* [2.6.22.y] {06/17} - handle-bogus-%cs-selector-in-single-step-instruction-decoding - series for stable kernel #2
@ 2008-02-02  1:33 Oliver Pinter (Pintér Olivér)
  2008-02-06 23:07 ` Oliver Pinter
  0 siblings, 1 reply; 2+ messages in thread
From: Oliver Pinter (Pintér Olivér) @ 2008-02-02  1:33 UTC (permalink / raw)
  To: Linux Kernel, stable, stable-commits
  Cc: chrisw, Greg KH, Willy Tarreau, Adrian Bunk, Roland McGrath,
	Jeff Mahoney, Linus Torvalds

[-- Attachment #1: Type: text/plain, Size: 72 bytes --]

mainline: 29eb51101c02df517ca64ec472d7501127ad1da8


-- 
Thanks,
Oliver

[-- Attachment #2: handle-bogus-%cs-selector-in-single-step-instruction-decoding --]
[-- Type: message/rfc822, Size: 2766 bytes --]



* Re: [2.6.22.y] {06/17} - handle-bogus-%cs-selector-in-single-step-instruction-decoding - series for stable kernel #2
  2008-02-02  1:33 [2.6.22.y] {06/17} - handle-bogus-%cs-selector-in-single-step-instruction-decoding - series for stable kernel #2 Oliver Pinter (Pintér Olivér)
@ 2008-02-06 23:07 ` Oliver Pinter
  0 siblings, 0 replies; 2+ messages in thread
From: Oliver Pinter @ 2008-02-06 23:07 UTC (permalink / raw)
  To: Linux Kernel, stable, stable-commits

From: Roland McGrath <roland@redhat.com>
Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
Subject: Handle bogus %cs selector in single-step instruction decoding
Patch-mainline: 2.6.23-rc1
References: 326270, CVE-2007-3731

Handle bogus %cs selector in single-step instruction decoding

The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---

 arch/i386/kernel/ptrace.c   |   22 +++++++++++++++-------
 arch/x86_64/kernel/ptrace.c |   23 ++++++++++++++++-------
 2 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/arch/i386/kernel/ptrace.c b/arch/i386/kernel/ptrace.c
index 1c075f5..0c8f00e 100644
--- a/arch/i386/kernel/ptrace.c
+++ b/arch/i386/kernel/ptrace.c
@@ -164,14 +164,22 @@ static unsigned long
convert_eip_to_linear(struct task_struct *child, struct pt_
 		u32 *desc;
 		unsigned long base;

-		down(&child->mm->context.sem);
-		desc = child->mm->context.ldt + (seg & ~7);
-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+		seg &= ~7UL;

-		/* 16-bit code segment? */
-		if (!((desc[1] >> 22) & 1))
-			addr &= 0xffff;
-		addr += base;
+		down(&child->mm->context.sem);
+		if (unlikely((seg >> 3) >= child->mm->context.size))
+			addr = -1L; /* bogus selector, access would fault */
+		else {
+			desc = child->mm->context.ldt + seg;
+			base = ((desc[0] >> 16) |
+				((desc[1] & 0xff) << 16) |
+				(desc[1] & 0xff000000));
+
+			/* 16-bit code segment? */
+			if (!((desc[1] >> 22) & 1))
+				addr &= 0xffff;
+			addr += base;
+		}
 		up(&child->mm->context.sem);
 	}
 	return addr;
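Review bot: The new bogus-selector branch returns `-1L` through `addr`, which the caller must recognise as "no linear address" rather than treat as a real address to read the instruction from; that contract is only implied by the inline comment, and convert_eip_to_linear's start (where `seg` is taken from the registers) and its callers lie outside the hunk, so it is worth stating on the function itself, e.g. `/* Returns the linear address of the instruction, or -1UL if %cs names a descriptor outside the task's LDT (read must then be treated as a fault). */`. The bound check `(seg >> 3) >= child->mm->context.size` is correctly done under `context.sem`, since the LDT can be resized by modify_ldt concurrently; a one-line comment such as `/* seg is now the descriptor byte offset; seg >> 3 is its index */` would make the shift obvious to a reader who missed the `seg &= ~7UL` above. The x86_64 hunk in arch/x86_64/kernel/ptrace.c repeats exactly the same change and the same points apply there; that hunk also adds an unrelated blank line before `return addr;`, which reads as whitespace noise in a fix of this kind.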
diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
index fa6775e..e83cc67 100644
--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(struct
task_struct *child, struct pt_regs *r
 		u32 *desc;
 		unsigned long base;

-		down(&child->mm->context.sem);
-		desc = child->mm->context.ldt + (seg & ~7);
-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+		seg &= ~7UL;

-		/* 16-bit code segment? */
-		if (!((desc[1] >> 22) & 1))
-			addr &= 0xffff;
-		addr += base;
+		down(&child->mm->context.sem);
+		if (unlikely((seg >> 3) >= child->mm->context.size))
+			addr = -1L; /* bogus selector, access would fault */
+		else {
+			desc = child->mm->context.ldt + seg;
+			base = ((desc[0] >> 16) |
+				((desc[1] & 0xff) << 16) |
+				(desc[1] & 0xff000000));
+
+			/* 16-bit code segment? */
+			if (!((desc[1] >> 22) & 1))
+				addr &= 0xffff;
+			addr += base;
+		}
 		up(&child->mm->context.sem);
 	}
+
 	return addr;
 }



On 2/2/08, Oliver Pinter (Pintér Olivér) <oliver.pntr@gmail.com> wrote:
> mainline: 29eb51101c02df517ca64ec472d7501127ad1da8
>
>
> --
> Thanks,
> Oliver
>


-- 
Thanks,
Oliver

