On Wed, 2016-03-23 at 16:47 +1100, Cyril Bur wrote:

Currently start_thread() doesn't sanitise TAR.
=20
The TAR SPR register is a register that can be set and branched to, not
sanitising it presents an information leak to the new executable.
=20
Other SPR registers such as the Performance registers used by perf (and a=

re

managed entirely by perf) as well as the Event Based Branch (EBB) registe=

rs are

left alone by design as these fall into the same category as leaving file
descriptors open across exec(), it is up the parent thread to sanitise wh=

at it

c

ng start, unsigned long sp)

 	current->thread.vr_state.vscr.u[3] =3D 0x00010000; /* Java mode disable=

d */

 	current->thread.vr_save_area =3D NULL;
 	current->thread.vrsave =3D 0;
+	if (cpu_has_feature(CPU_FTR_ALTIVEC))
+		mtspr(SPRN_VRSAVE, 0);

VRSAVE is not mentioned in the commit message.

ong start, unsigned long sp)

 	current->thread.tm_texasr =3D 0;
 	current->thread.tm_tfiar =3D 0;
 #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
+#ifdef CONFIG_PPC_BOOK3S_64
+	/*
+	 * Zero out the SPRs.
+	 * Don't touch the ones use by perf, it controls them.
+	 * Don't touch the EBB regs. This falls into the same category of
+	 *   responsibly as open file descriptors across exec(), the parent sho=

uld

+	 *   sanitise if it feels it would be a problem
+	 */
+	current->thread.tar =3D 0;
+	if (cpu_has_feature(CPU_FTR_ARCH_206))
+		mtspr(SPRN_TAR, 0);
+#endif /* CONFIG_PPC_BOOK3S_64 */
 }
 EXPORT_SYMBOL(start_thread);
=20