Re: [Security] [PATCH] xtensa: prevent arbitrary read in ptrace

From: Dan Rosenberg
Date: Fri Jul 08 2011 - 14:45:59 EST


Sorry for the top post and any email mangling (mobile).

I only used EIO to mirror the existing behavior in ptrace_getxregs(). EFAULT seems better.

-Dan

------Original Message------
From: Andrew Morton
To: Dan Rosenberg
Cc: chris@xxxxxxxxxx
Cc: security@xxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: Oleg Nesterov
Subject: Re: [Security] [PATCH] xtensa: prevent arbitrary read in ptrace
Sent: Jul 8, 2011 2:27 PM

On Thu, 07 Jul 2011 20:03:54 -0400
Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> wrote:

> Prevent an arbitrary kernel read. Check the user pointer with
> access_ok() before copying data in.
>
> Signed-off-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxx
> ---
> arch/xtensa/kernel/ptrace.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c
> index c72c947..ddce75e 100644
> --- a/arch/xtensa/kernel/ptrace.c
> +++ b/arch/xtensa/kernel/ptrace.c
> @@ -147,6 +147,9 @@ int ptrace_setxregs(struct task_struct *child, void __user *uregs)
> elf_xtregs_t *xtregs = uregs;
> int ret = 0;
>
> + if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)))
> + return -EIO;

This should be -EFAULT, methinks?

> +
> #if XTENSA_HAVE_COPROCESSORS
> /* Flush all coprocessors before we overwrite them. */
> coprocessor_flush_all(ti);N?§²æìr¸?yúè?Øb²X¬¶Ç§vØ^?)Þº{.nÇ+?·¥?{±?êçzX§¶?¡Ü¨}©?²Æ zÚ&j:+v?¨¾«?êçzZ+?Ê+zf£¢·h??§~?­?Ûiÿûàz¹®w¥¢¸??¨è­Ú&¢)ߢf?ù^jÇ«y§m?á@A«a¶Úÿ 0¶ìh®å?i