diff options
| author | Andi Kleen <ak@suse.de> | 2007-09-21 10:16:18 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-09-21 12:52:07 -0400 |
| commit | 176df2457ef6207156ca1a40991c54ca01fef567 (patch) | |
| tree | dddbc675ad695d1bae8f32a1c877b47c3a548a09 /arch/x86_64/ia32 | |
| parent | 335fb8fc71692830aca0a5a5fe7f60016ee0d0aa (diff) | |
x86_64: Zero extend all registers after ptrace in 32bit entry path.
Strictly it's only needed for eax.
It actually does a little more than strictly needed -- the other registers
are already zero extended.
Also remove the now unnecessary and non functional compat task check
in ptrace.
This is CVE-2007-4573
Found by Wojciech Purczynski
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'arch/x86_64/ia32')
| -rw-r--r-- | arch/x86_64/ia32/ia32entry.S | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/arch/x86_64/ia32/ia32entry.S b/arch/x86_64/ia32/ia32entry.S index 938278697e20..18b231810908 100644 --- a/arch/x86_64/ia32/ia32entry.S +++ b/arch/x86_64/ia32/ia32entry.S | |||
| @@ -38,6 +38,18 @@ | |||
| 38 | movq %rax,R8(%rsp) | 38 | movq %rax,R8(%rsp) |
| 39 | .endm | 39 | .endm |
| 40 | 40 | ||
| 41 | .macro LOAD_ARGS32 offset | ||
| 42 | movl \offset(%rsp),%r11d | ||
| 43 | movl \offset+8(%rsp),%r10d | ||
| 44 | movl \offset+16(%rsp),%r9d | ||
| 45 | movl \offset+24(%rsp),%r8d | ||
| 46 | movl \offset+40(%rsp),%ecx | ||
| 47 | movl \offset+48(%rsp),%edx | ||
| 48 | movl \offset+56(%rsp),%esi | ||
| 49 | movl \offset+64(%rsp),%edi | ||
| 50 | movl \offset+72(%rsp),%eax | ||
| 51 | .endm | ||
| 52 | |||
| 41 | .macro CFI_STARTPROC32 simple | 53 | .macro CFI_STARTPROC32 simple |
| 42 | CFI_STARTPROC \simple | 54 | CFI_STARTPROC \simple |
| 43 | CFI_UNDEFINED r8 | 55 | CFI_UNDEFINED r8 |
| @@ -152,7 +164,7 @@ sysenter_tracesys: | |||
| 152 | movq $-ENOSYS,RAX(%rsp) /* really needed? */ | 164 | movq $-ENOSYS,RAX(%rsp) /* really needed? */ |
| 153 | movq %rsp,%rdi /* &pt_regs -> arg1 */ | 165 | movq %rsp,%rdi /* &pt_regs -> arg1 */ |
| 154 | call syscall_trace_enter | 166 | call syscall_trace_enter |
| 155 | LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ | 167 | LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ |
| 156 | RESTORE_REST | 168 | RESTORE_REST |
| 157 | movl %ebp, %ebp | 169 | movl %ebp, %ebp |
| 158 | /* no need to do an access_ok check here because rbp has been | 170 | /* no need to do an access_ok check here because rbp has been |
| @@ -255,7 +267,7 @@ cstar_tracesys: | |||
| 255 | movq $-ENOSYS,RAX(%rsp) /* really needed? */ | 267 | movq $-ENOSYS,RAX(%rsp) /* really needed? */ |
| 256 | movq %rsp,%rdi /* &pt_regs -> arg1 */ | 268 | movq %rsp,%rdi /* &pt_regs -> arg1 */ |
| 257 | call syscall_trace_enter | 269 | call syscall_trace_enter |
| 258 | LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ | 270 | LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ |
| 259 | RESTORE_REST | 271 | RESTORE_REST |
| 260 | movl RSP-ARGOFFSET(%rsp), %r8d | 272 | movl RSP-ARGOFFSET(%rsp), %r8d |
| 261 | /* no need to do an access_ok check here because r8 has been | 273 | /* no need to do an access_ok check here because r8 has been |
| @@ -334,7 +346,7 @@ ia32_tracesys: | |||
| 334 | movq $-ENOSYS,RAX(%rsp) /* really needed? */ | 346 | movq $-ENOSYS,RAX(%rsp) /* really needed? */ |
| 335 | movq %rsp,%rdi /* &pt_regs -> arg1 */ | 347 | movq %rsp,%rdi /* &pt_regs -> arg1 */ |
| 336 | call syscall_trace_enter | 348 | call syscall_trace_enter |
| 337 | LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */ | 349 | LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ |
| 338 | RESTORE_REST | 350 | RESTORE_REST |
| 339 | jmp ia32_do_syscall | 351 | jmp ia32_do_syscall |
| 340 | END(ia32_syscall) | 352 | END(ia32_syscall) |