x86 - 32-bit ptrace emulation mishandles 6th arg

[ jdike - Pushing Chuck's patch - see http://lkml.org/lkml/2005/9/16/261 for some history and a test program. UML is also broken without this patch - its processes get SIGBUS from the corrupt 6th argument to mmap being interpretted as a file offset ] When the 32-bit vDSO is used to make a system call, the %ebp register for the 6th syscall arg has to be loaded from the user stack (where it's pushed by the vDSO user code). The native i386 kernel always does this before stopping for syscall tracing, so %ebp can be seen and modified via ptrace to access the 6th syscall argument. The x86-64 kernel fails to do this, presenting the stack address to ptrace instead. This makes the %rbp value seen by 64-bit ptrace of a 32-bit process, and the %ebp value seen by a 32-bit caller of ptrace, both differ from the native i386 behavior. This patch fixes the problem by putting the word loaded from the user stack into %rbp before calling syscall_trace_enter, and reloading the 6th syscall argument from there afterwards (so ptrace can change it). This makes the behavior match that of i386 kernels. Original-Patch-By: Roland McGrath <roland@redhat.com> Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com> Signed-off-by: Jeff Dike <jdike@linux.intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Chuck Ebbert <76306.1226@compuserve.com> 2007-11-07 10:48:39 -0500
committer: Thomas Gleixner <tglx@apollo.(none)> 2007-11-09 22:30:36 -0500
commit: ecd744eec3aa8bbc949ec04ed3fbf7ecb2958a0e (patch)
tree: 47c398a2e76b2354977df0d72ed91271ce85acf8 /arch
parent: fd181c72a3c202a3986bcee7551c0838265aec2a (diff)
1 files changed, 6 insertions, 13 deletions
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 18b231810908..df588f0f76e1 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -159,20 +159,16 @@ sysenter_do_call:
 sysenter_tracesys:
        CFI_RESTORE_STATE
+        xchgl   %r9d,%ebp
        SAVE_REST
        CLEAR_RREGS
+        movq    %r9,R9(%rsp)
        movq    $-ENOSYS,RAX(%rsp)      /* really needed? */
        movq    %rsp,%rdi        /* &pt_regs -> arg1 */
        call    syscall_trace_enter
        LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
        RESTORE_REST
-        movl    %ebp, %ebp
+        xchgl   %ebp,%r9d
-        /* no need to do an access_ok check here because rbp has been
-           32bit zero extended */ 
-1:      movl    (%rbp),%r9d
-        .section __ex_table,"a"
-        .quad 1b,ia32_badarg
-        .previous
        jmp     sysenter_do_call
        CFI_ENDPROC
 ENDPROC(ia32_sysenter_target)
@@ -262,20 +258,17 @@ cstar_do_call:
        
 cstar_tracesys: 
        CFI_RESTORE_STATE
+        xchgl %r9d,%ebp
        SAVE_REST
        CLEAR_RREGS
+        movq %r9,R9(%rsp)
        movq $-ENOSYS,RAX(%rsp) /* really needed? */
        movq %rsp,%rdi        /* &pt_regs -> arg1 */
        call syscall_trace_enter
        LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
        RESTORE_REST
+        xchgl %ebp,%r9d
        movl RSP-ARGOFFSET(%rsp), %r8d
-        /* no need to do an access_ok check here because r8 has been
-           32bit zero extended */ 
-1:      movl    (%r8),%r9d
-        .section __ex_table,"a"
-        .quad 1b,ia32_badarg
-        .previous
        jmp cstar_do_call
 END(ia32_cstar_target)
author	Chuck Ebbert <76306.1226@compuserve.com>	2007-11-07 10:48:39 -0500
committer	Thomas Gleixner <tglx@apollo.(none)>	2007-11-09 22:30:36 -0500
commit	ecd744eec3aa8bbc949ec04ed3fbf7ecb2958a0e (patch)
tree	47c398a2e76b2354977df0d72ed91271ce85acf8 /arch
parent	fd181c72a3c202a3986bcee7551c0838265aec2a (diff)