[kernel] r21658 - in dists/sid/linux/debian: . patches patches/bugfix/mips

Aurelien Jarno aurel32 at moszumanska.debian.org
Wed Jul 30 20:28:24 UTC 2014


Author: aurel32
Date: Wed Jul 30 20:28:23 2014
New Revision: 21658

Log:
[mips*] Prevent user from setting FCSR cause bits and cause possible
kernel oops.

Added:
   dists/sid/linux/debian/patches/bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Wed Jul 30 20:25:09 2014	(r21657)
+++ dists/sid/linux/debian/changelog	Wed Jul 30 20:28:23 2014	(r21658)
@@ -11,6 +11,8 @@
   * [mips,mipsel/4kc-malta] Fix bug which can cause incorrect system call
     restarts (fix hang on boot).
   * [mips*] Fix hugepage support on machines with R4K like TLB.
+  * [mips*] Prevent user from setting FCSR cause bits and cause possible
+    kernel oops.
 
   [ Ben Hutchings ]
   * [amd64] Reject x32 executables if x32 ABI not supported
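Review bot: The added changelog entry "Prevent user from setting FCSR cause bits and cause possible kernel oops" parses as if the change itself causes the oops. Suggest rewording it along the lines of "Prevent user from setting FCSR cause bits via ptrace, which could cause a kernel oops", so that a reader of the changelog can tell this fixes a user-triggerable oops, as the patch description states.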

Added: dists/sid/linux/debian/patches/bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch	Wed Jul 30 20:28:23 2014	(r21658)
@@ -0,0 +1,55 @@
+From: Paul Burton <paul.burton at imgtec.com>
+Date: Tue, 22 Jul 2014 14:21:21 +0100
+Subject: MIPS: prevent user from setting FCSR cause bits
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jhogan/mips.git/commit?id=07d8a26cb44dbbbea721da0fd0b7f79ffffe7ab7
+
+If one or more matching FCSR cause & enable bits are set in saved thread
+context then when that context is restored the kernel will take an FP
+exception. This is of course undesirable and considered an oops, leading
+to the kernel writing a backtrace to the console and potentially
+rebooting depending upon the configuration. Thus the kernel avoids this
+situation by clearing the cause bits of the FCSR register when handling
+FP exceptions and after emulating FP instructions.
+
+However the kernel does not prevent userland from setting arbitrary FCSR
+cause & enable bits via ptrace, using either the PTRACE_POKEUSR or
+PTRACE_SETFPREGS requests. This means userland can trivially cause the
+kernel to oops on any system with an FPU. Prevent this from happening
+by clearing the cause bits when writing to the saved FCSR context via
+ptrace.
+
+This problem appears to exist at least back to the beginning of the git
+era in the PTRACE_POKEUSR case.
+
+Signed-off-by: Paul Burton <paul.burton at imgtec.com>
+Cc: stable at vger.kernel.org
+Patchwork: http://patchwork.linux-mips.org/patch/7438/
+Signed-off-by: James Hogan <james.hogan at imgtec.com>
+---
+ arch/mips/kernel/ptrace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index f639ccd..3a7f7dd 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -170,6 +170,7 @@ int ptrace_setfpregs(struct task_struct
+ 		__get_user(fregs[i], i + (__u64 __user *) data);
+ 
+ 	__get_user(child->thread.fpu.fcr31, data + 64);
++	child->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+ 
+ 	/* FIR may not be written.  */
+ 
+@@ -593,7 +594,7 @@ long arch_ptrace(struct task_struct *chi
+ 			break;
+ #endif
+ 		case FPC_CSR:
+-			child->thread.fpu.fcr31 = data;
++			child->thread.fpu.fcr31 = data & ~FPU_CSR_ALL_X;
+ 			break;
+ 		case DSP_BASE ... DSP_BASE + 5: {
+ 			dspreg_t *dregs;
+-- 
+1.7.10.4
+
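Review bot: In the ptrace_setfpregs hunk, __get_user writes the user-supplied value straight into child->thread.fpu.fcr31 and the mask is only applied on the following line, and the __get_user return value is not checked in the lines shown. Reading into a local, checking the result, and storing the value with `& ~FPU_CSR_ALL_X` in a single assignment would mirror the FPC_CSR case in arch_ptrace, where the mask is applied in the same statement as the store. A short comment at both sites would also help, because the reason the cause bits are dropped (a restored context with matching cause and enable bits takes an FP exception in the kernel) is recorded only in the commit message, and a request that sets cause bits is silently altered rather than rejected.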

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Wed Jul 30 20:25:09 2014	(r21657)
+++ dists/sid/linux/debian/patches/series	Wed Jul 30 20:28:23 2014	(r21658)
@@ -68,6 +68,7 @@
 bugfix/mips/MIPS-OCTEON-make-get_system_type-thread-safe.patch
 bugfix/mips/MIPS-O32-32-bit-Fix-bug-which-can-cause-incorrect-sy.patch
 bugfix/mips/MIPS-tlbex-fix-a-missing-statement-for-HUGETLB.patch
+bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
 bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
 
 # Miscellaneous bug fixes


