[PATCH] x86-64: fix another kernel data leak to 32-bit processes

From: Jan Beulich
Date: Mon Oct 19 2009 - 07:42:57 EST


Unfortunately I didn't realize that the other instances of branches to
int_ret_from_sys_call also need fixing when preparing the previous
similar patch. The issue fixed here was in fact introduced by an
earlier patch of mine (295286a89107c353b9677bc604361c537fd6a1c0, i.e.
in 2.6.28, but through stable now also present in 2.6.27), making
kernel stack contents potentially visible through R8...R11 when this
or an earlier syscall got interrupted prior to the handler being able
to decrement the stack pointer (such that the space normally used by
those registers within pt_regs would get overwritten by the interrupt
handler stub).

While touching the code, I also swapped the branch pairs so that the
static branch prediction logic would consider the syscall-number-in-
range case the taken path.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxxxx>
Cc: stable@xxxxxxxxxx

---
arch/x86/ia32/ia32entry.S | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)

--- linux-2.6.32-rc5/arch/x86/ia32/ia32entry.S 2009-10-19 13:12:43.000000000 +0200
+++ 2.6.32-rc5-x86_64-ia32-syscall-trace-reg-leak/arch/x86/ia32/ia32entry.S 2009-10-19 09:36:39.000000000 +0200
@@ -249,9 +249,9 @@ sysenter_tracesys:
call syscall_trace_enter
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
- cmpl $(IA32_NR_syscalls-1),%eax
- ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
- jmp sysenter_do_call
+ cmpl $IA32_NR_syscalls,%eax
+ jb sysenter_do_call
+ jmp ia32_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */
CFI_ENDPROC
ENDPROC(ia32_sysenter_target)
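Review bot: The retained comment on the new `jmp ia32_ret_from_sys_call` still only says "sysenter_tracesys has set RAX(%rsp)", which explains why the dispatch is skipped but not why the return target changed; a short comment (or a sentence in the description) stating that int_ret_from_sys_call restores R8...R11 from pt_regs slots an interrupt stub may have overwritten, whereas ia32_ret_from_sys_call does not expose them to the 32-bit caller, would make the security motivation visible at the site of the fix. The bounds check itself is equivalent: `cmpl $(IA32_NR_syscalls-1),%eax; ja` and `cmpl $IA32_NR_syscalls,%eax; jb` are both unsigned comparisons, so a negative value in %eax is still treated as out of range and takes the error path.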

@@ -368,9 +368,9 @@ cstar_tracesys:
LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
RESTORE_REST
xchgl %ebp,%r9d
- cmpl $(IA32_NR_syscalls-1),%eax
- ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
- jmp cstar_do_call
+ cmpl $IA32_NR_syscalls,%eax
+ jb cstar_do_call
+ jmp ia32_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */
END(ia32_cstar_target)

ia32_badarg:
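Review bot: Since the patch is Cc'd to stable and the description says the leak is present in 2.6.27 and 2.6.28, the backport depends on the `ia32_ret_from_sys_call` label introduced by the "previous similar patch" already being in those trees; the description should name that prerequisite commit so the stable maintainers do not apply this hunk against a tree where the jump target does not exist. The `xchgl %ebp,%r9d` ahead of the compare is unchanged and does not touch %eax, so the reordered branch pair in this hunk behaves the same as the sysenter one.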
@@ -445,9 +445,9 @@ ia32_tracesys:
call syscall_trace_enter
LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
RESTORE_REST
- cmpl $(IA32_NR_syscalls-1),%eax
- ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
- jmp ia32_do_call
+ cmpl $IA32_NR_syscalls,%eax
+ jb ia32_do_call
+ jmp ia32_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */
END(ia32_syscall)

ia32_badsys:
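Review bot: This is the third copy of an identical six-line sequence, and the description itself says the earlier fix missed the other instances; consider folding the bounds check and the two branches into a shared macro or tail label so that a future change to the return path cannot again be applied to one entry point and not the others. Before merging, a grep of ia32entry.S for any remaining `int_ret_from_sys_call` reference on a trace path would confirm that no fourth instance is left behind.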