Re: [Security] [PATCH] xtensa: prevent arbitrary read in ptrace

[Dan Rosenberg]

Sorry for the top post and any email mangling (mobile).

I only used EIO to mirror the existing behavior in ptrace_getxregs(). EFAULT seems better.

-Dan

------Original Message------
From: Andrew Morton
To: Dan Rosenberg
Cc: chris@xxxxxxxxxx
Cc: security@xxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: Oleg Nesterov
Subject: Re: [Security] [PATCH] xtensa: prevent arbitrary read in ptrace
Sent: Jul 8, 2011 2:27 PM

On Thu, 07 Jul 2011 20:03:54 -0400
Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> wrote:

> Prevent an arbitrary kernel read. Check the user pointer with
> access_ok() before copying data in.
> 
> Signed-off-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxx
> ---
>  arch/xtensa/kernel/ptrace.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c
> index c72c947..ddce75e 100644
> --- a/arch/xtensa/kernel/ptrace.c
> +++ b/arch/xtensa/kernel/ptrace.c
> @@ -147,6 +147,9 @@ int ptrace_setxregs(struct task_struct *child, void __user *uregs)
>  	elf_xtregs_t *xtregs = uregs;
>  	int ret = 0;
>  
> +	if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)))
> +		return -EIO;

This should be -EFAULT, methinks?

> +
>  #if XTENSA_HAVE_COPROCESSORS
>  	/* Flush all coprocessors before we overwrite them. */
>  	coprocessor_flush_all(ti);N?§²æìr¸?yúè?Øb²X¬¶Ç§vØ^?)Þº{.nÇ+?·¥?{±?êçzX§¶?¡Ü¨}©?²Æ zÚ&j:+v?¨¾«?êçzZ+?Ê+zf£¢·h??§~?­?Ûiÿûàz¹®w¥¢¸??¨è­Ú&¢)ߢf?ù^jÇ«y§m?á@A«a¶Úÿ0¶ìh®å?i