This is a note to let you know that I've just added the patch titled h8300/ptrace: Fix incorrect register transfer count to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: h8300-ptrace-fix-incorrect-register-transfer-count.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 502585c7555083d4a949c08350306b9ec196779e Mon Sep 17 00:00:00 2001 From: Dave Martin <Dave.Martin@xxxxxxx> Date: Mon, 27 Mar 2017 15:10:54 +0100 Subject: h8300/ptrace: Fix incorrect register transfer count From: Dave Martin <Dave.Martin@xxxxxxx> commit 502585c7555083d4a949c08350306b9ec196779e upstream. regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun if CONFIG_CPU_H8S is set, since this adds an extra entry to register_offset[] but not to user_regs_struct. So, iterate over user_regs_struct based on its actual size, not based on the length of register_offset[]. Signed-off-by: Dave Martin <Dave.Martin@xxxxxxx> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- arch/h8300/kernel/ptrace.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/arch/h8300/kernel/ptrace.c +++ b/arch/h8300/kernel/ptrace.c @@ -95,7 +95,8 @@ static int regs_get(struct task_struct * long *reg = (long *)®s; /* build user regs in buffer */ - for (r = 0; r < ARRAY_SIZE(register_offset); r++) + BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); + for (r = 0; r < sizeof(regs) / sizeof(long); r++) *reg++ = h8300_get_reg(target, r); return user_regset_copyout(&pos, &count, &kbuf, &ubuf, 
@@ -113,7 +114,8 @@ static int regs_set(struct task_struct * long *reg; /* build user regs in buffer */ - for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) + BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); + for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) *reg++ = h8300_get_reg(target, r); ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, @@ -122,7 +124,7 @@ static int regs_set(struct task_struct * return ret; /* write back to pt_regs */ - for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) + for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) h8300_put_reg(target, r, *reg++); return 0; } Patches currently in stable-queue which might be from Dave.Martin@xxxxxxx are queue-4.4/metag-ptrace-reject-partial-nt_metag_rpipe-writes.patch queue-4.4/metag-ptrace-preserve-previous-registers-for-short-regset-write.patch queue-4.4/metag-ptrace-provide-default-txstatus-for-short-nt_prstatus.patch queue-4.4/c6x-ptrace-remove-useless-ptrace_setregset-implementation.patch queue-4.4/mips-ptrace-preserve-previous-registers-for-short-regset-write.patch queue-4.4/h8300-ptrace-fix-incorrect-register-transfer-count.patch queue-4.4/sparc-ptrace-preserve-previous-registers-for-short-regset-write.patch
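Review bot: the new bound in the regs_get() hunk closes the overrun only in one direction; h8300_get_reg(target, r) is still indexed by r, and if it indexes register_offset[] as the old loop bound suggests, a user_regs_struct larger than register_offset[] would move the overrun into that helper instead. The added BUILD_BUG_ON checks that sizeof(regs) is a multiple of sizeof(long) but not this relationship, so consider adding `BUILD_BUG_ON(sizeof(regs) / sizeof(long) > ARRAY_SIZE(register_offset));` beside it so the invariant the commit message relies on is enforced at build time.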
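Review bot: in the first regs_set() hunk the BUILD_BUG_ON and the `sizeof(regs) / sizeof(long)` bound are duplicated verbatim from regs_get(), and the same expression appears a third time in the write-back loop below; a named constant for the user-visible register count, defined next to register_offset[] and used by all three loops, would keep the two functions from drifting apart when one of them is touched again.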
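Review bot: the write-back loop in the last regs_set() hunk pushes every one of the sizeof(regs) / sizeof(long) registers back with h8300_put_reg() regardless of how many user_regset_copyin() actually updated; that is correct only because the earlier loop prefilled regs from the target, so a one-line comment at the write-back stating that dependency (untouched entries hold the target's current values) would help the next reader see why a short write is safe here.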