Bugzilla – Attachment 32963 Details for
Bug 65236
VUL-0: kernel: ia64 ptrace local crash
[patch]
2.4.21-286 version of patch (demine_args moved)
65236-2.patch (text/plain), 5.11 KB, created by
Jan Beulich
on 2005-03-31 08:03:29 UTC
Description:
2.4.21-286 version of patch (demine_args moved)
Filename:
MIME Type:
Creator:
Jan Beulich
Created:
2005-03-31 08:03:29 UTC
Size:
5.11 KB
patch
obsolete
>diff -apru /usr/src/linux-2.4.21-286/arch/ia64/kernel/entry.S build/linux/2.4.21-286/arch/ia64/kernel/entry.S
>--- /usr/src/linux-2.4.21-286/arch/ia64/kernel/entry.S 2005-03-29 14:33:28.000000000 +0200
>+++ build/linux/2.4.21-286/arch/ia64/kernel/entry.S 2005-03-31 08:25:19.000000000 +0200
>@@ -46,8 +46,11 @@
> * setup a null register window frame.
> */
> ENTRY(ia64_execve)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(3)
>- alloc loc1=ar.pfs,3,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc loc1=ar.pfs,8,2,4,0
> mov loc0=rp
> .body
> mov out0=in0 // filename
>@@ -89,8 +92,11 @@ ENTRY(ia64_execve)
> END(ia64_execve)
>
> GLOBAL_ENTRY(sys_clone2)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(2)
>- alloc r16=ar.pfs,3,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc r16=ar.pfs,8,2,4,0
> DO_SAVE_SWITCH_STACK
> mov loc0=rp
> mov loc1=r16 // save ar.pfs across do_fork
>@@ -108,8 +114,11 @@ GLOBAL_ENTRY(sys_clone2)
> END(sys_clone2)
>
> GLOBAL_ENTRY(sys_clone)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(2)
>- alloc r16=ar.pfs,2,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc r16=ar.pfs,8,2,4,0
> DO_SAVE_SWITCH_STACK
> mov loc0=rp
> mov loc1=r16 // save ar.pfs across do_fork
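Review bot: The new comment above each prologue says ptrace() may clobber the inputs but not why eight is the right count; the number is tied to demine_args sanitising exactly in0-in7 and to the new break_fault check that forces __NR_ni_syscall when the issuing frame has more than eight outputs, so the copies in ia64_execve, sys_clone2 and sys_clone here (and sys_rt_sigreturn on the next line) would read better as `/* Allocate 8 input registers (in0-in7: all demine_args sanitises and all break_fault lets through), since ptrace() may clobber any of them */`. Raising ASM_UNW_PRLG_GRSAVE to 8 alongside the alloc also brings sys_clone2's unwind info in line with its alloc, which previously declared 3 inputs but GRSAVE(2), assuming GRSAVE takes the input count as its pairing with alloc suggests; that is worth a sentence in the attachment description so it is not mistaken for a stray edit. The bodies of all three functions continue outside their hunks.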
>@@ -938,7 +947,10 @@ END(sys_rt_sigsuspend)
>
> ENTRY(sys_rt_sigreturn)
> PT_REGS_UNWIND_INFO(0)
>- alloc r2=ar.pfs,0,0,1,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ alloc r2=ar.pfs,8,0,1,0
> .prologue
> PT_REGS_SAVES(16)
> adds sp=-16,sp
>diff -apru /usr/src/linux-2.4.21-286/arch/ia64/kernel/ivt.S build/linux/2.4.21-286/arch/ia64/kernel/ivt.S
>--- /usr/src/linux-2.4.21-286/arch/ia64/kernel/ivt.S 2005-03-29 14:33:28.000000000 +0200
>+++ build/linux/2.4.21-286/arch/ia64/kernel/ivt.S 2005-03-31 09:49:04.755573495 +0200
>@@ -647,13 +647,20 @@ ENTRY(break_fault)
> SAVE_REST
> br.call.sptk.many rp=demine_args // clear NaT bits in (potential) syscall args
>
>+// demine_args exits with r2 containing the frame marker when the syscall was issued.
>+ and r18=0x7f,r2 // get sof of issuer's cfm
>+ extr.u r17=r2,7,7 // get sol of issuer's cfm
>+
> mov r3=255
> adds r15=-1024,r15 // r15 contains the syscall number---subtract 1024
> adds r2=IA64_TASK_PTRACE_OFFSET,r13 // r2 = ¤t->ptrace
> ;;
>+ add r17=8,r17 // sol + 8
> cmp.geu p6,p7=r3,r15 // (syscall > 0 && syscall <= 1024+255) ?
> movl r16=sys_call_table
> ;;
>+(p6) cmp.lt p7,p6=r17,r18 // frame size can't be more than local+8
>+ ;;
> (p6) shladd r16=r15,3,r16
> movl r15=ia64_ret_from_syscall
> (p7) adds r16=(__NR_ni_syscall-1024)*8,r16 // force __NR_ni_syscall
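Review bot: The decode of r2 in the break_fault hunk is right but its comment understates what demine_args leaves behind: the callee's `alloc r2=ar.pfs,8,0,0,0` (visible in the later hunks) returns the whole ar.pfs, of which only the pfm fields are consumed here, so `// demine_args returns ar.pfs in r2; pfm of the issuing frame: sof = bits 6:0, sol = bits 13:7` would make the `and`/`extr.u` pair self-explanatory. The added `(p6) cmp.lt p7,p6=r17,r18` silently turns a frame with more than eight outputs into __NR_ni_syscall, and because the range check above also ends in p7 that second meaning of p7 is easy to miss; say it on the line, `// more than 8 outputs: reject, forces __NR_ni_syscall below`. r17 and r18 are assumed dead at this point and nothing in the hunk establishes that, so it should be confirmed against the earlier part of break_fault, which starts and ends outside this hunk. The sys_rt_sigreturn alloc change in the first hunk on this line is the same edit as on the previous line and carries the same comment.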
>@@ -693,35 +700,6 @@ ENTRY(break_fault)
> // NOT REACHED
> END(break_fault)
>
>-ENTRY(demine_args)
>- alloc r2=ar.pfs,8,0,0,0
>- tnat.nz p8,p0=in0
>- tnat.nz p9,p0=in1
>- ;;
>-(p8) mov in0=-1
>- tnat.nz p10,p0=in2
>- tnat.nz p11,p0=in3
>-
>-(p9) mov in1=-1
>- tnat.nz p12,p0=in4
>- tnat.nz p13,p0=in5
>- ;;
>-(p10) mov in2=-1
>- tnat.nz p14,p0=in6
>- tnat.nz p15,p0=in7
>-
>-(p11) mov in3=-1
>- tnat.nz p8,p0=r15 // demining r15 is not a must, but it is safer
>-
>-(p12) mov in4=-1
>-(p13) mov in5=-1
>- ;;
>-(p14) mov in6=-1
>-(p15) mov in7=-1
>-(p8) mov r15=-1
>- br.ret.sptk.many rp
>-END(demine_args)
>-
> .align 1024
> /////////////////////////////////////////////////////////////////////////////////////////
> // 0x3000 Entry 12 (size 64 bundles) External Interrupt (4)
>@@ -755,6 +733,39 @@ END(interrupt)
> DBG_FAULT(13)
> FAULT(13)
>
>+// Ensure that the syscall arguments plus r15 (syscall number) are valid.
>+// Exit with r2 containing the frame size when the syscall was issued.
>+// This function belongs to break_fault and can live anywhere (even outside
>+// the IVT); it's being placed here just to save a little space.
>+ENTRY(demine_args)
>+ alloc r2=ar.pfs,8,0,0,0
>+ tnat.nz p8,p0=in0
>+ tnat.nz p9,p0=in1
>+ ;;
>+(p8) mov in0=-1
>+ tnat.nz p10,p0=in2
>+ tnat.nz p11,p0=in3
>+
>+(p9) mov in1=-1
>+ tnat.nz p12,p0=in4
>+ tnat.nz p13,p0=in5
>+ ;;
>+(p10) mov in2=-1
>+ tnat.nz p14,p0=in6
>+ tnat.nz p15,p0=in7
>+
>+(p11) mov in3=-1
>+ tnat.nz p8,p0=r15 // demining r15 is not a must, but it is safer
>+
>+(p12) mov in4=-1
>+(p13) mov in5=-1
>+ ;;
>+(p14) mov in6=-1
>+(p15) mov in7=-1
>+(p8) mov r15=-1
>+ br.ret.sptk.many rp
>+END(demine_args)
>+
> .align 1024
> /////////////////////////////////////////////////////////////////////////////////////////
> // 0x3800 Entry 14 (size 64 bundles) Reserved
>diff -apru /usr/src/linux-2.4.21-286/arch/ia64/kernel/process.c build/linux/2.4.21-286/arch/ia64/kernel/process.c
>--- /usr/src/linux-2.4.21-286/arch/ia64/kernel/process.c 2005-03-29 14:33:28.000000000 +0200
>+++ build/linux/2.4.21-286/arch/ia64/kernel/process.c 2005-03-31 08:25:19.000000000 +0200
>@@ -455,7 +455,7 @@ dump_fpu (struct pt_regs *pt, elf_fpregs
> return 1; /* f0-f31 are always valid so we always return 1 */
> }
>
>-asmlinkage long
>+long
> sys_execve (char *filename, char **argv, char **envp, struct pt_regs *regs)
> {
> int error;
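Review bot: The relocated header comment on demine_args lists neither its clobbers nor its exact return contract: the `tnat.nz` lines write p8-p15, and r2 holds the full ar.pfs captured by `alloc r2=ar.pfs,8,0,0,0`, not just a frame size, which is what break_fault's `and r18=0x7f,r2` / `extr.u r17=r2,7,7` decode in the earlier hunk. Suggest replacing the second comment line with `// Exit: r2 = ar.pfs on entry (issuer's CFM: sof in bits 6:0, sol in bits 13:7); clobbers p8-p15.` so the contract break_fault now depends on is written where it is implemented. The rest of the hunk is the body moved unchanged from the preceding deletion hunk.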
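Review bot: Dropping `asmlinkage` from sys_execve is the only C change in the attachment and its reason is stated nowhere; on ia64, as far as I recall, asmlinkage is not empty but expands to the syscall_linkage attribute that keeps every input register live at function exit, so this alters the function's register contract rather than just its spelling. If the intent is that sys_execve is now reached only through ia64_execve, which owns the 8-input syscall frame after the entry.S change, a one-line comment above the declaration such as `/* not asmlinkage: entered via ia64_execve, which holds the 8-input syscall frame */` would record that, or add the sentence to the attachment description. The function body continues outside the hunk.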