Commit ddc1d49e authored Dec 21, 2021 by John David Anglin Committed by Greg Kroah-Hartman Dec 29, 2021

parisc: Correct completer in lws start



commit 8f66fce0f46560b9e910787ff7ad0974441c4f9c upstream.

The completer in the "or,ev %r1,%r30,%r30" instruction is reversed, so we are
not clipping the LWS number when we are called from a 32-bit process (W=0).
We need to nulify the following depdi instruction when the least-significant
bit of %r30 is 1.

If the %r20 register is not clipped, a user process could perform a LWS call
that would branch to an undefined location in the kernel and potentially crash
the machine.

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Cc: stable@vger.kernel.org # 4.19+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 8467c8cb

arch/parisc/kernel/syscall.S

+1 −1

Original line number	Diff line number	Diff line
		@@ -478,7 +478,7 @@ lws_start:
		extrd,u %r1,PSW_W_BIT,1,%r1
		/* sp must be aligned on 4, so deposit the W bit setting into
		* the bottom of sp temporarily */
		or,ev %r1,%r30,%r30
		or,od %r1,%r30,%r30

		/* Clip LWS number to a 32-bit value for 32-bit processes */
		depdi 0, 31, 32, %r20