Re: [PATCH 4/5] MIPS: Execute any partial write of the last register with PTRACE_SETREGSET
From: Dave Martin <Dave.Martin@arm.com>
Date: 2017-11-30 17:28:46
Also in: lkml, stable
On Wed, Nov 29, 2017 at 03:21:14PM +0000, Maciej W. Rozycki wrote:
Fix a commit d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write") bug and allow the last register requested with a ptrace(2) PTRACE_SETREGSET call to be partially written if supplied this way by the caller, like with other register sets. Cc: stable@vger.kernel.org # v4.11+ Fixes: d614fd58a283 ("mips/ptrace: Preserve previous registers for short regset write") Signed-off-by: Maciej W. Rozycki <redacted> --- arch/mips/kernel/ptrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) linux-mips-nt-prfpreg-count.diff Index: linux-sfr-test/arch/mips/kernel/ptrace.c ===================================================================--- linux-sfr-test.orig/arch/mips/kernel/ptrace.c 2017-11-21 22:12:00.000000000 +0000 +++ linux-sfr-test/arch/mips/kernel/ptrace.c 2017-11-21 22:13:13.471970000 +0000@@ -484,7 +484,7 @@ static int fpr_set_msa(struct task_struc int err; BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); - for (i = 0; i < NUM_FPU_REGS && *count >= sizeof(elf_fpreg_t); i++) { + for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) { err = user_regset_copyin(pos, count, kbuf, ubuf, &fpr_val, i * sizeof(elf_fpreg_t), (i + 1) * sizeof(elf_fpreg_t));
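Review bot: relaxing the loop guard from `*count >= sizeof(elf_fpreg_t)` to `*count > 0` admits an iteration with fewer than sizeof(elf_fpreg_t) bytes left, and in that case `user_regset_copyin(pos, count, kbuf, ubuf, &fpr_val, i * sizeof(elf_fpreg_t), (i + 1) * sizeof(elf_fpreg_t))` fills only the leading bytes of the stack variable `fpr_val`, so whatever the loop body does with `fpr_val` after the copyin (not shown in the hunk) sees unwritten trailing bytes; that is the very exposure d614fd58a283, which the message says this fixes, was meant to close. If a trailing partial register is really to be accepted, initialise `fpr_val` from the target's current register i before the copyin so only the supplied bytes change; if the partial case cannot occur because `ptrace_regset()` rejects `iov_len % regset->size != 0`, the commit message should say so and describe the change as a simplification rather than as enabling partial writes.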
But mips*_regsets[REGSET_FPR].size == sizeof(elf_fpreg_t), linux/kernel/regset.c:ptrace_regset() polices iov_len % regset->size == 0, and each user_regset_copyout() call here transfers sizeof(elf_fpreg_t) bytes, decrementing *count by that amount unless something goes wrong in which case we return.

So how do we end up with *count > 0 && *count < sizeof(elf_fpreg_t) here?

If we can't end up with that, then this patch doesn't change ABI-observable behaviour, unless I've missed something.

If we can end up with that somehow, then this patch reintroduces the issue d614fd58a283 aims to fix, whereby fpr_val can contain uninitialised kernel stack which userspace can then obtain via PTRACE_GETREGSET.

Cheers
---Dave