From: "Dmitry V. Levin" <[email protected]>
RISC-V syscall arguments are located in orig_a0,a1..a5 fields
of struct pt_regs.
Due to an off-by-one bug and a bug in pointer arithmetic
syscall_get_arguments() was reading s3..s7 fields instead of a1..a5.
Likewise, syscall_set_arguments() was writing s3..s7 fields
instead of a1..a5.
Link: http://lkml.kernel.org/r/[email protected]
Fixes: e2c0cdfba7f69 ("RISC-V: User-facing API")
Cc: Ingo Molnar <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Will Drewry <[email protected]>
Cc: Palmer Dabbelt <[email protected]>
Cc: Albert Ou <[email protected]>
Cc: [email protected]
Cc: [email protected] # v4.15+
Signed-off-by: Dmitry V. Levin <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
---
arch/riscv/include/asm/syscall.h | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index bba3da6ef157..6ea9e1804233 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -79,10 +79,11 @@ static inline void syscall_get_arguments(struct task_struct *task,
if (i == 0) {
args[0] = regs->orig_a0;
args++;
- i++;
n--;
+ } else {
+ i--;
}
- memcpy(args, ®s->a1 + i * sizeof(regs->a1), n * sizeof(args[0]));
+ memcpy(args, ®s->a1 + i, n * sizeof(args[0]));
}
static inline void syscall_set_arguments(struct task_struct *task,
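Review bot: the i == 0 branch stores args[0] and then does n-- without checking that n is nonzero, so a call with i == 0 and n == 0 would fill a slot the caller did not ask for and, if n is unsigned, pass a wrapped length to memcpy. Unless the part of the function above this hunk already rules that out, an early return for n == 0 ahead of the if (i == 0) test would close it off. A short comment at the memcpy noting that &regs->a1 + i already advances in register-sized units would also help, since the removed i * sizeof(regs->a1) scaling is the pointer-arithmetic mistake the commit message describes.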
@@ -94,10 +95,11 @@ static inline void syscall_set_arguments(struct task_struct *task,
if (i == 0) {
regs->orig_a0 = args[0];
args++;
- i++;
n--;
- }
- memcpy(®s->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
+ } else {
+ i--;
+ }
+ memcpy(®s->a1 + i, args, n * sizeof(regs->a1));
}
static inline int syscall_get_arch(void)
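Review bot: the new copy length in this hunk is n * sizeof(regs->a1), while the matching memcpy in syscall_get_arguments() is sized with n * sizeof(args[0]); the two functions mirror each other and should size the copy the same way, so one of them is worth changing for consistency. Both copies also depend on a1..a5 being adjacent fields of one type in struct pt_regs, which nothing in the visible lines states; a one-line comment next to the memcpy would document that assumption for the next person who touches the struct layout.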
--
2.20.1
On Mon, Apr 01, 2019 at 09:41:07AM -0400, Steven Rostedt wrote:
> From: "Dmitry V. Levin" <[email protected]>
>
> RISC-V syscall arguments are located in orig_a0,a1..a5 fields
> of struct pt_regs.
>
> Due to an off-by-one bug and a bug in pointer arithmetic
> syscall_get_arguments() was reading s3..s7 fields instead of a1..a5.
> Likewise, syscall_set_arguments() was writing s3..s7 fields
> instead of a1..a5.
>
> Link: http://lkml.kernel.org/r/[email protected]
>
> Fixes: e2c0cdfba7f69 ("RISC-V: User-facing API")
> Cc: Ingo Molnar <[email protected]>
> Cc: Kees Cook <[email protected]>
> Cc: Andy Lutomirski <[email protected]>
> Cc: Will Drewry <[email protected]>
> Cc: Palmer Dabbelt <[email protected]>
> Cc: Albert Ou <[email protected]>
> Cc: [email protected]
> Cc: [email protected] # v4.15+
> Signed-off-by: Dmitry V. Levin <[email protected]>
> Signed-off-by: Steven Rostedt (VMware) <[email protected]>
According to
https://lore.kernel.org/lkml/mhng-8e9b547b-7fe3-43d2-9dea-b217de923605@palmer-si-x1c4/
the following tag could be added to this patch:
Acked-by: Palmer Dabbelt <[email protected]>
--
ldv
On Thu, 4 Apr 2019 17:02:10 +0300
"Dmitry V. Levin" <[email protected]> wrote:
> On Mon, Apr 01, 2019 at 09:41:07AM -0400, Steven Rostedt wrote:
> > From: "Dmitry V. Levin" <[email protected]>
> >
> > RISC-V syscall arguments are located in orig_a0,a1..a5 fields
> > of struct pt_regs.
> >
> > Due to an off-by-one bug and a bug in pointer arithmetic
> > syscall_get_arguments() was reading s3..s7 fields instead of a1..a5.
> > Likewise, syscall_set_arguments() was writing s3..s7 fields
> > instead of a1..a5.
> >
> > Link: http://lkml.kernel.org/r/[email protected]
> >
> > Fixes: e2c0cdfba7f69 ("RISC-V: User-facing API")
> > Cc: Ingo Molnar <[email protected]>
> > Cc: Kees Cook <[email protected]>
> > Cc: Andy Lutomirski <[email protected]>
> > Cc: Will Drewry <[email protected]>
> > Cc: Palmer Dabbelt <[email protected]>
> > Cc: Albert Ou <[email protected]>
> > Cc: [email protected]
> > Cc: [email protected] # v4.15+
> > Signed-off-by: Dmitry V. Levin <[email protected]>
> > Signed-off-by: Steven Rostedt (VMware) <[email protected]>
>
> According to
> https://lore.kernel.org/lkml/mhng-8e9b547b-7fe3-43d2-9dea-b217de923605@palmer-si-x1c4/
> the following tag could be added to this patch:
>
> Acked-by: Palmer Dabbelt <[email protected]>
That link isn't actually an ack. Palmer, you OK if I add it?
-- Steve
On Thu, 04 Apr 2019 07:26:53 PDT (-0700), [email protected] wrote:
> On Thu, 4 Apr 2019 17:02:10 +0300
> "Dmitry V. Levin" <[email protected]> wrote:
>
>> On Mon, Apr 01, 2019 at 09:41:07AM -0400, Steven Rostedt wrote:
>> > From: "Dmitry V. Levin" <[email protected]>
>> >
>> > RISC-V syscall arguments are located in orig_a0,a1..a5 fields
>> > of struct pt_regs.
>> >
>> > Due to an off-by-one bug and a bug in pointer arithmetic
>> > syscall_get_arguments() was reading s3..s7 fields instead of a1..a5.
>> > Likewise, syscall_set_arguments() was writing s3..s7 fields
>> > instead of a1..a5.
>> >
>> > Link: http://lkml.kernel.org/r/[email protected]
>> >
>> > Fixes: e2c0cdfba7f69 ("RISC-V: User-facing API")
>> > Cc: Ingo Molnar <[email protected]>
>> > Cc: Kees Cook <[email protected]>
>> > Cc: Andy Lutomirski <[email protected]>
>> > Cc: Will Drewry <[email protected]>
>> > Cc: Palmer Dabbelt <[email protected]>
>> > Cc: Albert Ou <[email protected]>
>> > Cc: [email protected]
>> > Cc: [email protected] # v4.15+
>> > Signed-off-by: Dmitry V. Levin <[email protected]>
>> > Signed-off-by: Steven Rostedt (VMware) <[email protected]>
>>
>> According to
>> https://lore.kernel.org/lkml/mhng-8e9b547b-7fe3-43d2-9dea-b217de923605@palmer-si-x1c4/
>> the following tag could be added to this patch:
>>
>> Acked-by: Palmer Dabbelt <[email protected]>
>
> That link isn't actually an ack. Palmer, you OK if I add it?
Acked-by: Palmer Dabbelt <[email protected]> (for the RISC-V parts)
Thanks!