Buildresult: powerpc-fixes/sparc64-defconfig/sparc64-gcc11 built on Jun 10 2022, 02:08

kisskb

Revisions | Branches | Compilers | Configs | Build Results | Build Failures |

Status:	OK
Date/Time:	Jun 10 2022, 02:08
Duration:	0:01:02.642096
Builder:	ka7
Revision:	powerpc/32: Fix overread/overwrite of thread_struct via ptrace (`8e1278444446fc97778a5e5c99bca1ce0bbc5ec9)`
Target:	powerpc-fixes/sparc64-defconfig/sparc64-gcc11
Branch:	powerpc-fixes
Compiler:	sparc64-gcc11 (sparc64-linux-gcc (GCC) 11.1.0 / GNU ld (GNU Binutils) 2.36.1)
Config:	defconfig (download)
Log:	Download original Possible warnings (2) <stdin>:1517:2: warning: #warning syscall clone3 not implemented [-Wcpp] WARNING: modpost: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned. Full Log # git rev-parse -q --verify 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9^{commit} 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 already have revision, skipping fetch # git checkout -q -f -B kisskb 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # git clean -qxdf # < git log -1 # commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # Author: Michael Ellerman <mpe@ellerman.id.au> # Date: Tue Jun 7 00:34:56 2022 +1000 # # powerpc/32: Fix overread/overwrite of thread_struct via ptrace # # The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process # to read/write registers of another process. # # To get/set a register, the API takes an index into an imaginary address # space called the "USER area", where the registers of the process are # laid out in some fashion. # # The kernel then maps that index to a particular register in its own data # structures and gets/sets the value. # # The API only allows a single machine-word to be read/written at a time. # So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels. # # The way floating point registers (FPRs) are addressed is somewhat # complicated, because double precision float values are 64-bit even on # 32-bit CPUs. That means on 32-bit kernels each FPR occupies two # word-sized locations in the USER area. On 64-bit kernels each FPR # occupies one word-sized location in the USER area. # # Internally the kernel stores the FPRs in an array of u64s, or if VSX is # enabled, an array of pairs of u64s where one half of each pair stores # the FPR. Which half of the pair stores the FPR depends on the kernel's # endianness. # # To handle the different layouts of the FPRs depending on VSX/no-VSX and # big/little endian, the TS_FPR() macro was introduced. # # Unfortunately the TS_FPR() macro does not take into account the fact # that the addressing of each FPR differs between 32-bit and 64-bit # kernels. It just takes the index into the "USER area" passed from # userspace and indexes into the fp_state.fpr array. # # On 32-bit there are 64 indexes that address FPRs, but only 32 entries in # the fp_state.fpr array, meaning the user can read/write 256 bytes past # the end of the array. Because the fp_state sits in the middle of the # thread_struct there are various fields than can be overwritten, # including some pointers. As such it may be exploitable. # # It has also been observed to cause systems to hang or otherwise # misbehave when using gdbserver, and is probably the root cause of this # report which could not be easily reproduced: # https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/ # # Rather than trying to make the TS_FPR() macro even more complicated to # fix the bug, or add more macros, instead add a special-case for 32-bit # kernels. This is more obvious and hopefully avoids a similar bug # happening again in future. # # Note that because 32-bit kernels never have VSX enabled the code doesn't # need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to # ensure that 32-bit && VSX is never enabled. # # Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds") # Cc: stable@vger.kernel.org # v3.13+ # Reported-by: Ariel Miculas <ariel.miculas@belden.com> # Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu> # Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> # Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sparc64-linux/bin/sparc64-linux-gcc --version # < /opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sparc64-linux/bin/sparc64-linux-ld --version # < git log --format=%s --max-count=1 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 # < make -s -j 32 ARCH=sparc64 O=/kisskb/build/powerpc-fixes_sparc64-defconfig_sparc64-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sparc64-linux/bin/sparc64-linux- defconfig # < make -s -j 32 ARCH=sparc64 O=/kisskb/build/powerpc-fixes_sparc64-defconfig_sparc64-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sparc64-linux/bin/sparc64-linux- help # make -s -j 32 ARCH=sparc64 O=/kisskb/build/powerpc-fixes_sparc64-defconfig_sparc64-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sparc64-linux/bin/sparc64-linux- olddefconfig # make -s -j 32 ARCH=sparc64 O=/kisskb/build/powerpc-fixes_sparc64-defconfig_sparc64-gcc11 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-11.1.0-nolibc/sparc64-linux/bin/sparc64-linux- <stdin>:1517:2: warning: #warning syscall clone3 not implemented [-Wcpp] WARNING: modpost: EXPORT symbol "_mcount" [vmlinux] version generation failed, symbol will not be versioned. Is "_mcount" prototyped in <asm/asm-prototypes.h>? kernel: arch/sparc/boot/image is ready kernel: arch/sparc/boot/zImage is ready Completed OK # rm -rf /kisskb/build/powerpc-fixes_sparc64-defconfig_sparc64-gcc11 # Build took: 0:01:02.642096

© Michael Ellerman 2006-2018.