[mips*] Prevent user from setting FCSR cause bits and cause possible

kernel oops. svn path=/dists/sid/linux/; revision=21658
2014-07-30 20:28:23 +00:00 · 2014-07-30 20:28:23 +00:00 · 9c51370af1
parent 15b4edcb43
commit 9c51370af1
3 changed files with 58 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -11,6 +11,8 @@ linux (3.14.13-3) UNRELEASED; urgency=medium
  * [mips,mipsel/4kc-malta] Fix bug which can cause incorrect system call
    restarts (fix hang on boot).
  * [mips*] Fix hugepage support on machines with R4K like TLB.
+  * [mips*] Prevent user from setting FCSR cause bits and cause possible
+    kernel oops.

  [ Ben Hutchings ]
  * [amd64] Reject x32 executables if x32 ABI not supported
--- a/debian/patches/bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
+++ b/debian/patches/bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
@ -0,0 +1,55 @@
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Tue, 22 Jul 2014 14:21:21 +0100
+Subject: MIPS: prevent user from setting FCSR cause bits
+Origin: https://git.kernel.org/cgit/linux/kernel/git/jhogan/mips.git/commit?id=07d8a26cb44dbbbea721da0fd0b7f79ffffe7ab7
+
+If one or more matching FCSR cause & enable bits are set in saved thread
+context then when that context is restored the kernel will take an FP
+exception. This is of course undesirable and considered an oops, leading
+to the kernel writing a backtrace to the console and potentially
+rebooting depending upon the configuration. Thus the kernel avoids this
+situation by clearing the cause bits of the FCSR register when handling
+FP exceptions and after emulating FP instructions.
+
+However the kernel does not prevent userland from setting arbitrary FCSR
+cause & enable bits via ptrace, using either the PTRACE_POKEUSR or
+PTRACE_SETFPREGS requests. This means userland can trivially cause the
+kernel to oops on any system with an FPU. Prevent this from happening
+by clearing the cause bits when writing to the saved FCSR context via
+ptrace.
+
+This problem appears to exist at least back to the beginning of the git
+era in the PTRACE_POKEUSR case.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Cc: stable@vger.kernel.org
+Patchwork: http://patchwork.linux-mips.org/patch/7438/
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+---
+ arch/mips/kernel/ptrace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index f639ccd..3a7f7dd 100644
+--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
+@@ -170,6 +170,7 @@ int ptrace_setfpregs(struct task_struct
+ 		__get_user(fregs[i], i + (__u64 __user *) data);
+ 
+ 	__get_user(child->thread.fpu.fcr31, data + 64);
+	child->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
+ 
+ 	/* FIR may not be written.  */
+ 
+@@ -593,7 +594,7 @@ long arch_ptrace(struct task_struct *chi
+ 			break;
+ #endif
+ 		case FPC_CSR:
+-			child->thread.fpu.fcr31 = data;
+			child->thread.fpu.fcr31 = data & ~FPU_CSR_ALL_X;
+ 			break;
+ 		case DSP_BASE ... DSP_BASE + 5: {
+ 			dspreg_t *dregs;
+-- 
+1.7.10.4
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -68,6 +68,7 @@ bugfix/mips/MIPS-ptrace-Avoid-smp_processor_id-in-preemptible-co.patch
 bugfix/mips/MIPS-OCTEON-make-get_system_type-thread-safe.patch
 bugfix/mips/MIPS-O32-32-bit-Fix-bug-which-can-cause-incorrect-sy.patch
 bugfix/mips/MIPS-tlbex-fix-a-missing-statement-for-HUGETLB.patch
+bugfix/mips/MIPS-prevent-user-from-setting-FCSR-cause-bits.patch
 bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch

 # Miscellaneous bug fixes