Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6673e0c3 authored by Heiko Carstens's avatar Heiko Carstens
Browse files

[CVE-2009-0029] System call wrapper special cases 



System calls with an unsigned long long argument can't be converted with
the standard wrappers since that would include a cast to long, which in
turn means that we would lose the upper 32 bit on 32 bit architectures.
Also semctl can't use the standard wrapper since it has a 'union'
parameter.

So we handle them as special case and add some extra wrappers instead.

Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
parent ed6bb619

fs/dcookies.c

+8 −2
Original line number Diff line number Diff line
@@ -145,7 +145,7 @@ int get_dcookie(struct path *path, unsigned long *cookie) 
/* And here is where the userspace process can look up the cookie value

 * to retrieve the path.

 */

asmlinkage long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)

SYSCALL_DEFINE(lookup_dcookie)(u64 cookie64, char __user * buf, size_t len)

{

	unsigned long cookie = (unsigned long)cookie64;

	int err = -EINVAL;
@@ -198,7 +198,13 @@ asmlinkage long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len) 
	mutex_unlock(&dcookie_mutex);

	return err;

}



#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_lookup_dcookie(u64 cookie64, long buf, long len)

{

	return SYSC_lookup_dcookie(cookie64, (char __user *) buf, (size_t) len);

}

SYSCALL_ALIAS(sys_lookup_dcookie, SyS_lookup_dcookie);

#endif



static int dcookie_init(void)

{

fs/open.c

+24 −3
Original line number Diff line number Diff line
@@ -351,21 +351,35 @@ asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length) 


/* LFS versions of truncate are only needed on 32 bit machines */

#if BITS_PER_LONG == 32

asmlinkage long sys_truncate64(const char __user * path, loff_t length)

SYSCALL_DEFINE(truncate64)(const char __user * path, loff_t length)

{

	return do_sys_truncate(path, length);

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_truncate64(long path, loff_t length)

{

	return SYSC_truncate64((const char __user *) path, length);

}

SYSCALL_ALIAS(sys_truncate64, SyS_truncate64);

#endif



asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)

SYSCALL_DEFINE(ftruncate64)(unsigned int fd, loff_t length)

{

	long ret = do_sys_ftruncate(fd, length, 0);

	/* avoid REGPARM breakage on x86: */

	asmlinkage_protect(2, ret, fd, length);

	return ret;

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_ftruncate64(long fd, loff_t length)

{

	return SYSC_ftruncate64((unsigned int) fd, length);

}

SYSCALL_ALIAS(sys_ftruncate64, SyS_ftruncate64);

#endif

#endif /* BITS_PER_LONG == 32 */



asmlinkage long sys_fallocate(int fd, int mode, loff_t offset, loff_t len)

SYSCALL_DEFINE(fallocate)(int fd, int mode, loff_t offset, loff_t len)

{

	struct file *file;

	struct inode *inode;
@@ -422,6 +436,13 @@ asmlinkage long sys_fallocate(int fd, int mode, loff_t offset, loff_t len) 
out:

	return ret;

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_fallocate(long fd, long mode, loff_t offset, loff_t len)

{

	return SYSC_fallocate((int)fd, (int)mode, offset, len);

}

SYSCALL_ALIAS(sys_fallocate, SyS_fallocate);

#endif



/*

 * access() needs to use the real uid/gid, not the effective uid/gid.

fs/read_write.c

+20 −4
Original line number Diff line number Diff line
@@ -403,7 +403,7 @@ asmlinkage long sys_write(unsigned int fd, const char __user * buf, size_t count 
	return ret;

}



asmlinkage long sys_pread64(unsigned int fd, char __user *buf,

SYSCALL_DEFINE(pread64)(unsigned int fd, char __user *buf,

			size_t count, loff_t pos)

{

	struct file *file;
@@ -423,8 +423,16 @@ asmlinkage long sys_pread64(unsigned int fd, char __user *buf, 


	return ret;

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_pread64(long fd, long buf, long count, loff_t pos)

{

	return SYSC_pread64((unsigned int) fd, (char __user *) buf,

			    (size_t) count, pos);

}

SYSCALL_ALIAS(sys_pread64, SyS_pread64);

#endif



asmlinkage long sys_pwrite64(unsigned int fd, const char __user *buf,

SYSCALL_DEFINE(pwrite64)(unsigned int fd, const char __user *buf,

			 size_t count, loff_t pos)

{

	struct file *file;
@@ -444,6 +452,14 @@ asmlinkage long sys_pwrite64(unsigned int fd, const char __user *buf, 


	return ret;

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_pwrite64(long fd, long buf, long count, loff_t pos)

{

	return SYSC_pwrite64((unsigned int) fd, (const char __user *) buf,

			     (size_t) count, pos);

}

SYSCALL_ALIAS(sys_pwrite64, SyS_pwrite64);

#endif



/*

 * Reduce an iovec's length in-place.  Return the resulting number of segments

fs/sync.c

+22 −4
Original line number Diff line number Diff line
@@ -201,7 +201,7 @@ asmlinkage long sys_fdatasync(unsigned int fd) 
 * already-instantiated disk blocks, there are no guarantees here that the data

 * will be available after a crash.

 */

asmlinkage long sys_sync_file_range(int fd, loff_t offset, loff_t nbytes,

SYSCALL_DEFINE(sync_file_range)(int fd, loff_t offset, loff_t nbytes,

				unsigned int flags)

{

	int ret;
@@ -262,14 +262,32 @@ asmlinkage long sys_sync_file_range(int fd, loff_t offset, loff_t nbytes, 
out:

	return ret;

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_sync_file_range(long fd, loff_t offset, loff_t nbytes,

				    long flags)

{

	return SYSC_sync_file_range((int) fd, offset, nbytes,

				    (unsigned int) flags);

}

SYSCALL_ALIAS(sys_sync_file_range, SyS_sync_file_range);

#endif



/* It would be nice if people remember that not all the world's an i386

   when they introduce new system calls */

asmlinkage long sys_sync_file_range2(int fd, unsigned int flags,

SYSCALL_DEFINE(sync_file_range2)(int fd, unsigned int flags,

				 loff_t offset, loff_t nbytes)

{

	return sys_sync_file_range(fd, offset, nbytes, flags);

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_sync_file_range2(long fd, long flags,

				     loff_t offset, loff_t nbytes)

{

	return SYSC_sync_file_range2((int) fd, (unsigned int) flags,

				     offset, nbytes);

}

SYSCALL_ALIAS(sys_sync_file_range2, SyS_sync_file_range2);

#endif



/*

 * `endbyte' is inclusive

ipc/sem.c

+8 −1
Original line number Diff line number Diff line
@@ -887,7 +887,7 @@ static int semctl_down(struct ipc_namespace *ns, int semid, 
	return err;

}



asmlinkage long sys_semctl (int semid, int semnum, int cmd, union semun arg)

SYSCALL_DEFINE(semctl)(int semid, int semnum, int cmd, union semun arg)

{

	int err = -EINVAL;

	int version;
@@ -923,6 +923,13 @@ asmlinkage long sys_semctl (int semid, int semnum, int cmd, union semun arg) 
		return -EINVAL;

	}

}

#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS

asmlinkage long SyS_semctl(int semid, int semnum, int cmd, union semun arg)

{

	return SYSC_semctl((int) semid, (int) semnum, (int) cmd, arg);

}

SYSCALL_ALIAS(sys_semctl, SyS_semctl);

#endif



/* If the task doesn't already have a undo_list, then allocate one

 * here.  We guarantee there is only one thread using this undo list,