summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2021-09-24 00:35:42 +0000
committerGuo Ren <guoren@linux.alibaba.com>2021-10-16 07:20:12 +0800
commitfbd63c08cdcca5fb1315aca3172b3c9c272cfb4f (patch)
tree9f452d718901cf5786f42de5f8401ba295a65970
parent64570fbc14f8d7cb3fe3995f20e26bc25ce4b2cc (diff)
downloadlinux-fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f.tar.gz
linux-fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f.tar.bz2
linux-fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f.zip
csky: don't let sigreturn play with priveleged bits of status register
csky restore_sigcontext() blindly overwrites regs->sr with the value it finds in sigcontext. Attacker can store whatever they want in there, which includes things like S-bit. Userland shouldn't be able to set that, or anything other than C flag (bit 0). Do the same thing other architectures with protected bits in flags register do - preserve everything that shouldn't be settable in user mode, picking the rest from the value saved is sigcontext. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Guo Ren <guoren@kernel.org> Cc: stable@vger.kernel.org
-rw-r--r--arch/csky/kernel/signal.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/csky/kernel/signal.c b/arch/csky/kernel/signal.c
index bc4238b9f709..c7b763d2f526 100644
--- a/arch/csky/kernel/signal.c
+++ b/arch/csky/kernel/signal.c
@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt_regs *regs,
struct sigcontext __user *sc)
{
int err = 0;
+ unsigned long sr = regs->sr;
/* sc_pt_regs is structured the same as the start of pt_regs */
err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
+ /* BIT(0) of regs->sr is Condition Code/Carry bit */
+ regs->sr = (sr & ~1) | (regs->sr & 1);
+
/* Restore the floating-point state. */
err |= restore_fpu_state(sc);