Bugzilla – Attachment 37157 Details for
Bug 65236
VUL-0: kernel: ia64 ptrace local crash
[patch]
The patch against kernel suse8_2.4.21-277
ia64_ptrace_suse8_2.4.21-277.patch (text/plain), 5.50 KB, created by
yanmin zhang
on 2005-05-16 01:18:38 UTC
Description:
The patch against kernel suse8_2.4.21-277
Filename:
MIME Type:
Creator:
yanmin zhang
Created:
2005-05-16 01:18:38 UTC
Size:
5.50 KB
patch
obsolete
>diff -Nraup linux-2.4.21-277/arch/ia64/kernel/entry.S linux-2.4.21-277_fix/arch/ia64/kernel/entry.S
>--- linux-2.4.21-277/arch/ia64/kernel/entry.S 2005-04-26 23:26:31.000000000 -0700
>+++ linux-2.4.21-277_fix/arch/ia64/kernel/entry.S 2005-04-27 00:14:24.000000000 -0700
>@@ -46,8 +46,11 @@
> * setup a null register window frame.
> */
> ENTRY(ia64_execve)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(3)
>- alloc loc1=ar.pfs,3,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc loc1=ar.pfs,8,2,4,0
> mov loc0=rp
> .body
> mov out0=in0 // filename
>@@ -89,8 +92,11 @@ ENTRY(ia64_execve)
> END(ia64_execve)
> 
> GLOBAL_ENTRY(sys_clone2)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(2)
>- alloc r16=ar.pfs,3,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc r16=ar.pfs,8,2,4,0
> DO_SAVE_SWITCH_STACK
> mov loc0=rp
> mov loc1=r16 // save ar.pfs across do_fork
>@@ -108,8 +114,11 @@ GLOBAL_ENTRY(sys_clone2)
> END(sys_clone2)
> 
> GLOBAL_ENTRY(sys_clone)
>- .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(2)
>- alloc r16=ar.pfs,2,2,4,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ .prologue ASM_UNW_PRLG_RP|ASM_UNW_PRLG_PFS, ASM_UNW_PRLG_GRSAVE(8)
>+ alloc r16=ar.pfs,8,2,4,0
> DO_SAVE_SWITCH_STACK
> mov loc0=rp
> mov loc1=r16 // save ar.pfs across do_fork
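Review bot: The four-line comment above each new `alloc` says only that ptrace may clobber the inputs, not the invariant that makes 8 the right number, and the identical text is pasted into the sys_clone2 and sys_clone hunks on this line and into sys_rt_sigreturn in the next hunk, so a reader of any one entry cannot tell whether 8 is a contract or a guess. State it once, e.g. `// Every syscall entry that can stop under ptrace keeps all eight possible argument registers (in0-in7) inside its own frame, matching the alloc in demine_args; a smaller frame would let a tracer's register writes land outside it.` — the last clause is my reading of the companion ivt.S change and should be confirmed against the ptrace paths before it goes in. Also worth a line in the attachment description: if ASM_UNW_PRLG_GRSAVE takes the input count, sys_clone2 previously declared 2 inputs in `.prologue` while its alloc allocated 3, and after this change the unwind prologue and the alloc agree in all three entries.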
>@@ -938,7 +947,10 @@ END(sys_rt_sigsuspend)
> 
> ENTRY(sys_rt_sigreturn)
> PT_REGS_UNWIND_INFO(0)
>- alloc r2=ar.pfs,0,0,1,0
>+ /*
>+ * Allocate 8 input registers since ptrace() may clobber them
>+ */
>+ alloc r2=ar.pfs,8,0,1,0
> .prologue
> PT_REGS_SAVES(16)
> adds sp=-16,sp
>diff -Nraup linux-2.4.21-277/arch/ia64/kernel/ivt.S linux-2.4.21-277_fix/arch/ia64/kernel/ivt.S
>--- linux-2.4.21-277/arch/ia64/kernel/ivt.S 2005-04-26 23:26:31.000000000 -0700
>+++ linux-2.4.21-277_fix/arch/ia64/kernel/ivt.S 2005-04-27 00:14:24.000000000 -0700
>@@ -44,6 +44,7 @@
> #include <asm/ptrace.h>
> #include <asm/system.h>
> #include <asm/unistd.h>
>+#include <asm/errno.h>
> 
> #if 1
> # define PSR_DEFAULT_BITS psr.ac
>@@ -658,12 +659,12 @@ ENTRY(break_fault)
> movl r15=ia64_ret_from_syscall
> (p7) adds r16=(__NR_ni_syscall-1024)*8,r16 // force __NR_ni_syscall
> ;;
>- ld8 r16=[r16] // load address of syscall entry point
>+(p9) ld8 r16=[r16] // load address of syscall entry point
> mov rp=r15 // set the real return addr
> ;;
> ld8 r2=[r2] // r2 = current->ptrace
> mov r19=PT_TRACEAUDITMASK // r19 = PT_TRACESYS|PT_AUDITED
>- mov b6=r16
>+(p9) mov b6=r16
> 
> // arrange things so we skip over break instruction when returning:
> 
>@@ -687,41 +688,12 @@ ENTRY(break_fault)
> dep r18=r20,r18,41,2 // insert new ei into cr.isr
> ;;
> st8 [r16]=r18 // store new value for cr.isr
>-
>+(p10) br.cond.spnt.many ia64_ret_from_syscall
> (p8) br.call.sptk.many b6=b6 // ignore this return addr
> br.cond.sptk ia64_trace_syscall
> // NOT REACHED
> END(break_fault)
> 
>-ENTRY(demine_args)
>- alloc r2=ar.pfs,8,0,0,0
>- tnat.nz p8,p0=in0
>- tnat.nz p9,p0=in1
>- ;;
>-(p8) mov in0=-1
>- tnat.nz p10,p0=in2
>- tnat.nz p11,p0=in3
>-
>-(p9) mov in1=-1
>- tnat.nz p12,p0=in4
>- tnat.nz p13,p0=in5
>- ;;
>-(p10) mov in2=-1
>- tnat.nz p14,p0=in6
>- tnat.nz p15,p0=in7
>-
>-(p11) mov in3=-1
>- tnat.nz p8,p0=r15 // demining r15 is not a must, but it is safer
>-
>-(p12) mov in4=-1
>-(p13) mov in5=-1
>- ;;
>-(p14) mov in6=-1
>-(p15) mov in7=-1
>-(p8) mov r15=-1
>- br.ret.sptk.many rp
>-END(demine_args)
>-
> .align 1024
> /////////////////////////////////////////////////////////////////////////////////////////
> // 0x3000 Entry 12 (size 64 bundles) External Interrupt (4)
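Review bot: `(p9) ld8 r16=[r16]` and `(p9) mov b6=r16` now depend on p9 being the predicate demine_args produced, yet nothing in the hunk says where p9 comes from, and the call that sets it is outside the hunk; every instruction between that return and these two (the `(p7) adds`, and the ptrace-mask compare that presumably sets p8) must leave p9 and p10 untouched, which is worth checking once and recording. Put `// p9: frame and r15 validated by demine_args; p10: rejected, r8 already -EINVAL; b6 is left stale when p10` on the first predicated line so the next edit of this block does not reuse p9 or p10 as scratch. break_fault continues beyond this hunk in both directions.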
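Review bot: `(p10) br.cond.spnt.many ia64_ret_from_syscall` sits before `br.cond.sptk ia64_trace_syscall`, so a rejected syscall from a task with PT_TRACESYS set is never reported to the tracer: it sees neither the entry stop nor the -EINVAL exit, and a debugger or audit consumer will miss these calls. If that is intended, say so in a comment on the new line, e.g. `// rejected by demine_args: return -EINVAL without entering the syscall or the trace path`; if not, the rejection needs to take the tracing path with only the `(p8) br.call` suppressed, which is outside this hunk. The NaT-r15 case also changes outcome: the old demine_args forced r15=-1, which presumably ended in the ni_syscall path, whereas the new one sets p10 and returns -EINVAL, a userspace-visible change the attachment description should mention. The deletion of demine_args here is a move — it reappears at entry 13 in the next hunk.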
>@@ -755,6 +727,46 @@ END(interrupt)
> DBG_FAULT(13)
> FAULT(13)
> 
>+// Ensure that the syscall arguments plus r15 (syscall number) are valid.
>+// Exit with r2 containing the frame size when the syscall was issued.
>+// This function belongs to break_fault and can live anywhere (even outside
>+// the IVT); it's being placed here just to save a little space.
>+// On exit:
>+// - p10: TRUE if syscall is invoked with more than 8 out
>+// Registers or r15's Nat is true
>+// - p9: !(p10)
>+ENTRY(demine_args)
>+ alloc r2=ar.pfs,8,0,0,0
>+ tnat.nz p8,p0=in0
>+ tnat.nz p9,p0=in1
>+ ;;
>+ and r18=0x7f,r2 // get sof of issuer's cfm
>+ extr.u r17=r2,7,7 // get sol of issuer's cfm
>+ tnat.nz p10,p0=in2
>+(p8) mov in0=-1
>+ tnat.nz p11,p0=in3
>+ tnat.nz p12,p0=in4
>+ ;;
>+(p9) mov in1=-1
>+ tnat.nz p13,p0=in5
>+ add r17=8,r17 // sol + 8
>+(p10) mov in2=-1
>+ tnat.nz p14,p0=in6
>+ tnat.nz p15,p0=in7
>+ ;;
>+ cmp.lt p10,p9=r17,r18 // frame size can't be more than local+8
>+(p11) mov in3=-1
>+(p12) mov in4=-1
>+ ;;
>+(p13) mov in5=-1
>+(p9) tnat.nz p10,p9=r15 // demining r15 is not a must, but it is safer
>+(p14) mov in6=-1
>+ ;;
>+(p15) mov in7=-1
>+(p10) mov r8=-EINVAL
>+ br.ret.sptk.many rp
>+END(demine_args)
>+
> .align 1024
> /////////////////////////////////////////////////////////////////////////////////////////
> // 0x3800 Entry 14 (size 64 bundles) Reserved
>diff -Nraup linux-2.4.21-277/arch/ia64/kernel/process.c linux-2.4.21-277_fix/arch/ia64/kernel/process.c
>--- linux-2.4.21-277/arch/ia64/kernel/process.c 2005-04-26 23:26:31.000000000 -0700
>+++ linux-2.4.21-277_fix/arch/ia64/kernel/process.c 2005-04-27 00:14:24.000000000 -0700
>@@ -455,7 +455,7 @@ dump_fpu (struct pt_regs *pt, elf_fpregs
> return 1; /* f0-f31 are always valid so we always return 1 */
> }
> 
>-asmlinkage long
>+long
> sys_execve (char *filename, char **argv, char **envp, struct pt_regs *regs)
> {
> int error;
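Review bot: The header of the new demine_args documents p9 and p10 but not what else the routine writes: it clobbers p8 and p11-p15 and r17/r18, replaces NaT inputs in0-in7 with -1, and writes r8 only on the p10 path, so a caller that reads r8 on the p9 path gets whatever was there before; add `// Clobbers: p8, p11-p15, r17, r18; in0-in7 set to -1 when NaT; r8 = -EINVAL only when p10`. The line `// Exit with r2 containing the frame size when the syscall was issued` overstates it — r2 is the whole ar.pfs saved by the alloc, and only sof (bits 0-6) and sol (bits 7-13) of its pfm are extracted by the `and`/`extr.u` pair — so say `// On exit r2 = ar.pfs as saved by alloc; sof/sol of the issuer's CFM are bits 0-6 and 7-13 of pfm`. The `sol + 8 < sof` bound is the actual fix, since it refuses to hand a frame with more than eight outputs to the kernel's eight-input allocs, and deserves a sentence in the attachment description; that ar.pfs here really is the issuing frame's CFM depends on how break_fault sets up the frame before the br.call, which is outside this hunk. Minor: `Registers` in `more than 8 out Registers` should be lower-case.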
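Review bot: Dropping `asmlinkage` from the sys_execve definition is not explained anywhere in the patch, and on ia64 it is not cosmetic if, as in later asm-ia64/linkage.h, it expands to `__attribute__((syscall_linkage))`, which as I understand it makes the compiler preserve the function's input registers so a tracer can read them; removing it changes what a tracer observes of sys_execve's arguments. If it is required because ia64_execve now owns the eight-input frame and calls sys_execve as an ordinary C function, record that on the definition, e.g. `/* not asmlinkage: ia64_execve keeps the 8-input frame, sys_execve is a plain callee */`, and mirror it in the description. The body of sys_execve lies outside the hunk.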