# git rev-parse -q --verify 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9^{commit} 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 already have revision, skipping fetch # git checkout -q -f -B kisskb 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # git clean -qxdf # < git log -1 # commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # Author: Michael Ellerman # Date: Tue Jun 7 00:34:56 2022 +1000 # # powerpc/32: Fix overread/overwrite of thread_struct via ptrace # # The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process # to read/write registers of another process. # # To get/set a register, the API takes an index into an imaginary address # space called the "USER area", where the registers of the process are # laid out in some fashion. # # The kernel then maps that index to a particular register in its own data # structures and gets/sets the value. # # The API only allows a single machine-word to be read/written at a time. # So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels. # # The way floating point registers (FPRs) are addressed is somewhat # complicated, because double precision float values are 64-bit even on # 32-bit CPUs. That means on 32-bit kernels each FPR occupies two # word-sized locations in the USER area. On 64-bit kernels each FPR # occupies one word-sized location in the USER area. # # Internally the kernel stores the FPRs in an array of u64s, or if VSX is # enabled, an array of pairs of u64s where one half of each pair stores # the FPR. Which half of the pair stores the FPR depends on the kernel's # endianness. # # To handle the different layouts of the FPRs depending on VSX/no-VSX and # big/little endian, the TS_FPR() macro was introduced. # # Unfortunately the TS_FPR() macro does not take into account the fact # that the addressing of each FPR differs between 32-bit and 64-bit # kernels. It just takes the index into the "USER area" passed from # userspace and indexes into the fp_state.fpr array. # # On 32-bit there are 64 indexes that address FPRs, but only 32 entries in # the fp_state.fpr array, meaning the user can read/write 256 bytes past # the end of the array. Because the fp_state sits in the middle of the # thread_struct there are various fields than can be overwritten, # including some pointers. As such it may be exploitable. # # It has also been observed to cause systems to hang or otherwise # misbehave when using gdbserver, and is probably the root cause of this # report which could not be easily reproduced: # https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/ # # Rather than trying to make the TS_FPR() macro even more complicated to # fix the bug, or add more macros, instead add a special-case for 32-bit # kernels. This is more obvious and hopefully avoids a similar bug # happening again in future. # # Note that because 32-bit kernels never have VSX enabled the code doesn't # need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to # ensure that 32-bit && VSX is never enabled. # # Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds") # Cc: stable@vger.kernel.org # v3.13+ # Reported-by: Ariel Miculas # Tested-by: Christophe Leroy # Signed-off-by: Michael Ellerman # Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au # < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux-ld --version # < git log --format=%s --max-count=1 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # < make -s -j 32 ARCH=powerpc O=/kisskb/build/powerpc-fixes_ppc64_defconfig+NO_TM_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- ppc64_defconfig # Added to kconfig CONFIG_PPC_TRANSACTIONAL_MEM=n # < make -s -j 32 ARCH=powerpc O=/kisskb/build/powerpc-fixes_ppc64_defconfig+NO_TM_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- help # make -s -j 32 ARCH=powerpc O=/kisskb/build/powerpc-fixes_ppc64_defconfig+NO_TM_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- olddefconfig # make -s -j 32 ARCH=powerpc O=/kisskb/build/powerpc-fixes_ppc64_defconfig+NO_TM_powerpc-gcc5 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-5.5.0-nolibc/powerpc64-linux/bin/powerpc64-linux- Completed OK # rm -rf /kisskb/build/powerpc-fixes_ppc64_defconfig+NO_TM_powerpc-gcc5 # Build took: 0:02:17.888224