Commit 7c85d1f9 authored by Paul Mackerras's avatar Paul Mackerras

powerpc: Fix machine check problem on 32-bit kernels

This fixes a bug found by Dave Jones that means that it is possible
for userspace to provoke a machine check on 32-bit kernels.  This
also fixes a couple of other places where I found similar problems
by inspection.
Signed-off-by: default avatarPaul Mackerras <paulus@samba.org>
parent 1def630a
...@@ -803,10 +803,13 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int ...@@ -803,10 +803,13 @@ static int do_setcontext(struct ucontext __user *ucp, struct pt_regs *regs, int
if (__get_user(cmcp, &ucp->uc_regs)) if (__get_user(cmcp, &ucp->uc_regs))
return -EFAULT; return -EFAULT;
mcp = (struct mcontext __user *)(u64)cmcp; mcp = (struct mcontext __user *)(u64)cmcp;
/* no need to check access_ok(mcp), since mcp < 4GB */
} }
#else #else
if (__get_user(mcp, &ucp->uc_regs)) if (__get_user(mcp, &ucp->uc_regs))
return -EFAULT; return -EFAULT;
if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
return -EFAULT;
#endif #endif
restore_sigmask(&set); restore_sigmask(&set);
if (restore_user_regs(regs, mcp, sig)) if (restore_user_regs(regs, mcp, sig))
...@@ -908,13 +911,14 @@ int sys_debug_setcontext(struct ucontext __user *ctx, ...@@ -908,13 +911,14 @@ int sys_debug_setcontext(struct ucontext __user *ctx,
{ {
struct sig_dbg_op op; struct sig_dbg_op op;
int i; int i;
unsigned char tmp;
unsigned long new_msr = regs->msr; unsigned long new_msr = regs->msr;
#if defined(CONFIG_4xx) || defined(CONFIG_BOOKE) #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
unsigned long new_dbcr0 = current->thread.dbcr0; unsigned long new_dbcr0 = current->thread.dbcr0;
#endif #endif
for (i=0; i<ndbg; i++) { for (i=0; i<ndbg; i++) {
if (__copy_from_user(&op, dbg, sizeof(op))) if (copy_from_user(&op, dbg + i, sizeof(op)))
return -EFAULT; return -EFAULT;
switch (op.dbg_type) { switch (op.dbg_type) {
case SIG_DBG_SINGLE_STEPPING: case SIG_DBG_SINGLE_STEPPING:
...@@ -959,6 +963,11 @@ int sys_debug_setcontext(struct ucontext __user *ctx, ...@@ -959,6 +963,11 @@ int sys_debug_setcontext(struct ucontext __user *ctx,
current->thread.dbcr0 = new_dbcr0; current->thread.dbcr0 = new_dbcr0;
#endif #endif
if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx))
|| __get_user(tmp, (u8 __user *) ctx)
|| __get_user(tmp, (u8 __user *) (ctx + 1) - 1))
return -EFAULT;
/* /*
* If we get a fault copying the context into the kernel's * If we get a fault copying the context into the kernel's
* image of the user's registers, we can't just return -EFAULT * image of the user's registers, we can't just return -EFAULT
......
...@@ -182,6 +182,8 @@ static long restore_sigcontext(struct pt_regs *regs, sigset_t *set, int sig, ...@@ -182,6 +182,8 @@ static long restore_sigcontext(struct pt_regs *regs, sigset_t *set, int sig,
err |= __get_user(msr, &sc->gp_regs[PT_MSR]); err |= __get_user(msr, &sc->gp_regs[PT_MSR]);
if (err) if (err)
return err; return err;
if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
return -EFAULT;
/* Copy 33 vec registers (vr0..31 and vscr) from the stack */ /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
if (v_regs != 0 && (msr & MSR_VEC) != 0) if (v_regs != 0 && (msr & MSR_VEC) != 0)
err |= __copy_from_user(current->thread.vr, v_regs, err |= __copy_from_user(current->thread.vr, v_regs,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment