[PATCH 2/5] riscv: ptrace: Fix register corruption in compat_riscv_gpr_set on error

Next message: Michael Neuling: "[PATCH 4/5] riscv: mm: Fix NULL dereferences in napot hugetlb functions"
Previous message: Michael Neuling: "[PATCH 1/5] riscv: errata: Fix bitwise vs logical AND in MIPS errata patching"
In reply to: Michael Neuling: "[PATCH 1/5] riscv: errata: Fix bitwise vs logical AND in MIPS errata patching"
Next in thread: Michael Neuling: "[PATCH 4/5] riscv: mm: Fix NULL dereferences in napot hugetlb functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Neuling

Date: Thu Apr 09 2026 - 05:19:37 EST

compat_riscv_gpr_set() calls cregs_to_regs() unconditionally, even when
user_regset_copyin() fails. Since cregs is an uninitialized stack
variable, a copyin failure causes uninitialized stack data to be written
into the target task's pt_regs, corrupting its register state and
potentially leaking kernel stack contents.

Only call cregs_to_regs() when user_regset_copyin() succeeds.

Fixes: 4608c15959 ("riscv: compat: ptrace: Add compat_arch_ptrace implement")
Signed-off-by: Michael Neuling <mikey@xxxxxxxxxxx>
Assisted-by: Cursor:claude-4.6-opus-high-thinking
---
arch/riscv/kernel/ptrace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/kernel/ptrace.c b/arch/riscv/kernel/ptrace.c
index 93de2e7a30..793bcee461 100644
--- a/arch/riscv/kernel/ptrace.c
+++ b/arch/riscv/kernel/ptrace.c
@@ -577,8 +577,8 @@ static int compat_riscv_gpr_set(struct task_struct *target,
struct compat_user_regs_struct cregs;

ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &cregs, 0, -1);
-
- cregs_to_regs(&cregs, task_pt_regs(target));
+ if (!ret)
+ cregs_to_regs(&cregs, task_pt_regs(target));

return ret;
}
--
2.43.0