x86_64: Zero extend all registers after ptrace in 32bit entry path.

Strictly it's only needed for eax.

It actually does a little more than strictly needed -- the other registers
are already zero extended.

Also remove the now unnecessary and non-functional compat task check
in ptrace.

This is CVE-2007-4573

Found by Wojciech Purczynski

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Andi Kleen and committed by
Linus Torvalds
176df245 335fb8fc

+15 -7
+15 -3
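--- a/arch/x86_64/ia32/ia32entry.S
+++ b/arch/x86_64/ia32/ia32entry.S
@@ -38,6 +38,18 @@
 	movq %rax,R8(%rsp)
 	.endm
 
+	.macro LOAD_ARGS32 offset
+	movl \offset(%rsp),%r11d
+	movl \offset+8(%rsp),%r10d
+	movl \offset+16(%rsp),%r9d
+	movl \offset+24(%rsp),%r8d
+	movl \offset+40(%rsp),%ecx
+	movl \offset+48(%rsp),%edx
+	movl \offset+56(%rsp),%esi
+	movl \offset+64(%rsp),%edi
+	movl \offset+72(%rsp),%eax
+	.endm
+
 	.macro CFI_STARTPROC32 simple
 	CFI_STARTPROC \simple
 	CFI_UNDEFINED r8
@@ -164,7 +152,7 @@
 	movq $-ENOSYS,RAX(%rsp) /* really needed? */
 	movq %rsp,%rdi /* &pt_regs -> arg1 */
 	call syscall_trace_enter
-	LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+	LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 	RESTORE_REST
 	movl %ebp, %ebp
 	/* no need to do an access_ok check here because rbp has been
@@ -267,7 +255,7 @@
 	movq $-ENOSYS,RAX(%rsp) /* really needed? */
 	movq %rsp,%rdi /* &pt_regs -> arg1 */
 	call syscall_trace_enter
-	LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+	LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 	RESTORE_REST
 	movl RSP-ARGOFFSET(%rsp), %r8d
 	/* no need to do an access_ok check here because r8 has been
@@ -346,7 +334,7 @@
 	movq $-ENOSYS,RAX(%rsp) /* really needed? */
 	movq %rsp,%rdi /* &pt_regs -> arg1 */
 	call syscall_trace_enter
-	LOAD_ARGS ARGOFFSET /* reload args from stack in case ptrace changed it */
+	LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
 	RESTORE_REST
 	jmp ia32_do_syscall
 END(ia32_syscall)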
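Review bot: LOAD_ARGS32 carries no comment saying that the `movl` operand size is deliberate, yet the implicit zero-extension of a 32-bit register write is the whole fix; the macro apparently differs from LOAD_ARGS only in that operand size, so a later reader "harmonising" it back to `movq` would silently reintroduce the problem the message describes. A short comment above `.macro LOAD_ARGS32 offset` would pin the invariant, e.g. `/* 32-bit loads on purpose: zero-extend every argument register and %eax (the +72 slot, presumably the syscall number) in case ptrace stored a 64-bit value. Do not change to movq. */`. The same hunk also writes the frame offsets as bare numbers (0 through 72, skipping +32) while the file elsewhere uses named slots such as `R8(%rsp)` and `RAX(%rsp)`; this likely mirrors the existing LOAD_ARGS, but named offsets would make the skipped slot self-explanatory. The three call sites in the later hunks sit inside entry paths whose bodies start and end outside the hunks, so the note applies to the first hunk only.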
-4
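--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -232,10 +232,6 @@
 {
 	unsigned long tmp;
 
-	/* Some code in the 64bit emulation may not be 64bit clean.
-	   Don't take any chances. */
-	if (test_tsk_thread_flag(child, TIF_IA32))
-		value &= 0xffffffff;
 	switch (regno) {
 	case offsetof(struct user_regs_struct,fs):
 		if (value && (value & 3) != 3)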