -EFAULT; | ||
| 810 | #endif | 813 | #endif |
| 811 | restore_sigmask(&set); | 814 | restore_sigmask(&set); |
| 812 | if (restore_user_regs(regs, mcp, sig)) | 815 | if (restore_user_regs(regs, mcp, sig)) |
| @@ -908,13 +911,14 @@ int sys_debug_setcontext(struct ucontext __user *ctx, | |||
| 908 | { | 911 | { |
| 909 | struct sig_dbg_op op; | 912 | struct sig_dbg_op op; |
| 910 | int i; | 913 | int i; |
| 914 | unsigned char tmp; | ||
| 911 | unsigned long new_msr = regs->msr; | 915 | unsigned long new_msr = regs->msr; |
| 912 | #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE) | 916 | #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE) |
| 913 | unsigned long new_dbcr0 = current->thread.dbcr0; | 917 | unsigned long new_dbcr0 = current->thread.dbcr0; |
| 914 | #endif | 918 | #endif |
| 915 | 919 | ||
| 916 | for (i=0; i<ndbg; i++) { | 920 | for (i=0; i<ndbg; i++) { |
| 917 | if (__copy_from_user(&op, dbg, sizeof(op))) | 921 | if (copy_from_user(&op, dbg + i, sizeof(op))) |
| 918 | return -EFAULT; | 922 | return -EFAULT; |
| 919 | switch (op.dbg_type) { | 923 | switch (op.dbg_type) { |
| 920 | case SIG_DBG_SINGLE_STEPPING: | 924 | case SIG_DBG_SINGLE_STEPPING: |
| @@ -959,6 +963,11 @@ int sys_debug_setcontext(struct ucontext __user *ctx, | |||
| 959 | current->thread.dbcr0 = new_dbcr0; | 963 | current->thread.dbcr0 = new_dbcr0; |
| 960 | #endif | 964 | #endif |
| 961 | 965 | ||
| 966 | if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx)) | ||
| 967 | || __get_user(tmp, (u8 __user *) ctx) | ||
| 968 | || __get_user(tmp, (u8 __user *) (ctx + 1) - 1)) | ||
| 969 | return -EFAULT; | ||
| 970 | |||
| 962 | /* | 971 | /* |
| 963 | * If we get a fault copying the context into the kernel's | 972 | * If we get a fault copying the context into the kernel's |
| 964 | * image of the user's registers, we can't just return -EFAULT | 973 | * image of the user's registers, we can't just return -EFAULT |