evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[PATCH] x86_64: Fix access check in ptrace compat

Browse source 
We can't safely directly access an compat_alloc_user_space() pointer
with the siginfo copy functions. Bounce it through the stack.

Noticed by Al Viro using sparse

[ This was only added post 2.6.17, not in any released kernel ]

Cc: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Andi Kleen 2006-07-10 17:06:24 +02:00 committed by Linus Torvalds
parent 1cfcea1b2d
commit 2c87e2cd0b
1 changed files with 10 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
arch/x86_64/ia32/ptrace32.c
View file

@ -202,17 +202,24 @@ static long ptrace32_siginfo(unsigned request, u32 pid, u32 addr, u32 data)
{ {
int ret; int ret;
compat_siginfo_t *si32 = (compat_siginfo_t *)compat_ptr(data); compat_siginfo_t *si32 = (compat_siginfo_t *)compat_ptr(data);
siginfo_t ssi;
siginfo_t *si = compat_alloc_user_space(sizeof(siginfo_t)); siginfo_t *si = compat_alloc_user_space(sizeof(siginfo_t));
if (request == PTRACE_SETSIGINFO) { if (request == PTRACE_SETSIGINFO) {
ret = copy_siginfo_from_user32(si, si32); memset(&ssi, 0, sizeof(siginfo_t));
ret = copy_siginfo_from_user32(&ssi, si32);
if (ret) if (ret)
return ret; return ret;
if (copy_to_user(si, &ssi, sizeof(siginfo_t)))
return -EFAULT;
} }
ret = sys_ptrace(request, pid, addr, (unsigned long)si); ret = sys_ptrace(request, pid, addr, (unsigned long)si);
if (ret) if (ret)
return ret; return ret;
if (request == PTRACE_GETSIGINFO) if (request == PTRACE_GETSIGINFO) {
ret = copy_siginfo_to_user32(si32, si); if (copy_from_user(&ssi, si, sizeof(siginfo_t)))
return -EFAULT;
ret = copy_siginfo_to_user32(si32, &ssi);
}
return ret; return ret;
} }