| Message ID | 20220306064435.256328-3-jcmvbkbc@gmail.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 5b835d4cade1723c5944a231cc685801f5a5cc6c |
| Headers | show |
| Series | xtensa: fix pt_regs to cover user exception frame | expand |
On Sat, Mar 05, 2022 at 10:44:35PM -0800, Max Filippov wrote: > struct pt_regs is used to access both kernel and user exception frames. > User exception frames may contain up to XCHAL_NUM_AREG registers that > task creation and signal delivery code may access, but pt_regs::areg > array has only 16 entries that cover only the kernel exception frame. > This results in the following build error: > > arch/xtensa/kernel/process.c: In function 'copy_thread': > arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above > array bounds of 'long unsigned int[16]' [-Werror=array-bounds] > 262 | put_user(regs->areg[caller_ars+1], > > Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers > the whole user exception frame. Adjust task_pt_regs and drop additional > register copying code from copy_thread now that the whole user exception > stack frame is copied. > > Reported-by: Kees Cook <keescook@chromium.org> > Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> > --- > arch/xtensa/include/asm/ptrace.h | 7 +++---- > arch/xtensa/kernel/process.c | 10 ---------- > 2 files changed, 3 insertions(+), 14 deletions(-) ^^^^^^^^^^^^ Well that's always nice to see in a fix. :) Thanks for digging into this! Reviewed-by: Kees Cook <keescook@chromium.org>
diff --git a/arch/xtensa/include/asm/ptrace.h b/arch/xtensa/include/asm/ptrace.h index b109416dc07e..308f209a4740 100644 --- a/arch/xtensa/include/asm/ptrace.h +++ b/arch/xtensa/include/asm/ptrace.h @@ -44,6 +44,7 @@ #ifndef __ASSEMBLY__ #include <asm/coprocessor.h> +#include <asm/core.h> /* * This struct defines the way the registers are stored on the @@ -77,14 +78,12 @@ struct pt_regs { /* current register frame. * Note: The ESF for kernel exceptions ends after 16 registers! */ - unsigned long areg[16]; + unsigned long areg[XCHAL_NUM_AREGS]; }; -#include <asm/core.h> - # define arch_has_single_step() (1) # define task_pt_regs(tsk) ((struct pt_regs*) \ - (task_stack_page(tsk) + KERNEL_STACK_SIZE - (XCHAL_NUM_AREGS-16)*4) - 1) + (task_stack_page(tsk) + KERNEL_STACK_SIZE) - 1) # define user_mode(regs) (((regs)->ps & 0x00000020)!=0) # define instruction_pointer(regs) ((regs)->pc) # define return_pointer(regs) (MAKE_PC_FROM_RA((regs)->areg[0], \ diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c index bd80df890b1e..e8bfbca5f001 100644 --- a/arch/xtensa/kernel/process.c +++ b/arch/xtensa/kernel/process.c @@ -232,10 +232,6 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, p->thread.ra = MAKE_RA_FOR_CALL( (unsigned long)ret_from_fork, 0x1); - /* This does not copy all the regs. - * In a bout of brilliance or madness, - * ARs beyond a0-a15 exist past the end of the struct. - */ *childregs = *regs; childregs->areg[1] = usp; childregs->areg[2] = 0; @@ -265,14 +261,8 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, childregs->wmask = 1; childregs->windowstart = 1; childregs->windowbase = 0; - } else { - int len = childregs->wmask & ~0xf; - memcpy(&childregs->areg[XCHAL_NUM_AREGS - len/4], - ®s->areg[XCHAL_NUM_AREGS - len/4], len); } - childregs->syscall = regs->syscall; - if (clone_flags & CLONE_SETTLS) childregs->threadptr = tls; } else {
struct pt_regs is used to access both kernel and user exception frames. User exception frames may contain up to XCHAL_NUM_AREG registers that task creation and signal delivery code may access, but pt_regs::areg array has only 16 entries that cover only the kernel exception frame. This results in the following build error: arch/xtensa/kernel/process.c: In function 'copy_thread': arch/xtensa/kernel/process.c:262:52: error: array subscript 53 is above array bounds of 'long unsigned int[16]' [-Werror=array-bounds] 262 | put_user(regs->areg[caller_ars+1], Change struct pt_regs::areg size to XCHAL_NUM_AREGS so that it covers the whole user exception frame. Adjust task_pt_regs and drop additional register copying code from copy_thread now that the whole user exception stack frame is copied. Reported-by: Kees Cook <keescook@chromium.org> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> --- arch/xtensa/include/asm/ptrace.h | 7 +++---- arch/xtensa/kernel/process.c | 10 ---------- 2 files changed, 3 insertions(+), 14 deletions(-)