linux-toradex.git/arch/tile/kernel/compat_signal.c, branch v4.2.7 Linux kernel for Apalis and Colibri modules signal: fix information leak in copy_siginfo_from_user32 2015-08-07T01:39:40+00:00 Amanieu d'Antras amanieu@gmail.com 2015-08-06T22:46:26+00:00 3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 This function can leak kernel stack data when the user siginfo_t has a positive si_code value. The top 16 bits of si_code descibe which fields in the siginfo_t union are active, but they are treated inconsistently between copy_siginfo_from_user32, copy_siginfo_to_user32 and copy_siginfo_to_user. copy_siginfo_from_user32 is called from rt_sigqueueinfo and rt_tgsigqueueinfo in which the user has full control overthe top 16 bits of si_code. This fixes the following information leaks: x86: 8 bytes leaked when sending a signal from a 32-bit process to itself. This leak grows to 16 bytes if the process uses x32. (si_code = __SI_CHLD) x86: 100 bytes leaked when sending a signal from a 32-bit process to a 64-bit process. (si_code = -1) sparc: 4 bytes leaked when sending a signal from a 32-bit process to a 64-bit process. (si_code = any) parsic and s390 have similar bugs, but they are not vulnerable because rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code to a different process. These bugs are also fixed for consistency. Signed-off-by: Amanieu d'Antras <amanieu@gmail.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: Russell King <rmk@arm.linux.org.uk> Cc: Ralf Baechle <ralf@linux-mips.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Chris Metcalf <cmetcalf@ezchip.com> Cc: Paul Mackerras <paulus@samba.org> Cc: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
This function can leak kernel stack data when the user siginfo_t has a
positive si_code value.  The top 16 bits of si_code descibe which fields
in the siginfo_t union are active, but they are treated inconsistently
between copy_siginfo_from_user32, copy_siginfo_to_user32 and
copy_siginfo_to_user.

copy_siginfo_from_user32 is called from rt_sigqueueinfo and
rt_tgsigqueueinfo in which the user has full control overthe top 16 bits
of si_code.

This fixes the following information leaks:
x86:   8 bytes leaked when sending a signal from a 32-bit process to
       itself. This leak grows to 16 bytes if the process uses x32.
       (si_code = __SI_CHLD)
x86:   100 bytes leaked when sending a signal from a 32-bit process to
       a 64-bit process. (si_code = -1)
sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
       64-bit process. (si_code = any)

parsic and s390 have similar bugs, but they are not vulnerable because
rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
to a different process.  These bugs are also fixed for consistency.

Signed-off-by: Amanieu d'Antras <amanieu@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile 2015-04-17T20:03:05+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-04-17T20:03:05+00:00 6b6e177d632ee251c7c78d8f266a851ab9704879 Pull arch/tile updates from Chris Metcalf: "These are mostly nohz_full changes, plus a smattering of minor fixes (notably a couple for ftrace)" * git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile: tile: nohz: warn if nohz_full uses hypervisor shared cores tile: ftrace: fix function_graph tracer issues tile: map data region shadow of kernel as R/W tile: support CONTEXT_TRACKING and thus NOHZ_FULL tile: support arch_irq_work_raise arch: tile: fix null pointer dereference on pt_regs pointer tile/elf: reorganize notify_exec() tile: use si_int instead of si_ptr for compat_siginfo 
Pull arch/tile updates from Chris Metcalf:
 "These are mostly nohz_full changes, plus a smattering of minor fixes
  (notably a couple for ftrace)"

* git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  tile: nohz: warn if nohz_full uses hypervisor shared cores
  tile: ftrace: fix function_graph tracer issues
  tile: map data region shadow of kernel as R/W
  tile: support CONTEXT_TRACKING and thus NOHZ_FULL
  tile: support arch_irq_work_raise
  arch: tile: fix null pointer dereference on pt_regs pointer
  tile/elf: reorganize notify_exec()
  tile: use si_int instead of si_ptr for compat_siginfo
tile: use si_int instead of si_ptr for compat_siginfo 2015-04-17T16:56:42+00:00 Chris Metcalf cmetcalf@ezchip.com 2015-03-16T19:04:05+00:00 89067c2daf3d9e0ce51c768589e79e845e6fda42 To be compatible with the generic get_compat_sigevent(), the copy_siginfo_to_user32() and thus copy_siginfo_from_user32() have to use si_int instead of si_ptr. Using si_ptr means that for the case of ILP32 compat code running in big-endian mode, we would end up copying the high 32 bits of the pointer value into si_int instead of the desired low 32 bits. Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com> Cc: Catalin Marinas <catalin.marinas@arm.com> 
To be compatible with the generic get_compat_sigevent(), the
copy_siginfo_to_user32() and thus copy_siginfo_from_user32()
have to use si_int instead of si_ptr.  Using si_ptr means that
for the case of ILP32 compat code running in big-endian mode,
we would end up copying the high 32 bits of the pointer value
into si_int instead of the desired low 32 bits.

Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
tile: Remove signal translation and exec_domain 2015-04-12T19:03:27+00:00 Richard Weinberger richard@nod.at 2014-07-13T15:40:49+00:00 89f191b31ceeb8e79c46815533b7d96c15e83720 As execution domain support is gone we can remove signal translation from the signal code and remove exec_domain from thread_info. Signed-off-by: Richard Weinberger <richard@nod.at> 
As execution domain support is gone we can remove
signal translation from the signal code and remove
exec_domain from thread_info.

Signed-off-by: Richard Weinberger <richard@nod.at>
tile: Use get_signal() signal_setup_done() 2014-08-06T11:03:20+00:00 Richard Weinberger richard@nod.at 2013-10-07T13:01:08+00:00 b3707c7ed013d36752272ca2f9ed20dc8aed92e4 Use the more generic functions get_signal() signal_setup_done() for signal delivery. Signed-off-by: Richard Weinberger <richard@nod.at> Acked-by: Chris Metcalf <cmetcalf@tilera.com> 
Use the more generic functions get_signal() signal_setup_done()
for signal delivery.

Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Chris Metcalf <cmetcalf@tilera.com>
constify copy_siginfo_to_user{,32}() 2013-11-09T05:16:29+00:00 Al Viro viro@zeniv.linux.org.uk 2013-10-13T21:23:53+00:00 ce3959604878c1c693979ec552069dc8bdb5ccde Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tile: implement gettimeofday() via vDSO 2013-08-13T20:26:21+00:00 Chris Metcalf cmetcalf@tilera.com 2013-08-07T19:33:32+00:00 4a556f4f56da3110b27e265b79f0e7582115445c This change creates the framework for vDSO calls, makes the existing rt_sigreturn() mechanism use it, and adds a fast gettimeofday(). Now that we need to expose the vDSO address to userspace, we add AT_SYSINFO_EHDR to the set of aux entries provided to userspace. (You can disable any extra vDSO support by booting with vdso=0, but the rt_sigreturn vDSO page will still be provided.) Note that glibc has supported the tile vDSO since release 2.17. Signed-off-by: Chris Metcalf <cmetcalf@tilera.com> 
This change creates the framework for vDSO calls, makes the existing
rt_sigreturn() mechanism use it, and adds a fast gettimeofday().
Now that we need to expose the vDSO address to userspace, we add
AT_SYSINFO_EHDR to the set of aux entries provided to userspace.
(You can disable any extra vDSO support by booting with vdso=0,
but the rt_sigreturn vDSO page will still be provided.)

Note that glibc has supported the tile vDSO since release 2.17.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
tile: switch to generic compat rt_sigaction() 2013-02-03T23:16:22+00:00 Al Viro viro@zeniv.linux.org.uk 2012-12-25T23:43:46+00:00 a402922bff5f28469ec6bbc5066bda3556299f52 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tile: switch to generic compat rt_sigqueueinfo() 2013-02-03T23:16:22+00:00 Al Viro viro@zeniv.linux.org.uk 2012-12-25T20:28:39+00:00 7b5d3c1d112d040b9eda239ec4ff247cf7102bd2 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
tile: switch to generic sigaltstack 2013-02-03T23:16:21+00:00 Al Viro viro@zeniv.linux.org.uk 2012-12-23T08:50:34+00:00 47669ab0361558a734e42f78196636d70201e44f Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>