x86-64: Fix register leak in 32-bit syscall audting

Restoring %ebp after the call to audit_syscall_exit() is not
only unnecessary (because the register didn't get clobbered),
but in the sysenter case wasn't even doing the right thing: It
loaded %ebp from a location below the top of stack (RBP <
ARGOFFSET), i.e. arbitrary kernel data got passed back to user
mode in the register.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Roland McGrath <roland@redhat.com>
Cc: <stable@kernel.org>
LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

1 files changed, 2 insertions, 3 deletions

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 1733f9f65e82..581b0568fe19 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -204,7 +204,7 @@ sysexit_from_sys_call:
         movl RDI-ARGOFFSET(%rsp),%r8d   /* reload 5th syscall arg */
         .endm
 
-        .macro auditsys_exit exit,ebpsave=RBP
+        .macro auditsys_exit exit
         testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
         jnz ia32_ret_from_sys_call
         TRACE_IRQS_ON
@@ -217,7 +217,6 @@ sysexit_from_sys_call:
         call audit_syscall_exit
         GET_THREAD_INFO(%r10)
         movl RAX-ARGOFFSET(%rsp),%eax   /* reload syscall return value */
-        movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
         movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
         cli
         TRACE_IRQS_OFF
@@ -351,7 +350,7 @@ cstar_auditsys:
         jmp cstar_dispatch
 
 sysretl_audit:
-        auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
+        auditsys_exit sysretl_from_sys_call
 #endif
 
 cstar_tracesys: