Gentoo's Bugzilla – Attachment 248720 Details for
Bug 337659
Kernel: IA32 Emulation Stack Underflow (CVE-2010-3081)
[patch]
Backported patch for 2.6.34.7
2.6.34.7_compat_alloc_user_space-incorporate-access_ok.patch (text/plain), 7.77 KB, created by
kfm
on 2010-09-26 23:59:12 UTC
Description:
Backported patch for 2.6.34.7
Filename:
MIME Type:
Creator:
kfm
Created:
2010-09-26 23:59:12 UTC
Size:
7.77 KB
>Backported for 2.6.34.7 by Kerin Millar <kerframil@gmail.com>
>---
>
>From: H. Peter Anvin <hpa@linux.intel.com>
>Date: Tue, 7 Sep 2010 23:16:18 +0000 (-0700)
>Subject: compat: Make compat_alloc_user_space() incorporate the access_ok()
>X-Git-Tag: v2.6.32.22~62
>X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.32.y.git;a=commitdiff_plain;h=337b16213b3810a982e34f4b9497745c700da8a0
>
>compat: Make compat_alloc_user_space() incorporate the access_ok()
>
>commit c41d68a513c71e35a14f66d71782d27a79a81ea6 upstream.
>
>compat_alloc_user_space() expects the caller to independently call
>access_ok() to verify the returned area. A missing call could
>introduce problems on some architectures.
>
>This patch incorporates the access_ok() check into
>compat_alloc_user_space() and also adds a sanity check on the length.
>The existing compat_alloc_user_space() implementations are renamed
>arch_compat_alloc_user_space() and are used as part of the
>implementation of the new global function.
>
>This patch assumes NULL will cause __get_user()/__put_user() to either
>fail or access userspace on all architectures. This should be
>followed by checking the return value of compat_access_user_space()
>for NULL in the callers, at which time the access_ok() in the callers
>can also be removed.
>
>Reported-by: Ben Hawkes <hawkes@sota.gen.nz>
>Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
>Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>Acked-by: Chris Metcalf <cmetcalf@tilera.com>
>Acked-by: David S. Miller <davem@davemloft.net>
>Acked-by: Ingo Molnar <mingo@elte.hu>
>Acked-by: Thomas Gleixner <tglx@linutronix.de>
>Acked-by: Tony Luck <tony.luck@intel.com>
>Cc: Andrew Morton <akpm@linux-foundation.org>
>Cc: Arnd Bergmann <arnd@arndb.de>
>Cc: Fenghua Yu <fenghua.yu@intel.com>
>Cc: H. Peter Anvin <hpa@zytor.com>
>Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
>Cc: Helge Deller <deller@gmx.de>
>Cc: James Bottomley <jejb@parisc-linux.org>
>Cc: Kyle McMartin <kyle@mcmartin.ca>
>Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
>Cc: Paul Mackerras <paulus@samba.org>
>Cc: Ralf Baechle <ralf@linux-mips.org>
>Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>---
>
>diff -urp linux-2.6.34.7.orig/arch/ia64/include/asm/compat.h linux-2.6.34.7/arch/ia64/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/ia64/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/ia64/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr)
> }
>
> static __inline__ void __user *
>-compat_alloc_user_space (long len)
>+arch_compat_alloc_user_space (long len)
> {
> struct pt_regs *regs = task_pt_regs(current);
> return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len);
>diff -urp linux-2.6.34.7.orig/arch/mips/include/asm/compat.h linux-2.6.34.7/arch/mips/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/mips/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/mips/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compa
> return (u32)(unsigned long)uptr;
> }
>
>-static inline void __user *compat_alloc_user_space(long len)
>+static inline void __user *arch_compat_alloc_user_space(long len)
> {
> struct pt_regs *regs = (struct pt_regs *)
> ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1;
>diff -urp linux-2.6.34.7.orig/arch/parisc/include/asm/compat.h linux-2.6.34.7/arch/parisc/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/parisc/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/parisc/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compa
> return (u32)(unsigned long)uptr;
> }
>
>-static __inline__ void __user *compat_alloc_user_space(long len)
>+static __inline__ void __user *arch_compat_alloc_user_space(long len)
> {
> struct pt_regs *regs = ¤t->thread.regs;
> return (void __user *)regs->gr[30];
>diff -urp linux-2.6.34.7.orig/arch/powerpc/include/asm/compat.h linux-2.6.34.7/arch/powerpc/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/powerpc/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/powerpc/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compa
> return (u32)(unsigned long)uptr;
> }
>
>-static inline void __user *compat_alloc_user_space(long len)
>+static inline void __user *arch_compat_alloc_user_space(long len)
> {
> struct pt_regs *regs = current->thread.regs;
> unsigned long usp = regs->gpr[1];
>diff -urp linux-2.6.34.7.orig/arch/s390/include/asm/compat.h linux-2.6.34.7/arch/s390/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/s390/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/s390/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -181,7 +181,7 @@ static inline int is_compat_task(void)
>
> #endif
>
>-static inline void __user *compat_alloc_user_space(long len)
>+static inline void __user *arch_compat_alloc_user_space(long len)
> {
> unsigned long stack;
>
>diff -urp linux-2.6.34.7.orig/arch/sparc/include/asm/compat.h linux-2.6.34.7/arch/sparc/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/sparc/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/sparc/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compa
> return (u32)(unsigned long)uptr;
> }
>
>-static inline void __user *compat_alloc_user_space(long len)
>+static inline void __user *arch_compat_alloc_user_space(long len)
> {
> struct pt_regs *regs = current_thread_info()->kregs;
> unsigned long usp = regs->u_regs[UREG_I6];
>diff -urp linux-2.6.34.7.orig/arch/x86/include/asm/compat.h linux-2.6.34.7/arch/x86/include/asm/compat.h
>--- linux-2.6.34.7.orig/arch/x86/include/asm/compat.h 2010-05-16 22:17:36.000000000 +0100
>+++ linux-2.6.34.7/arch/x86/include/asm/compat.h 2010-09-27 00:53:03.712604894 +0100
>@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compa
> return (u32)(unsigned long)uptr;
> }
>
>-static inline void __user *compat_alloc_user_space(long len)
>+static inline void __user *arch_compat_alloc_user_space(long len)
> {
> struct pt_regs *regs = task_pt_regs(current);
> return (void __user *)regs->sp - len;
>diff -urp linux-2.6.34.7.orig/include/linux/compat.h linux-2.6.34.7/include/linux/compat.h
>--- linux-2.6.34.7.orig/include/linux/compat.h 2010-09-26 23:12:10.377096155 +0100
>+++ linux-2.6.34.7/include/linux/compat.h 2010-09-27 00:54:31.405104526 +0100
>@@ -360,5 +360,8 @@ extern ssize_t compat_rw_copy_check_uvec
> const struct compat_iovec __user *uvector, unsigned long nr_segs,
> unsigned long fast_segs, struct iovec *fast_pointer,
> struct iovec **ret_pointer);
>+
>+extern void __user *compat_alloc_user_space(unsigned long len);
>+
> #endif /* CONFIG_COMPAT */
> #endif /* _LINUX_COMPAT_H */
>diff -urp linux-2.6.34.7.orig/kernel/compat.c linux-2.6.34.7/kernel/compat.c
>--- linux-2.6.34.7.orig/kernel/compat.c 2010-09-26 23:12:10.381096260 +0100
>+++ linux-2.6.34.7/kernel/compat.c 2010-09-27 00:55:28.401102437 +0100
>@@ -25,6 +25,7 @@
> #include <linux/posix-timers.h>
> #include <linux/times.h>
> #include <linux/ptrace.h>
>+#include <linux/module.h>
> #include <linux/gfp.h>
>
> #include <asm/uaccess.h>
>@@ -1137,3 +1138,24 @@ compat_sys_sysinfo(struct compat_sysinfo
>
> return 0;
> }
>+
>+/*
>+ * Allocate user-space memory for the duration of a single system call,
>+ * in order to marshall parameters inside a compat thunk.
>+ */
>+void __user *compat_alloc_user_space(unsigned long len)
>+{
>+ void __user *ptr;
>+
>+ /* If len would occupy more than half of the entire compat space... */
>+ if (unlikely(len > (((compat_uptr_t)~0) >> 1)))
>+ return NULL;
>+
>+ ptr = arch_compat_alloc_user_space(len);
>+
>+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len)))
>+ return NULL;
>+
>+ return ptr;
>+}
>+EXPORT_SYMBOL_GPL(compat_alloc_user_space);
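Review bot: The header comment on compat_alloc_user_space() in the last kernel/compat.c hunk does not say that the function can now return NULL, which is the part of the new contract callers most need to know. Both the length bound (len above half the compat address range) and a failed access_ok(VERIFY_WRITE, ptr, len) return NULL, and no caller is updated in this patch; the commit message relies on __get_user()/__put_user() failing on a NULL pointer until the callers are converted. I would extend the comment with `Returns NULL if len exceeds half the compat address space or the range fails access_ok(); callers must check for NULL.` Whether every existing 2.6.34.7 caller touches the result only through fault-checked accessors cannot be confirmed from the lines shown, so that follow-up audit is worth tracking alongside this backport.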
Attachments on
bug 337659
: 248720 |
248808
|
248810