From 06c03cac9487555478c7d80065ebf7818bf6fd06 Mon Sep 17 00:00:00 2001 From: Lennert Buytenhek Date: Mon, 7 Nov 2005 21:12:07 +0000 Subject: [ARM] 3117/1: nwfpe kernel memory info leak Patch from Lennert Buytenhek The routine that nwfpe uses for converting floats/doubles to extended precision fails to zero two bytes of kernel stack. This is not immediately obvious, as the floatx80 structure has 16 bits of implicit padding (by design.) These two bytes are copied to userspace when an stfe is emulated, causing a possible info leak. Make the padding explicit and zero it out in the relevant places. Signed-off-by: Lennert Buytenhek Signed-off-by: Russell King --- arch/arm/nwfpe/fpopcode.c | 16 ++++++++-------- arch/arm/nwfpe/softfloat-specialize | 1 + arch/arm/nwfpe/softfloat.c | 6 ++++++ arch/arm/nwfpe/softfloat.h | 1 + 4 files changed, 16 insertions(+), 8 deletions(-) (limited to 'arch/arm/nwfpe') diff --git a/arch/arm/nwfpe/fpopcode.c b/arch/arm/nwfpe/fpopcode.c index 4c9f5703148c..67ff2ab08ea0 100644 --- a/arch/arm/nwfpe/fpopcode.c +++ b/arch/arm/nwfpe/fpopcode.c @@ -29,14 +29,14 @@ #ifdef CONFIG_FPE_NWFPE_XP const floatx80 floatx80Constant[] = { - {0x0000, 0x0000000000000000ULL}, /* extended 0.0 */ - {0x3fff, 0x8000000000000000ULL}, /* extended 1.0 */ - {0x4000, 0x8000000000000000ULL}, /* extended 2.0 */ - {0x4000, 0xc000000000000000ULL}, /* extended 3.0 */ - {0x4001, 0x8000000000000000ULL}, /* extended 4.0 */ - {0x4001, 0xa000000000000000ULL}, /* extended 5.0 */ - {0x3ffe, 0x8000000000000000ULL}, /* extended 0.5 */ - {0x4002, 0xa000000000000000ULL} /* extended 10.0 */ + { .high = 0x0000, .low = 0x0000000000000000ULL},/* extended 0.0 */ + { .high = 0x3fff, .low = 0x8000000000000000ULL},/* extended 1.0 */ + { .high = 0x4000, .low = 0x8000000000000000ULL},/* extended 2.0 */ + { .high = 0x4000, .low = 0xc000000000000000ULL},/* extended 3.0 */ + { .high = 0x4001, .low = 0x8000000000000000ULL},/* extended 4.0 */ + { .high = 0x4001, .low = 0xa000000000000000ULL},/* extended 5.0 */ + { .high = 0x3ffe, .low = 0x8000000000000000ULL},/* extended 0.5 */ + { .high = 0x4002, .low = 0xa000000000000000ULL},/* extended 10.0 */ }; #endif diff --git a/arch/arm/nwfpe/softfloat-specialize b/arch/arm/nwfpe/softfloat-specialize index acf409144763..d4a4c8e06635 100644 --- a/arch/arm/nwfpe/softfloat-specialize +++ b/arch/arm/nwfpe/softfloat-specialize @@ -332,6 +332,7 @@ static floatx80 commonNaNToFloatx80( commonNaNT a ) z.low = LIT64( 0xC000000000000000 ) | ( a.high>>1 ); z.high = ( ( (bits16) a.sign )<<15 ) | 0x7FFF; + z.__padding = 0; return z; } diff --git a/arch/arm/nwfpe/softfloat.c b/arch/arm/nwfpe/softfloat.c index f9f049132a17..0f9656e482ba 100644 --- a/arch/arm/nwfpe/softfloat.c +++ b/arch/arm/nwfpe/softfloat.c @@ -531,6 +531,7 @@ INLINE floatx80 packFloatx80( flag zSign, int32 zExp, bits64 zSig ) z.low = zSig; z.high = ( ( (bits16) zSign )<<15 ) + zExp; + z.__padding = 0; return z; } @@ -2831,6 +2832,7 @@ static floatx80 subFloatx80Sigs( struct roundingData *roundData, floatx80 a, flo roundData->exception |= float_flag_invalid; z.low = floatx80_default_nan_low; z.high = floatx80_default_nan_high; + z.__padding = 0; return z; } if ( aExp == 0 ) { @@ -2950,6 +2952,7 @@ floatx80 floatx80_mul( struct roundingData *roundData, floatx80 a, floatx80 b ) roundData->exception |= float_flag_invalid; z.low = floatx80_default_nan_low; z.high = floatx80_default_nan_high; + z.__padding = 0; return z; } return packFloatx80( zSign, 0x7FFF, LIT64( 0x8000000000000000 ) ); @@ -3015,6 +3018,7 @@ floatx80 floatx80_div( struct roundingData *roundData, floatx80 a, floatx80 b ) roundData->exception |= float_flag_invalid; z.low = floatx80_default_nan_low; z.high = floatx80_default_nan_high; + z.__padding = 0; return z; } roundData->exception |= float_flag_divbyzero; @@ -3093,6 +3097,7 @@ floatx80 floatx80_rem( struct roundingData *roundData, floatx80 a, floatx80 b ) roundData->exception |= float_flag_invalid; z.low = floatx80_default_nan_low; z.high = floatx80_default_nan_high; + z.__padding = 0; return z; } normalizeFloatx80Subnormal( bSig, &bExp, &bSig ); @@ -3184,6 +3189,7 @@ floatx80 floatx80_sqrt( struct roundingData *roundData, floatx80 a ) roundData->exception |= float_flag_invalid; z.low = floatx80_default_nan_low; z.high = floatx80_default_nan_high; + z.__padding = 0; return z; } if ( aExp == 0 ) { diff --git a/arch/arm/nwfpe/softfloat.h b/arch/arm/nwfpe/softfloat.h index 14151700b6b2..1301d97e037f 100644 --- a/arch/arm/nwfpe/softfloat.h +++ b/arch/arm/nwfpe/softfloat.h @@ -55,6 +55,7 @@ typedef unsigned long int float32; typedef unsigned long long float64; typedef struct { unsigned short high; + unsigned short __padding; unsigned long long low; } floatx80; -- cgit v1.2.2 From bedf142b8bba4331ed93161292a4ce4f8cde7308 Mon Sep 17 00:00:00 2001 From: Lennert Buytenhek Date: Mon, 7 Nov 2005 21:12:08 +0000 Subject: [ARM] 3118/1: fix and reenable nwfpe extended precision emulation for big-endian Patch from Lennert Buytenhek nwfpe extended precision emulation used to be broken on big-endian and was therefore disabled. This patch fixes nwfpe so that it copies extended precision floats to/from userspace in the proper word order (similar to patch #2046, see the description of that patch for an explanation) and reenables the Kconfig option. Signed-off-by: Lennert Buytenhek Signed-off-by: Russell King --- arch/arm/nwfpe/fpa11.h | 2 +- arch/arm/nwfpe/fpa11_cpdt.c | 10 ++++++++++ arch/arm/nwfpe/softfloat.h | 15 ++++++++++----- 3 files changed, 21 insertions(+), 6 deletions(-) (limited to 'arch/arm/nwfpe') diff --git a/arch/arm/nwfpe/fpa11.h b/arch/arm/nwfpe/fpa11.h index 9677ae8448e8..da4c616b6c49 100644 --- a/arch/arm/nwfpe/fpa11.h +++ b/arch/arm/nwfpe/fpa11.h @@ -60,7 +60,7 @@ typedef union tagFPREG { #ifdef CONFIG_FPE_NWFPE_XP floatx80 fExtended; #else - int padding[3]; + u32 padding[3]; #endif } FPREG; diff --git a/arch/arm/nwfpe/fpa11_cpdt.c b/arch/arm/nwfpe/fpa11_cpdt.c index b0db5cbcc3b1..32859fa8dcfc 100644 --- a/arch/arm/nwfpe/fpa11_cpdt.c +++ b/arch/arm/nwfpe/fpa11_cpdt.c @@ -59,8 +59,13 @@ static inline void loadExtended(const unsigned int Fn, const unsigned int __user p = (unsigned int *) &fpa11->fpreg[Fn].fExtended; fpa11->fType[Fn] = typeExtended; get_user(p[0], &pMem[0]); /* sign & exponent */ +#ifdef __ARMEB__ + get_user(p[1], &pMem[1]); /* ms bits */ + get_user(p[2], &pMem[2]); /* ls bits */ +#else get_user(p[1], &pMem[2]); /* ls bits */ get_user(p[2], &pMem[1]); /* ms bits */ +#endif } #endif @@ -177,8 +182,13 @@ static inline void storeExtended(const unsigned int Fn, unsigned int __user *pMe } put_user(val.i[0], &pMem[0]); /* sign & exp */ +#ifdef __ARMEB__ + put_user(val.i[1], &pMem[1]); /* msw */ + put_user(val.i[2], &pMem[2]); +#else put_user(val.i[1], &pMem[2]); put_user(val.i[2], &pMem[1]); /* msw */ +#endif } #endif diff --git a/arch/arm/nwfpe/softfloat.h b/arch/arm/nwfpe/softfloat.h index 1301d97e037f..978c699673c6 100644 --- a/arch/arm/nwfpe/softfloat.h +++ b/arch/arm/nwfpe/softfloat.h @@ -51,12 +51,17 @@ input or output the `floatx80' type will be defined. Software IEC/IEEE floating-point types. ------------------------------------------------------------------------------- */ -typedef unsigned long int float32; -typedef unsigned long long float64; +typedef u32 float32; +typedef u64 float64; typedef struct { - unsigned short high; - unsigned short __padding; - unsigned long long low; +#ifdef __ARMEB__ + u16 __padding; + u16 high; +#else + u16 high; + u16 __padding; +#endif + u64 low; } floatx80; /* -- cgit v1.2.2