Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 248808 Details for
Bug 337659
Kernel: IA32 Emulation Stack Underflow (CVE-2010-3081)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches cleanly against 2.6.34-r10
2.6.34-compat-alloc.patch (text/plain), 6.99 KB, created by
Isaac Richter
on 2010-09-27 16:30:36 UTC
(
hide
)
Description:
Patches cleanly against 2.6.34-r10
Filename:
MIME Type:
Creator:
Isaac Richter
Created:
2010-09-27 16:30:36 UTC
Size:
6.99 KB
patch
obsolete
>From c41d68a513c71e35a14f66d71782d27a79a81ea6 Mon Sep 17 00:00:00 2001 >From: H. Peter Anvin <hpa@linux.intel.com> >Date: Tue, 7 Sep 2010 16:16:18 -0700 >Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok() > >compat_alloc_user_space() expects the caller to independently call >access_ok() to verify the returned area. A missing call could >introduce problems on some architectures. > >This patch incorporates the access_ok() check into >compat_alloc_user_space() and also adds a sanity check on the length. >The existing compat_alloc_user_space() implementations are renamed >arch_compat_alloc_user_space() and are used as part of the >implementation of the new global function. > >This patch assumes NULL will cause __get_user()/__put_user() to either >fail or access userspace on all architectures. This should be >followed by checking the return value of compat_access_user_space() >for NULL in the callers, at which time the access_ok() in the callers >can also be removed. > >Reported-by: Ben Hawkes <hawkes@sota.gen.nz> >Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> >Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> >Acked-by: Chris Metcalf <cmetcalf@tilera.com> >Acked-by: David S. Miller <davem@davemloft.net> >Acked-by: Ingo Molnar <mingo@elte.hu> >Acked-by: Thomas Gleixner <tglx@linutronix.de> >Acked-by: Tony Luck <tony.luck@intel.com> >Cc: Andrew Morton <akpm@linux-foundation.org> >Cc: Arnd Bergmann <arnd@arndb.de> >Cc: Fenghua Yu <fenghua.yu@intel.com> >Cc: H. Peter Anvin <hpa@zytor.com> >Cc: Heiko Carstens <heiko.carstens@de.ibm.com> >Cc: Helge Deller <deller@gmx.de> >Cc: James Bottomley <jejb@parisc-linux.org> >Cc: Kyle McMartin <kyle@mcmartin.ca> >Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> >Cc: Paul Mackerras <paulus@samba.org> >Cc: Ralf Baechle <ralf@linux-mips.org> >Cc: <stable@kernel.org> >--- > arch/ia64/include/asm/compat.h | 2 +- > arch/mips/include/asm/compat.h | 2 +- > arch/parisc/include/asm/compat.h | 2 +- > arch/powerpc/include/asm/compat.h | 2 +- > arch/s390/include/asm/compat.h | 2 +- > arch/sparc/include/asm/compat.h | 2 +- >#Removed since gentoo does not support arch/tile/include/asm/compat.h | 2 +- > arch/x86/include/asm/compat.h | 2 +- > include/linux/compat.h | 3 +++ > kernel/compat.c | 21 +++++++++++++++++++++ > 10 files changed, 32 insertions(+), 8 deletions(-) > >diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h >index f90edc8..9301a28 100644 >--- a/arch/ia64/include/asm/compat.h >+++ b/arch/ia64/include/asm/compat.h >@@ -199,7 +199,7 @@ ptr_to_compat(void __user *uptr) > } > > static __inline__ void __user * >-compat_alloc_user_space (long len) >+arch_compat_alloc_user_space (long len) > { > struct pt_regs *regs = task_pt_regs(current); > return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len); >diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h >index 613f691..dbc5106 100644 >--- a/arch/mips/include/asm/compat.h >+++ b/arch/mips/include/asm/compat.h >@@ -145,7 +145,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) > return (u32)(unsigned long)uptr; > } > >-static inline void __user *compat_alloc_user_space(long len) >+static inline void __user *arch_compat_alloc_user_space(long len) > { > struct pt_regs *regs = (struct pt_regs *) > ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1; >diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h >index 02b77ba..efa0b60 100644 >--- a/arch/parisc/include/asm/compat.h >+++ b/arch/parisc/include/asm/compat.h >@@ -147,7 +147,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) > return (u32)(unsigned long)uptr; > } > >-static __inline__ void __user *compat_alloc_user_space(long len) >+static __inline__ void __user *arch_compat_alloc_user_space(long len) > { > struct pt_regs *regs = ¤t->thread.regs; > return (void __user *)regs->gr[30]; >diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h >index 396d21a..a11d4ea 100644 >--- a/arch/powerpc/include/asm/compat.h >+++ b/arch/powerpc/include/asm/compat.h >@@ -134,7 +134,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) > return (u32)(unsigned long)uptr; > } > >-static inline void __user *compat_alloc_user_space(long len) >+static inline void __user *arch_compat_alloc_user_space(long len) > { > struct pt_regs *regs = current->thread.regs; > unsigned long usp = regs->gpr[1]; >diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h >index 104f200..a875c2f 100644 >--- a/arch/s390/include/asm/compat.h >+++ b/arch/s390/include/asm/compat.h >@@ -181,7 +181,7 @@ static inline int is_compat_task(void) > > #endif > >-static inline void __user *compat_alloc_user_space(long len) >+static inline void __user *arch_compat_alloc_user_space(long len) > { > unsigned long stack; > >diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h >index 5016f76..6f57325 100644 >--- a/arch/sparc/include/asm/compat.h >+++ b/arch/sparc/include/asm/compat.h >@@ -167,7 +167,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) > return (u32)(unsigned long)uptr; > } > >-static inline void __user *compat_alloc_user_space(long len) >+static inline void __user *arch_compat_alloc_user_space(long len) > { > struct pt_regs *regs = current_thread_info()->kregs; > unsigned long usp = regs->u_regs[UREG_I6]; >diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h >index 306160e..1d9cd27 100644 >--- a/arch/x86/include/asm/compat.h >+++ b/arch/x86/include/asm/compat.h >@@ -205,7 +205,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) > return (u32)(unsigned long)uptr; > } > >-static inline void __user *compat_alloc_user_space(long len) >+static inline void __user *arch_compat_alloc_user_space(long len) > { > struct pt_regs *regs = task_pt_regs(current); > return (void __user *)regs->sp - len; >diff --git a/include/linux/compat.h b/include/linux/compat.h >index 9ddc878..5778b55 100644 >--- a/include/linux/compat.h >+++ b/include/linux/compat.h >@@ -356,5 +356,7 @@ asmlinkage long compat_sys_newfstatat(un > asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename, > int flags, int mode); > >+extern void __user *compat_alloc_user_space(unsigned long len); >+ > #endif /* CONFIG_COMPAT */ > #endif /* _LINUX_COMPAT_H */ >diff --git a/kernel/compat.c b/kernel/compat.c >index e167efc..c9e2ec0 100644 >--- a/kernel/compat.c >+++ b/kernel/compat.c >@@ -1126,3 +1140,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info) > > return 0; > } >+ >+/* >+ * Allocate user-space memory for the duration of a single system call, >+ * in order to marshall parameters inside a compat thunk. >+ */ >+void __user *compat_alloc_user_space(unsigned long len) >+{ >+ void __user *ptr; >+ >+ /* If len would occupy more than half of the entire compat space... */ >+ if (unlikely(len > (((compat_uptr_t)~0) >> 1))) >+ return NULL; >+ >+ ptr = arch_compat_alloc_user_space(len); >+ >+ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len))) >+ return NULL; >+ >+ return ptr; >+} >+EXPORT_SYMBOL_GPL(compat_alloc_user_space); >-- >1.7.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 337659
:
248720
| 248808 |
248810