linux-stable/arch/arm64/kernel
Mark Rutland f5d7129184 arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR
Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable,
and a SETREGSET call with a length of zero will leave this
uninitialized. Consequently an arbitrary value will be written back to
target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from
the kernel stack. The read is limited to a specific slot on the stack,
and the issue does not provide a write mechanism.

Fix this by initializing the temporary value before copying the regset
from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing
contents of FPMR will be retained.

Before this patch:

| # ./fpmr-test
| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d
| SETREGSET(nt=0x40e, len=8) wrote 8 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
|
| Attempting to write NT_ARM_FPMR (zero length)
| SETREGSET(nt=0x40e, len=0) wrote 0 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50

After this patch:

| # ./fpmr-test
| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d
| SETREGSET(nt=0x40e, len=8) wrote 8 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
|
| Attempting to write NT_ARM_FPMR (zero length)
| SETREGSET(nt=0x40e, len=0) wrote 0 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d

Fixes: 4035c22ef7 ("arm64/ptrace: Expose FPMR via ptrace")
Cc: <stable@vger.kernel.org> # 6.9.x
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20241205121655.1824269-3-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2024-12-05 18:04:06 +00:00
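Added example, not part of the commit above or of the kernel tree: a user-space reproducer for the zero-length NT_ARM_FPMR SETREGSET case the commit message describes, with a small model of the kernel-side temporary. The probe traces a forked child, writes a known value with iov_len=8, issues a zero-length SETREGSET, and reads FPMR back; if the value changed, the tracee's FPMR was overwritten with uninitialised stack contents. The ptrace part only does anything on an arm64 kernel with FPMR support; elsewhere the regset lookup fails with EINVAL and the program reports that. The value 0x40e for NT_ARM_FPMR is taken from the output above and is only defined locally when the system elf.h lacks it. fpmr_set_model() is an illustration of the pattern, not the kernel's code: the 'stale' argument stands in for whatever the uninitialised stack slot held, 'fixed' selects the post-patch behaviour of seeding the temporary from the thread's saved FPMR, and user_regset_copyin() is modelled as copying min(count, 8) bytes. For this regset the ptrace core only accepts iov_len values that are a multiple of 8 and clamps them to 8, so 0 and 8 are the only lengths that reach the handler.

```c
/*
 * Added example: reproducer for the zero-length NT_ARM_FPMR SETREGSET
 * case, plus a model of the fpmr_set() temporary.  Not kernel code.
 */
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef NT_ARM_FPMR
#define NT_ARM_FPMR 0x40e	/* regset number seen in the commit's output */
#endif

/*
 * Model of the handler's temporary (illustration only).  'stale' is what
 * the uninitialised stack slot happened to hold; with 'fixed' the
 * temporary is seeded from the thread's saved FPMR instead.  Copy-in is
 * modelled as memcpy of min(count, 8) bytes, as the core clamps iov_len.
 */
static uint64_t fpmr_set_model(uint64_t thread_fpmr, const void *ubuf,
			       size_t count, uint64_t stale, int fixed)
{
	uint64_t tmp = fixed ? thread_fpmr : stale;

	if (count > sizeof(tmp))
		count = sizeof(tmp);
	memcpy(&tmp, ubuf, count);
	return tmp;		/* value written back to thread.uw.fpmr */
}

/* PTRACE_SETREGSET on NT_ARM_FPMR with the given length; 0 or -errno. */
static int fpmr_setregset(pid_t pid, uint64_t *val, size_t len)
{
	struct iovec iov = { .iov_base = val, .iov_len = len };

	if (ptrace(PTRACE_SETREGSET, pid, (void *)(uintptr_t)NT_ARM_FPMR, &iov))
		return -errno;
	return 0;
}

/* PTRACE_GETREGSET on NT_ARM_FPMR into *val; 0 or -errno. */
static int fpmr_getregset(pid_t pid, uint64_t *val)
{
	struct iovec iov = { .iov_base = val, .iov_len = sizeof(*val) };

	if (ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_ARM_FPMR, &iov))
		return -errno;
	return 0;
}

/*
 * 1 if a zero-length SETREGSET changed FPMR (the bug), 0 if FPMR was
 * retained (patched kernel), -errno if the regset is unavailable.
 */
static int probe_fpmr_leak(pid_t pid)
{
	uint64_t known = 0x900d900d900d900dULL, got;
	int ret;

	if ((ret = fpmr_setregset(pid, &known, sizeof(known))) < 0)
		return ret;
	if ((ret = fpmr_setregset(pid, &known, 0)) < 0)
		return ret;
	if ((ret = fpmr_getregset(pid, &got)) < 0)
		return ret;
	return got != known;
}

int main(void)
{
	pid_t pid = fork();
	int status, ret;

	if (pid == 0) {
		ptrace(PTRACE_TRACEME, 0, NULL, NULL);
		raise(SIGSTOP);	/* stop so the parent can drive us */
		_exit(0);
	}
	waitpid(pid, &status, 0);
	ret = probe_fpmr_leak(pid);
	if (ret < 0)
		printf("NT_ARM_FPMR unavailable: %s\n", strerror(-ret));
	else
		printf("zero-length SETREGSET %s FPMR\n",
		       ret ? "CLOBBERED" : "retained");
	kill(pid, SIGKILL);
	waitpid(pid, NULL, 0);
	return ret < 0 ? 2 : ret;
}
```

Exit status 1 means the tracee's FPMR was clobbered by the zero-length write, 0 means it was retained, 2 means the regset could not be exercised on this host.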
pi Merge branches 'for-next/gcs', 'for-next/probes', 'for-next/asm-offsets', 'for-next/tlb', 'for-next/misc', 'for-next/mte', 'for-next/sysreg', 'for-next/stacktrace', 'for-next/hwcap3', 'for-next/kselftest', 'for-next/crc32', 'for-next/guest-cca', 'for-next/haft' and 'for-next/scs', remote-tracking branch 'arm64/for-next/perf' into for-next/core 2024-11-14 12:07:16 +00:00
probes - The series "zram: optimal post-processing target selection" from 2024-11-23 09:58:07 -08:00
vdso arm64: vdso: Drop LBASE_VDSO 2024-11-02 12:37:33 +01:00
vdso32 arm64: vdso: Drop LBASE_VDSO 2024-11-02 12:37:33 +01:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
acpi_numa.c arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE 2024-08-14 17:51:39 +01:00
acpi_parking_protocol.c arm64: smp: Remove dedicated wakeup IPI 2023-09-25 17:15:28 +01:00
acpi.c Merge branch 'for-next/vcpu-hotplug' into for-next/core 2024-07-11 19:10:02 +01:00
alternative.c Merge branches 'for-next/kpti', 'for-next/missing-proto-warn', 'for-next/iss2-decode', 'for-next/kselftest', 'for-next/misc', 'for-next/feat_mops', 'for-next/module-alloc', 'for-next/sysreg', 'for-next/cpucap', 'for-next/acpi', 'for-next/kdump', 'for-next/acpi-doc', 'for-next/doc' and 'for-next/tpidr2-fix', remote-tracking branch 'arm64/for-next/perf' into for-next/core 2023-06-23 18:32:20 +01:00
armv8_deprecated.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
asm-offsets.c ftrace updates for v6.13: 2024-11-20 11:34:10 -08:00
cacheinfo.c cacheinfo: Add arm64 early level initializer implementation 2023-04-13 09:32:33 +01:00
compat_alignment.c arm64: compat: Work around uninitialized variable warning 2023-04-05 17:51:47 +01:00
cpu_errata.c arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 2024-10-04 12:38:03 +01:00
cpu_ops.c arm64: Introduce get_cpu_ops() helper function 2020-03-24 17:24:19 +00:00
cpu-reset.S arm64: kernel: remove SHF_WRITE|SHF_EXECINSTR from .idmap.text 2023-05-02 12:42:22 +01:00
cpufeature.c The biggest change here is eliminating the awful idea that KVM had, of 2024-11-23 16:00:50 -08:00
cpuinfo.c The biggest change here is eliminating the awful idea that KVM had, of 2024-11-23 16:00:50 -08:00
crash_dump.c vmcore: convert copy_oldmem_page() to take an iov_iter 2022-04-29 14:37:59 -07:00
debug-monitors.c Merge branch 'for-next/mops' into for-next/core 2024-11-14 12:07:28 +00:00
efi-header.S arm64: efi: Enable BTI codegen and add PE/COFF annotation 2023-04-20 15:43:45 +02:00
efi-rt-wrapper.S arm64: efi: Avoid workqueue to check whether EFI runtime is live 2023-01-16 15:27:31 +01:00
efi.c efi: arm64: Map Device with Prot Shared 2024-10-23 10:19:32 +01:00
elfcore.c arm64: mte: Avoid the racy walk of the vma list during core dump 2023-01-05 15:12:12 +00:00
entry-common.c Merge branch 'for-next/mops' into for-next/core 2024-11-14 12:07:28 +00:00
entry-fpsimd.S arm64/sme: Implement context switching for ZT0 2023-01-20 12:23:06 +00:00
entry-ftrace.S arm64: ftrace: Enable HAVE_FUNCTION_GRAPH_RETVAL 2023-06-20 18:38:37 -04:00
entry.S arm64: stacktrace: unwind exception boundaries 2024-10-17 18:06:25 +01:00
fpsimd.c arm64 updates for 6.13: 2024-11-18 18:10:37 -08:00
ftrace.c - The series "zram: optimal post-processing target selection" from 2024-11-23 09:58:07 -08:00
head.S arm64: stacktrace: unwind exception boundaries 2024-10-17 18:06:25 +01:00
hibernate-asm.S arm64: kexec: install a copy of the linear-map 2021-10-01 13:31:00 +01:00
hibernate.c hugetlb: arm64: add mte support 2024-10-16 14:50:47 +01:00
hw_breakpoint.c perf/bpf: Remove unneeded uses_default_overflow_handler() 2024-04-12 11:49:50 +02:00
hyp-stub.S ARM64: 2023-07-03 15:32:22 -07:00
idle.c arm64: idle: Tag the arm64 idle functions as __cpuidle 2023-09-25 17:15:28 +01:00
image-vars.h arm64: irqchip/gic-v3: Select priorities at boot time 2024-06-24 18:16:45 +01:00
image.h arm64: get rid of TEXT_OFFSET 2020-09-07 15:00:52 +01:00
io.c arm64: Use new fallback IO memcpy/memset 2024-10-28 21:44:29 +00:00
irq.c arm64: irq: set the correct node for shadow call stack 2023-12-13 12:09:00 +00:00
jump_label.c asm-generic: introduce text-patching.h 2024-11-07 14:25:15 -08:00
kaslr.c arm64: kaslr: Use feature override instead of parsing the cmdline again 2024-02-16 12:42:31 +00:00
kexec_image.c kexec_file, arm64: print out debugging message if required 2023-12-20 15:02:57 -08:00
kgdb.c asm-generic: introduce text-patching.h 2024-11-07 14:25:15 -08:00
kuser32.S arm64: Update Documentation/arm references 2023-06-12 06:33:48 -06:00
machine_kexec_file.c arm64, crash: wrap crash dumping code into crash related ifdefs 2024-02-23 17:48:23 -08:00
machine_kexec.c arm64, crash: wrap crash dumping code into crash related ifdefs 2024-02-23 17:48:23 -08:00
Makefile arm64: Detect if in a realm and set RIPAS RAM 2024-10-23 10:19:32 +01:00
Makefile.syscalls syscalls: fix syscall macros for newfstat/newfstatat 2024-08-02 15:20:47 +02:00
module-plts.c Merge branch 'for-next/cpus_have_const_cap' into for-next/core 2023-10-26 17:10:18 +01:00
module.c arm64/scs: Fix handling of DWARF augmentation data in CIE/FDE frames 2024-11-08 16:37:55 +00:00
mte.c hugetlb: arm64: add mte support 2024-10-16 14:50:47 +01:00
paravirt.c arm64: paravirt: remove conduit check in has_pv_steal_clock 2022-11-09 18:11:56 +00:00
patching.c arm64: patching: avoid early page_to_phys() 2024-12-03 18:05:42 +00:00
pci.c arm64: PCI: Migrate ACPI related functions to pci-acpi.c 2024-08-27 15:48:34 +02:00
perf_callchain.c perf/core: Correct perf sampling with guest VMs 2024-11-14 10:40:01 +01:00
perf_regs.c perf: arm64: Add SVE vector granule register to user regs 2022-09-22 15:06:02 +01:00
pointer_auth.c arm64: move preemption disablement to prctl handlers 2021-07-28 18:33:49 +01:00
process.c Merge branch 'for-next/pkey-signal' into for-next/core 2024-11-14 12:07:30 +00:00
proton-pack.c arm64: errata: Unify speculative SSBS errata logic 2024-06-12 16:07:21 +01:00
psci.c arm64: psci: Ignore DENIED CPUs 2024-06-28 18:38:31 +01:00
ptrace.c arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR 2024-12-05 18:04:06 +00:00
reloc_test_core.c ARM64: reloc_test: add missing MODULE_DESCRIPTION() macro 2024-06-13 10:23:54 +01:00
reloc_test_syms.S arm64: kernel: Convert to modern annotations for assembly functions 2020-05-04 12:46:03 +01:00
relocate_kernel.S arm64: kexec: load from kimage prior to clobbering 2022-05-17 14:25:35 +01:00
return_address.c arm64: Make return_address() use arch_stack_walk() 2021-12-10 14:06:04 +00:00
rsi.c arm64: Enable memory encrypt for Realms 2024-10-23 10:19:33 +01:00
sdei.c arm64: sdei: abort running SDEI handlers during crash 2023-08-04 17:35:33 +01:00
setup.c Devicetree updates for v6.13: 2024-11-20 13:19:25 -08:00
signal32.c arm64: rework compat syscall macros 2024-07-10 14:23:38 +02:00
signal.c Merge branch 'for-next/pkey-signal' into for-next/core 2024-11-14 12:07:30 +00:00
sigreturn32.S arm64: rework compat syscall macros 2024-07-10 14:23:38 +02:00
sleep.S arm64: mm: Handle LVA support as a CPU feature 2024-02-16 12:42:36 +00:00
smccc-call.S arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint 2024-11-07 11:18:52 +00:00
smp_spin_table.c treewide: Drop function_nocfi 2022-09-26 10:13:14 -07:00
smp.c arm64 updates for 6.12 2024-09-16 06:55:07 +02:00
stacktrace.c arm64: stacktrace: unwind exception boundaries 2024-10-17 18:06:25 +01:00
suspend.c arm64/sme: Restore SME registers on exit from suspend 2024-02-20 12:19:15 +00:00
sys32.c arm64: convert unistd_32.h to syscall.tbl format 2024-07-10 14:23:38 +02:00
sys_compat.c arm64: Avoid cpus_have_const_cap() for ARM64_WORKAROUND_1542419 2023-10-16 14:17:06 +01:00
sys.c arm64: generate 64-bit syscall.tbl 2024-07-10 14:23:38 +02:00
syscall.c arm64: convert unistd_32.h to syscall.tbl format 2024-07-10 14:23:38 +02:00
time.c arm64: Make profile_pc() use arch_stack_walk() 2021-12-10 14:06:04 +00:00
topology.c arm64/amu: Use capacity_ref_freq() to set AMU ratio 2023-12-23 15:52:36 +01:00
trace-events-emulation.h tracing/treewide: Remove second parameter of __assign_str() 2024-05-22 20:14:47 -04:00
traps.c - The series "zram: optimal post-processing target selection" from 2024-11-23 09:58:07 -08:00
vdso32-wrap.S arm64: do not descend to vdso directories twice 2021-01-20 12:18:46 +00:00
vdso-wrap.S arm64: do not descend to vdso directories twice 2021-01-20 12:18:46 +00:00
vdso.c arm64: vdso: Use only one single vvar mapping 2024-11-02 12:37:33 +01:00
vmcore_info.c crash: split vmcoreinfo exporting code out from crash_core.c 2024-02-23 17:48:22 -08:00
vmlinux.lds.S arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG 2024-11-07 11:33:06 +00:00
watchdog_hld.c arm64: enable perf events based hard lockup detector 2023-06-09 17:44:22 -07:00