From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Dave Martin", "Paul Burton", "Ralf Baechle", "Maciej W. Rozycki", "Alex Smith", "James Hogan", linux-mips@linux-mips.org
Date: Wed, 28 Feb 2018 15:20:18 +0000
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 108/254] MIPS: Guard against any partial write attempt with PTRACE_SETREGSET

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Maciej W. Rozycki"

commit dc24d0edf33c3e15099688b6bbdf7bdc24bf6e91 upstream.

Complement commit d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write") and ensure that no partial register write attempt is made with PTRACE_SETREGSET, as we do not preinitialize any temporaries used to hold incoming register data and consequently random data could be written.

It is the responsibility of the caller, such as `ptrace_regset', to arrange for writes to span whole registers only, so here we only assert that it has indeed happened.

Signed-off-by: Maciej W. Rozycki
Fixes: 72b22bbad1e7 ("MIPS: Don't assume 64-bit FP registers for FP regset")
Cc: James Hogan
Cc: Paul Burton
Cc: Alex Smith
Cc: Dave Martin
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17926/
Signed-off-by: Ralf Baechle
Signed-off-by: Ben Hutchings
---
 arch/mips/kernel/ptrace.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c
@@ -535,7 +535,15 @@ static int fpr_set_msa(struct task_struc return 0; } -/* Copy the supplied NT_PRFPREG buffer to the floating-point context. */ +/* + * Copy the supplied NT_PRFPREG buffer to the floating-point context. + * + * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0', + * which is supposed to have been guaranteed by the kernel before + * calling us, e.g. in `ptrace_regset'. We enforce that requirement, + * so that we can safely avoid preinitializing temporaries for + * partial register writes. + */ static int fpr_set(struct task_struct *target, const struct user_regset *regset, unsigned int pos, unsigned int count, @@ -543,6 +551,8 @@ static int fpr_set(struct task_struct *t { int err; + BUG_ON(count % sizeof(elf_fpreg_t)); + /* XXX fcr31 */ init_fp_ctx(target);
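
Review bot: In the first hunk, the new comment above fpr_set says "We optimize for the case where `count % sizeof(elf_fpreg_t) == 0'", which reads as if other values of count were handled on a slower path, while the function as patched does not handle them at all. Suggest wording it as a precondition and naming the consequence, i.e. that a count which is not a whole number of elf_fpreg_t entries is a caller bug and trips the BUG_ON at the top of the function, so a reader of the comment alone knows the failure is fatal rather than an error return.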
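
Review bot: In the second hunk, BUG_ON(count % sizeof(elf_fpreg_t)) at the top of fpr_set turns a broken caller contract into a kernel halt, on a path the commit message ties to PTRACE_SETREGSET. fpr_set returns int and already declares `int err`, so a WARN_ON_ONCE followed by an error return would equally keep the uninitialised temporaries from being written while confining the failure to the one request. The assertion also tests only `count`; if `pos` is likewise expected to fall on a register boundary, it would be worth asserting that too or saying in the comment why it cannot be otherwise.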