
Commit 2c87e2cd authored by Andi Kleen, committed by Linus Torvalds

[PATCH] x86_64: Fix access check in ptrace compat



We can't safely directly access a compat_alloc_user_space() pointer
with the siginfo copy functions. Bounce it through the stack.

Noticed by Al Viro using sparse

[ This was only added post 2.6.17, not in any released kernel ]

Cc: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 1cfcea1b
+10 −3
@@ -202,17 +202,24 @@ static long ptrace32_siginfo(unsigned request, u32 pid, u32 addr, u32 data)
{
	int ret;
	compat_siginfo_t *si32 = (compat_siginfo_t *)compat_ptr(data);
	siginfo_t ssi; 
	siginfo_t *si = compat_alloc_user_space(sizeof(siginfo_t));
	if (request == PTRACE_SETSIGINFO) {
		ret = copy_siginfo_from_user32(si, si32);
		memset(&ssi, 0, sizeof(siginfo_t));
		ret = copy_siginfo_from_user32(&ssi, si32);
		if (ret)
			return ret;
		if (copy_to_user(si, &ssi, sizeof(siginfo_t)))
			return -EFAULT;
	}
	ret = sys_ptrace(request, pid, addr, (unsigned long)si);
	if (ret)
		return ret;
	if (request == PTRACE_GETSIGINFO)
		ret = copy_siginfo_to_user32(si32, si);
	if (request == PTRACE_GETSIGINFO) {
		if (copy_from_user(&ssi, si, sizeof(siginfo_t)))
			return -EFAULT;
		ret = copy_siginfo_to_user32(si32, &ssi);
	}
	return ret;
}
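Review bot: the declarations of si32 and si at the top of the hunk still carry no __user annotation, although both hold user-space addresses (one from compat_ptr(data), the other from compat_alloc_user_space()), so sparse has nothing to check the later uses against. Declaring them as `compat_siginfo_t __user *si32` and `siginfo_t __user *si` would make any future direct dereference, or any pass of si to a helper expecting a kernel pointer, show up as an address-space warning, which is the class of mistake the commit message says sparse caught here. A short comment above `siginfo_t ssi;` saying it is the kernel-side bounce buffer between the two user copies would also help the next reader, and that added line has trailing whitespace after the semicolon.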