diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2021-09-24 00:35:42 +0000 |
|---|---|---|
| committer | Guo Ren <guoren@linux.alibaba.com> | 2021-10-16 07:20:12 +0800 |
| commit | fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f (patch) | |
| tree | 9f452d718901cf5786f42de5f8401ba295a65970 /arch/csky | |
| parent | 64570fbc14f8d7cb3fe3995f20e26bc25ce4b2cc (diff) | |
| download | linux-fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f.tar.gz linux-fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f.tar.bz2 linux-fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f.zip | |
csky: don't let sigreturn play with priveleged bits of status register
csky restore_sigcontext() blindly overwrites regs->sr with the value
it finds in sigcontext. Attacker can store whatever they want in there,
which includes things like S-bit. Userland shouldn't be able to set
that, or anything other than C flag (bit 0).
Do the same thing other architectures with protected bits in flags
register do - preserve everything that shouldn't be settable in
user mode, picking the rest from the value saved is sigcontext.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Guo Ren <guoren@kernel.org>
Cc: stable@vger.kernel.org
Diffstat (limited to 'arch/csky')
| -rw-r--r-- | arch/csky/kernel/signal.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/arch/csky/kernel/signal.c b/arch/csky/kernel/signal.c index bc4238b9f709..c7b763d2f526 100644 --- a/arch/csky/kernel/signal.c +++ b/arch/csky/kernel/signal.c @@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc) { int err = 0; + unsigned long sr = regs->sr; /* sc_pt_regs is structured the same as the start of pt_regs */ err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs)); + /* BIT(0) of regs->sr is Condition Code/Carry bit */ + regs->sr = (sr & ~1) | (regs->sr & 1); + /* Restore the floating-point state. */ err |= restore_fpu_state(sc); |