Bugzilla – Attachment 32130 Details for
Bug 65236
VUL-0: kernel: ia64 ptrace local crash
[patch]
Patch against 2.6.5-SLES9_SP1_BRANCH_20050311102304
ptrace-sles9-sp1 (text/plain), 7.87 KB, created by
Keith Owens
on 2005-03-17 04:46:54 UTC
Description:
Patch against 2.6.5-SLES9_SP1_BRANCH_20050311102304
Filename:
MIME Type:
Creator:
Keith Owens
Created:
2005-03-17 04:46:54 UTC
Size:
7.87 KB
patch
obsolete
>Index: linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/entry.S
>===================================================================
>--- linux-2.6.5-SLES9_SP1_BRANCH_20050311102304.orig/arch/ia64/kernel/entry.S 2005-03-17 12:40:12.000000000 +1100
>+++ linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/entry.S 2005-03-17 12:09:04.000000000 +1100
>@@ -51,8 +51,11 @@
> * setup a null register window frame.
> */
> ENTRY(ia64_execve)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(3)
>- alloc loc1=ar.pfs,3,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc loc1=ar.pfs,8,2,4,0
> mov loc0=rp
> .body
> mov out0=in0 // filename
>@@ -113,8 +116,11 @@ END(ia64_execve)
> * u64 tls)
> */
> GLOBAL_ENTRY(sys_clone2)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(6)
>- alloc r16=ar.pfs,6,2,6,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc r16=ar.pfs,8,2,6,0
> DO_SAVE_SWITCH_STACK
> adds r2=PT(R16)+IA64_SWITCH_STACK_SIZE+16,sp
> mov loc0=rp
>@@ -142,8 +148,11 @@ END(sys_clone2)
> * Deprecated. Use sys_clone2() instead.
> */
> GLOBAL_ENTRY(sys_clone)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(5)
>- alloc r16=ar.pfs,5,2,6,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc r16=ar.pfs,8,2,6,0
> DO_SAVE_SWITCH_STACK
> adds r2=PT(R16)+IA64_SWITCH_STACK_SIZE+16,sp
> mov loc0=rp
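Review bot: The comment pasted above each widened `alloc` says only that ptrace "may clobber" the inputs, which leaves the next reader to rediscover why 8 in particular is enough and what went wrong with fewer; the identical text is repeated in the sys_clone2 and sys_clone hunks here and in the sys_rt_sigreturn hunk that follows. I would state the invariant once, at ia64_execve, and point the other three at it: `/* ptrace can rewrite any of the 8 syscall argument slots (in0-in7) saved in pt_regs; allocating all 8 keeps every slot a tracer may touch inside this frame (the sof <= sol+8 check in ia64_syscall_setup enforces the same bound from the user side) */`. The `ASM_UNW_PRLG_GRSAVE(8)` operands move in step with the alloc input counts for the three functions that carry an unwind prologue, which reads correctly; sys_rt_sigreturn keeps PT_REGS_UNWIND_INFO(0) and its body is outside the hunk, so confirm nothing there names r32-r39 by number now that out0 sits at r40. That ptrace's register-write path is what reaches these slots is my reading of the bug title, not something the hunk itself shows.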
>@@ -1170,7 +1179,10 @@ END(sys_rt_sigsuspend)
> 
> ENTRY(sys_rt_sigreturn)
> PT_REGS_UNWIND_INFO(0)
>- alloc r2=ar.pfs,0,0,1,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ alloc r2=ar.pfs,8,0,1,0
> .prologue
> PT_REGS_SAVES(16)
> adds sp=-16,sp
>Index: linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/ivt.S
>===================================================================
>--- linux-2.6.5-SLES9_SP1_BRANCH_20050311102304.orig/arch/ia64/kernel/ivt.S 2005-03-17 12:40:12.000000000 +1100
>+++ linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/ivt.S 2005-03-17 13:50:00.000000000 +1100
>@@ -51,6 +51,7 @@
> #include <asm/system.h>
> #include <asm/thread_info.h>
> #include <asm/unistd.h>
>+#include <asm/errno.h>
> 
> #if 1
> # define PSR_DEFAULT_BITS psr.ac
>@@ -697,10 +698,12 @@ ENTRY(break_fault)
> ssm psr.ic | PSR_DEFAULT_BITS
> ;;
> srlz.i // guarantee that interruption collection is on
>+ mov r3=NR_syscalls - 1
> ;;
> (p15) ssm psr.i // restore psr.i
>+ // p10==true means out registers are more than 8 or r15's Nat is true
>+(p10) br.cond.spnt.many ia64_ret_from_syscall
> ;;
>- mov r3=NR_syscalls - 1
> movl r16=sys_call_table
> 
> adds r15=-1024,r15 // r15 contains the syscall number---subtract 1024
>@@ -799,8 +802,11 @@ END(interrupt)
> * On exit:
> * - executing on bank 1 registers
> * - psr.ic enabled, interrupts restored
>+ * - p10: TRUE if syscall is invoked with more than 8 out
>+ * registers or r15's Nat is true
> * - r1: kernel's gp
> * - r3: preserved (same as on entry)
>+ * - r8: -EINVAL if p10 is true
> * - r12: points to kernel stack
> * - r13: points to current task
> * - p15: TRUE if interrupts need to be re-enabled
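Review bot: The early `(p10) br.cond.spnt.many ia64_ret_from_syscall` in break_fault depends on p10 and r8 surviving from ia64_syscall_setup to this point, and the call to ia64_syscall_setup plus everything between it and `(p15) ssm psr.i` lies outside the hunk; confirm that nothing there writes p10 or r8 (the old `tnat.nz p9,p0=r15` that a later hunk removes is exactly the kind of instruction to look for). Because the bail-out precedes both the sys_call_table lookup and the TIF_SYSCALL_TRACE path, a tracer never observes the rejected call; if that is intended it belongs in the comment, e.g. `// p10==true means out registers are more than 8 or r15's Nat is true (set by ia64_syscall_setup); taken before the trace hook, so tracers do not see rejected calls`. Whether ia64_ret_from_syscall derives the r10=-1 error marker from r8's sign, so that userland sees a proper failure on this path, is also outside the hunk and worth checking. The header hunk below documents the p10/r8 contract, which is good; the break_fault comment should name ia64_syscall_setup as the producer so the two stay in sync.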
>@@ -826,11 +832,14 @@ GLOBAL_ENTRY(ia64_syscall_setup)
> st8 [r17]=r28,PT(AR_UNAT)-PT(CR_IIP) // save cr.iip
> mov r28=b0 // save b0 (2 cyc)
> (p8) mov in0=-1
>- ;;
> 
> st8 [r16]=r0,PT(AR_PFS)-PT(CR_IFS) // clear cr.ifs
>+ extr.u r11=r19,7,7 // get sol of ar.pfs
>+ and r8=0x7f,r19 // get sof of ar.pfs
>+ ;;
> st8 [r17]=r25,PT(AR_RSC)-PT(AR_UNAT) // save ar.unat
> (p9) mov in1=-1
>+ add r11=8,r11
> ;;
> 
> st8 [r16]=r26,PT(AR_RNAT)-PT(AR_PFS) // save ar.pfs
>@@ -850,16 +859,19 @@ GLOBAL_ENTRY(ia64_syscall_setup)
> tnat.nz p13,p0=in5
> ;;
> (pUStk) st8 [r16]=r24,PT(PR)-PT(AR_RNAT) // save ar.rnat
>-(pUStk) st8 [r17]=r23,PT(B0)-PT(AR_BSPSTORE) // save ar.bspstore
>+ cmp.lt p10,p9=r11,r8 // frame size can't be more than local+8
> shl r18=r18,16 // compute ar.rsc to be used for "loadrs"
>+(pUStk) st8 [r17]=r23,PT(B0)-PT(AR_BSPSTORE) // save ar.bspstore
> ;;
>+(p12) mov in4=-1
>+(p9) tnat.nz p10,p0=r15
> st8 [r16]=r31,PT(LOADRS)-PT(PR) // save predicates
> st8 [r17]=r28,PT(R1)-PT(B0) // save b0
>-(p12) mov in4=-1
>+(p13) mov in5=-1
> ;;
> st8 [r16]=r18,PT(R12)-PT(LOADRS) // save ar.rsc value for "loadrs"
> st8.spill [r17]=r20,PT(R13)-PT(R1) // save original r1
>-(p13) mov in5=-1
>+(p10) mov r8=-EINVAL
> ;;
> 
> .mem.offset 0,0; st8.spill [r16]=r12,PT(AR_FPSR)-PT(R12) // save r12
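Review bot: The comments on the new `extr.u r11=r19,7,7 // get sol of ar.pfs` and `and r8=0x7f,r19 // get sof of ar.pfs` call r19 ar.pfs, yet a few lines later the same hunk stores r26 as ar.pfs (`st8 [r16]=r26,... // save ar.pfs`); what r19 holds on entry is set outside the hunk, so either r19 is a second copy of ar.pfs or the comment names the wrong register, and either way the decoded value should be named explicitly, e.g. `// r19 = <frame marker of the user code that entered the kernel — TODO name the source>; sof = bits 0-6, sol = bits 7-13`. In the second hunk `cmp.lt p10,p9=r11,r8 // frame size can't be more than local+8` is really testing sof > sol+8, i.e. the caller passed more than 8 out registers; saying that directly, `// p10: sof > sol+8, i.e. more than 8 out registers`, matches the wording the header hunk uses for p10 and is what a reader auditing this check will look for. The `(p9) tnat.nz p10,p0=r15` ordering is correct (p10 is only re-derived when the frame check passed, so a true p10 is never cleared), but that is subtle enough to deserve a one-line comment. Also note in a comment that r8 now holds sof on the non-error path and only -EINVAL when p10 is set, since r8 is the syscall return register and later readers may assume it is untouched here.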
>@@ -876,15 +888,11 @@ GLOBAL_ENTRY(ia64_syscall_setup)
> 
> mov r13=r2 // establish `current'
> movl r1=__gp // establish kernel global pointer
>- ;;
> (p8) mov in7=-1
>- tnat.nz p9,p0=r15
>-
>- cmp.eq pSys,pNonSys=r0,r0 // set pSys=1, pNonSys=0
> movl r17=FPSR_DEFAULT
> ;;
> mov.m ar.fpsr=r17 // set ar.fpsr to kernel default value
>-(p9) mov r15=-1
>+ cmp.eq pSys,pNonSys=r0,r0 // set pSys=1, pNonSys=0
> br.ret.sptk.many b7
> END(ia64_syscall_setup)
> 
>Index: linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/gate.S
>===================================================================
>--- linux-2.6.5-SLES9_SP1_BRANCH_20050311102304.orig/arch/ia64/kernel/gate.S 2005-03-17 12:40:12.000000000 +1100
>+++ linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/gate.S 2005-03-17 12:15:14.000000000 +1100
>@@ -81,6 +81,7 @@ GLOBAL_ENTRY(__kernel_syscall_via_epc)
> LOAD_FSYSCALL_TABLE(r14)
> 
> mov r16=IA64_KR(CURRENT) // 12 cycle read latency
>+ tnat.nz p10,p9=r15
> mov r19=NR_syscalls-1
> ;;
> shladd r18=r17,3,r14
>@@ -119,7 +120,8 @@ GLOBAL_ENTRY(__kernel_syscall_via_epc)
> #endif
> 
> mov r10=-1
>- mov r8=ENOSYS
>+(p10) mov r8=EINVAL
>+(p9) mov r8=ENOSYS
> FSYS_RETURN
> END(__kernel_syscall_via_epc)
> 
>Index: linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/fsys.S
>===================================================================
>--- linux-2.6.5-SLES9_SP1_BRANCH_20050311102304.orig/arch/ia64/kernel/fsys.S 2005-03-17 12:40:12.000000000 +1100
>+++ linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/fsys.S 2005-03-17 12:12:23.000000000 +1100
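Review bot: In __kernel_syscall_via_epc the new `tnat.nz p10,p9=r15` at line 84 is consumed by `(p10) mov r8=EINVAL` / `(p9) mov r8=ENOSYS` roughly thirty lines later, and everything in between, including the `#ifdef` block that closes just before the second hunk, is outside the diff; confirm nothing there writes p9 or p10, since a stray write would turn a NaT syscall number into ENOSYS or, if p10 were set spuriously, reject a valid number. A comment at the producer naming its consumer would make the distance visible: `// p10/p9 are consumed at the error exit below: EINVAL if r15 is NaT, else ENOSYS`. The hunk shows only the error exit, so whether a NaT r15 can still feed the `shladd r18=r17,3,r14` table index before reaching it depends on how r17 is derived from r15, which is not in view. The ia64_syscall_setup hunk above drops the old `(p9) mov r15=-1` normalisation, so on the slow path a NaT syscall number now stays NaT until ia64_ret_from_syscall; that looks intentional given the p10 bail-out, but deserves a sentence in the p10 comment.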
>@@ -614,8 +614,9 @@ GLOBAL_ENTRY(fsys_bubble_down)
> ;;
> mov rp=r2 // set the real return addr
> tbit.z p8,p0=r3,TIF_SYSCALL_TRACE
>-
>-(p8) br.call.sptk.many b6=b6 // ignore this return addr
>+ ;;
>+(p10) br.cond.spnt.many ia64_ret_from_syscall // p10==true means out registers are more than 8
>+(p8) br.call.sptk.many b6=b6 // ignore this return addr
> br.cond.sptk ia64_trace_syscall
> END(fsys_bubble_down)
> 
>Index: linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/process.c
>===================================================================
>--- linux-2.6.5-SLES9_SP1_BRANCH_20050311102304.orig/arch/ia64/kernel/process.c 2005-03-17 12:40:12.000000000 +1100
>+++ linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/arch/ia64/kernel/process.c 2005-03-17 12:21:59.000000000 +1100
>@@ -561,7 +561,7 @@ dump_fpu (struct pt_regs *pt, elf_fpregs
> return 1; /* f0-f31 are always valid so we always return 1 */
> }
> 
>-asmlinkage long
>+long
> sys_execve (char *filename, char **argv, char **envp, struct pt_regs *regs)
> {
> int error;
>Index: linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/include/asm-ia64/unistd.h
>===================================================================
>--- linux-2.6.5-SLES9_SP1_BRANCH_20050311102304.orig/include/asm-ia64/unistd.h 2005-03-17 12:40:12.000000000 +1100
>+++ linux-2.6.5-SLES9_SP1_BRANCH_20050311102304/include/asm-ia64/unistd.h 2005-03-17 12:23:30.000000000 +1100
>@@ -352,7 +352,7 @@ asmlinkage unsigned long sys_mmap2(
> int fd, long pgoff);
> struct pt_regs;
> struct sigaction;
>-asmlinkage long sys_execve(char *filename, char **argv, char **envp,
>+long sys_execve(char *filename, char **argv, char **envp,
> struct pt_regs *regs);
> asmlinkage long sys_pipe(long arg0, long arg1, long arg2, long arg3,
> long arg4, long arg5, long arg6, long arg7, long stack);
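Review bot: The comment on the new `(p10) br.cond.spnt.many ia64_ret_from_syscall` in fsys_bubble_down says p10 means "out registers are more than 8", but the ia64_syscall_setup header in this same patch defines p10 as more than 8 out registers or r15 being NaT; the two should agree, `// p10==true means out registers are more than 8 or r15's Nat is true (set by ia64_syscall_setup)`. As in break_fault, the rejection is taken ahead of `(p8) br.call` and ia64_trace_syscall, so a traced process's rejected call is invisible to its tracer; worth stating if intended. Where p10 is produced on this path and whether anything between that producer and this branch touches it is outside the hunk.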
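Review bot: Dropping `asmlinkage` from sys_execve in process.c and from the unistd.h prototype is more than cosmetic on ia64: as far as I recall ia64's linkage.h expands asmlinkage to `__attribute__((syscall_linkage))`, whose documented purpose is to keep all input registers live at every function exit so that a syscall can be restarted and kernel register contents do not leak to user space, and the patch does not say why sys_execve can now do without it. If the reason is that sys_execve is only reached through ia64_execve, which now owns the 8-input frame, record that at the definition: `/* not asmlinkage: reached only via ia64_execve (entry.S), which allocates and saves the syscall frame */`. If the attribute was instead removed to silence a prototype mismatch, the register-liveness guarantee it provided should be re-checked rather than dropped silently.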