With certain EVA configurations it is possible for the kernel address space to overlap user address space, which allows the user to set watchpoints on kernel addresses via ptrace. If a watchpoint is set in the watch exception handling code (after exception level has been cleared) then the system will hang in an infinite loop when hitting a watchpoint while trying to process it. To prevent that simply disallow placing any watchpoints at addresses above start of kernel that overlap userspace. Signed-off-by: Marcin Nowakowski <marcin.nowakowski@xxxxxxxxxx> --- This supersedes "protect watchpoint handling code from setting watchpoints" which originally would only protect part of the kernel code most vulnerable. However, that change was incomplete and it is really difficult to ensure all required sections are properly guarded. Having selective guards on parts of the kernel address space could also be used as a method to circumvent KASLR. --- arch/mips/kernel/ptrace.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index c8ba260..7b87493 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -253,6 +253,11 @@ int ptrace_set_watch_regs(struct task_struct *child, #ifdef CONFIG_32BIT if (lt[i] & __UA_LIMIT) return -EINVAL; + +#ifdef CONFIG_EVA + if (lt[i] >= PAGE_OFFSET) + return -EINVAL; +#endif /* CONFIG_EVA */ #else if (test_tsk_thread_flag(child, TIF_32BIT_ADDR)) { if (lt[i] & 0xffffffff80000000UL) -- 2.7.4