On Sat, Apr 1, 2017 at 12:41 AM, Richard Weinberger <richard@xxxxxx> wrote: > This is broken since ever but sadly nobody noticed. > Recent versions of GDB set DR_CONTROL unconditionally and > UML dies due to a heap corruption. It turns out that > the PTRACE_POKEUSER was copy&pasted from i386 and assumes > that addresses are 4 bytes long. > > Fix that by using 8 as address size in the calculation. > > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: jie cao <cj3054@xxxxxxxxx> > Signed-off-by: Richard Weinberger <richard@xxxxxx> > --- > arch/x86/um/ptrace_64.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/um/ptrace_64.c b/arch/x86/um/ptrace_64.c > index a5c9910d234f..09a085bde0d4 100644 > --- a/arch/x86/um/ptrace_64.c > +++ b/arch/x86/um/ptrace_64.c > @@ -125,7 +125,7 @@ int poke_user(struct task_struct *child, long addr, long data) > else if ((addr >= offsetof(struct user, u_debugreg[0])) && > (addr <= offsetof(struct user, u_debugreg[7]))) { > addr -= offsetof(struct user, u_debugreg[0]); > - addr = addr >> 2; > + addr = addr >> 3; > if ((addr == 4) || (addr == 5)) > return -EIO; > child->thread.arch.debugregs[addr] = data; Applied. -- Thanks, //richard
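Review bot: the shift fixes the scaling, but there is still no alignment check on the offset in this hunk, so a poke at an address that is not a multiple of 8 within the u_debugreg range silently lands on the register below it (e.g. offset 3 becomes index 0). Since PTRACE_POKEUSER is caller-controlled, it would be cleaner to reject unaligned offsets with -EIO before the `addr -= offsetof(struct user, u_debugreg[0])` line. Also, a bare `addr >> 3` is the same kind of magic constant that caused the original copy&paste bug; dividing by `sizeof(child->thread.arch.debugregs[0])` (or the size of a u_debugreg element) would make the intent explicit and keep the calculation correct if the register width ever changes. Worth confirming at the same time that the corresponding peek path scales the offset the same way.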