Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

powerpc: Fix machine check problem on 32-bit kernels

This fixes a bug found by Dave Jones that means that it is possible
for userspace to provoke a machine check on 32-bit kernels.  This
also fixes a couple of other places where I found similar problems
by inspection.

Signed-off-by: Paul Mackerras <paulus@samba.org>
Paul Mackerras 19 years ago
parent
1def630a6a
commit
7c85d1f9d3
2 changed files with 12 additions and 1 deletions
Unified View Show Diff Stats
  1. 10 1
      arch/powerpc/kernel/signal_32.c
  2. 2 0
      arch/powerpc/kernel/signal_64.c

+ 10 - 1
arch/powerpc/kernel/signal_32.c
View File 

@@ -803,10 +803,13 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int
 
 		if (__get_user(cmcp, &ucp->uc_regs))
 
 		if (__get_user(cmcp, &ucp->uc_regs))
 
 			return -EFAULT;
 
 			return -EFAULT;
 
 		mcp = (struct mcontext __user *)(u64)cmcp;
 
 		mcp = (struct mcontext __user *)(u64)cmcp;
 
+		/* no need to check access_ok(mcp), since mcp < 4GB */
 
 	}
 
 	}
 
 #else
 
 #else
 
 	if (__get_user(mcp, &ucp->uc_regs))
 
 	if (__get_user(mcp, &ucp->uc_regs))
 
 		return -EFAULT;
 
 		return -EFAULT;
 
+	if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
 
+		return -EFAULT;
 
 #endif
 
 #endif
 
 	restore_sigmask(&set);
 
 	restore_sigmask(&set);
 
 	if (restore_user_regs(regs, mcp, sig))
 
 	if (restore_user_regs(regs, mcp, sig))
 
@@ -908,13 +911,14 @@ int sys_debug_setcontext(struct ucontext __user *ctx,
 
 {
 
 {
 
 	struct sig_dbg_op op;
 
 	struct sig_dbg_op op;
 
 	int i;
 
 	int i;
 
+	unsigned char tmp;
 
 	unsigned long new_msr = regs->msr;
 
 	unsigned long new_msr = regs->msr;
 
 #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
 
 #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
 
 	unsigned long new_dbcr0 = current->thread.dbcr0;
 
 	unsigned long new_dbcr0 = current->thread.dbcr0;
 
 #endif
 
 #endif
 
 
 
 	for (i=0; i<ndbg; i++) {
 
 	for (i=0; i<ndbg; i++) {
 
-		if (__copy_from_user(&op, dbg, sizeof(op)))
 
+		if (copy_from_user(&op, dbg + i, sizeof(op)))
 
 			return -EFAULT;
 
 			return -EFAULT;
 
 		switch (op.dbg_type) {
 
 		switch (op.dbg_type) {
 
 		case SIG_DBG_SINGLE_STEPPING:
 
 		case SIG_DBG_SINGLE_STEPPING:
 
@@ -959,6 +963,11 @@ int sys_debug_setcontext(struct ucontext __user *ctx,
 
 	current->thread.dbcr0 = new_dbcr0;
 
 	current->thread.dbcr0 = new_dbcr0;
 
 #endif
 
 #endif
 
 
 
+	if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx))
 
+	    || __get_user(tmp, (u8 __user *) ctx)
 
+	    || __get_user(tmp, (u8 __user *) (ctx + 1) - 1))
 
+		return -EFAULT;
 
+
 
 	/*
 
 	/*
 
 	 * If we get a fault copying the context into the kernel's
 
 	 * If we get a fault copying the context into the kernel's
 
 	 * image of the user's registers, we can't just return -EFAULT
 
 	 * image of the user's registers, we can't just return -EFAULT

+ 2 - 0
arch/powerpc/kernel/signal_64.c
View File 

@@ -182,6 +182,8 @@ static long restore_sigcontext(struct pt_regs *regs, sigset_t *set, int sig,
 
 	err |= __get_user(msr, &sc->gp_regs[PT_MSR]);
 
 	err |= __get_user(msr, &sc->gp_regs[PT_MSR]);
 
 	if (err)
 
 	if (err)
 
 		return err;
 
 		return err;
 
+	if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
 
+		return -EFAULT;
 
 	/* Copy 33 vec registers (vr0..31 and vscr) from the stack */
 
 	/* Copy 33 vec registers (vr0..31 and vscr) from the stack */
 
 	if (v_regs != 0 && (msr & MSR_VEC) != 0)
 
 	if (v_regs != 0 && (msr & MSR_VEC) != 0)
 
 		err |= __copy_from_user(current->thread.vr, v_regs,
 
 		err |= __copy_from_user(current->thread.vr, v_regs,