Re: [patch 08/11] Modify Ptrace routines to access breakpoint registers

From: Ingo Molnar
Date: Tue Mar 10 2009 - 10:41:09 EST



* prasad@xxxxxxxxxxxxxxxxxx <prasad@xxxxxxxxxxxxxxxxxx> wrote:

> -static unsigned long debugreg_addr_limit(struct task_struct *task)
> -{
> -#ifdef CONFIG_IA32_EMULATION
> - if (test_tsk_thread_flag(task, TIF_IA32))
> - return IA32_PAGE_OFFSET - 3;
> -#endif
> - return TASK_SIZE_MAX - 7;
> -}
> -
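Review bot: removing debugreg_addr_limit() drops two things at once that the generic replacement needs to preserve: the length slack in the limit (IA32_PAGE_OFFSET - 3 and TASK_SIZE_MAX - 7, which keep a 4- or 8-byte breakpoint from crossing into kernel space) and the per-task bitness selection via test_tsk_thread_flag(task, TIF_IA32). Any replacement should take the target task and the breakpoint length into account, not just the start address of the traced task's address space.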

I don't see where this security check has been carried over into
the generic code. The new code has:

+int arch_check_va_in_userspace(unsigned long va, struct task_struct *tsk)
+{
+ return (va < TASK_SIZE);
+}
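Review bot: the tsk parameter of arch_check_va_in_userspace() is never used; TASK_SIZE is evaluated for current, so the limit reflects the bitness of the tracer rather than of the traced task, whereas the removed debugreg_addr_limit() tested TIF_IA32 on the target task. The check should derive the limit from tsk, and it should compare the end of the breakpoint (address plus length) against that limit, not only the start address.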

but I think that misses the detail that it's not just the start
address of an x86 breakpoint that has to be considered, but also
the end address of it.

For example a hardware breakpoint can be at 0xbfffffff with a
length of 4 bytes - thus overlapping into kernel-space by 3
bytes. It is important to not let that happen.

Ingo