Buildresult: powerpc-fixes/m68k-defconfig/m68k-gcc11 built on Jun 10 2022, 00:52
kisskb
Revisions
|
Branches
|
Compilers
|
Configs
|
Build Results
|
Build Failures
|
Status:
OK
Date/Time:
Jun 10 2022, 00:52
Duration:
0:03:08.852868
Builder:
blade46
Revision:
powerpc/32: Fix overread/overwrite of thread_struct via ptrace (
8e1278444446fc97778a5e5c99bca1ce0bbc5ec9)
Target:
powerpc-fixes/m68k-defconfig/m68k-gcc11
Branch:
powerpc-fixes
Compiler:
m68k-gcc11
(m68k-linux-gcc (GCC) 11.1.0 / GNU ld (GNU Binutils) 2.36.1)
Config:
defconfig
(
download
)
Log:
Download original
Possible warnings (1)
arch/m68k/configs/multi_defconfig:61:warning: symbol value 'm' invalid for ZPOOL
Full Log
# git rev-parse -q --verify 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9^{commit} # git fetch -q -n -f git://gitlab.ozlabs.ibm.com/linuxppc/linux.git fixes-test # git rev-parse -q --verify 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9^{commit} 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # git checkout -q -f -B kisskb 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # git clean -qxdf # < git log -1 # commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # Author: Michael Ellerman <mpe@ellerman.id.au> # Date: Tue Jun 7 00:34:56 2022 +1000 # # powerpc/32: Fix overread/overwrite of thread_struct via ptrace # # The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process # to read/write registers of another process. # # To get/set a register, the API takes an index into an imaginary address # space called the "USER area", where the registers of the process are # laid out in some fashion. # # The kernel then maps that index to a particular register in its own data # structures and gets/sets the value. # # The API only allows a single machine-word to be read/written at a time. # So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels. # # The way floating point registers (FPRs) are addressed is somewhat # complicated, because double precision float values are 64-bit even on # 32-bit CPUs. That means on 32-bit kernels each FPR occupies two # word-sized locations in the USER area. On 64-bit kernels each FPR # occupies one word-sized location in the USER area. # # Internally the kernel stores the FPRs in an array of u64s, or if VSX is # enabled, an array of pairs of u64s where one half of each pair stores # the FPR. Which half of the pair stores the FPR depends on the kernel's # endianness. # # To handle the different layouts of the FPRs depending on VSX/no-VSX and # big/little endian, the TS_FPR() macro was introduced. # # Unfortunately the TS_FPR() macro does not take into account the fact # that the addressing of each FPR differs between 32-bit and 64-bit # kernels. It just takes the index into the "USER area" passed from # userspace and indexes into the fp_state.fpr array. # # On 32-bit there are 64 indexes that address FPRs, but only 32 entries in # the fp_state.fpr array, meaning the user can read/write 256 bytes past # the end of the array. Because the fp_state sits in the middle of the # thread_struct there are various fields than can be overwritten, # including some pointers. As such it may be exploitable. # # It has also been observed to cause systems to hang or otherwise # misbehave when using gdbserver, and is probably the root cause of this # report which could not be easily reproduced: # https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/ # # Rather than trying to make the TS_FPR() macro even more complicated to # fix the bug, or add more macros, instead add a special-case for 32-bit # kernels. This is more obvious and hopefully avoids a similar bug # happening again in future. # # Note that because 32-bit kernels never have VSX enabled the code doesn't # need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to # ensure that 32-bit && VSX is never enabled. # # Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds") # Cc: stable@vger.kernel.org # v3.13+ # Reported-by: Ariel Miculas <ariel.miculas@belden.com> # Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu> # Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> # Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/m68k-linux/bin/m68k-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/m68k-linux/bin/m68k-linux-ld --version # < git log --format=%s --max-count=1 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # < make -s -j 32 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/m68k-linux/bin/m68k-linux- defconfig arch/m68k/configs/multi_defconfig:61:warning: symbol value 'm' invalid for ZPOOL # < make -s -j 32 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/m68k-linux/bin/m68k-linux- help # make -s -j 32 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/m68k-linux/bin/m68k-linux- olddefconfig # make -s -j 32 ARCH=m68k O=/kisskb/build/powerpc-fixes_m68k-defconfig_m68k-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/m68k-linux/bin/m68k-linux- Completed OK # rm -rf /kisskb/build/powerpc-fixes_m68k-defconfig_m68k-gcc11 # Build took: 0:03:08.852868
© Michael Ellerman 2006-2018.