From patchwork Thu Mar 8 16:08:53 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 145564 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id CCDECB6F9F for ; Fri, 9 Mar 2012 03:09:07 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1S5fti-0002T2-Td; Thu, 08 Mar 2012 16:08:58 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1S5fth-0002SL-0i for kernel-team@lists.ubuntu.com; Thu, 08 Mar 2012 16:08:57 +0000 Received: from 79-78-213-47.dynamic.dsl.as9105.com ([79.78.213.47] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1S5ftg-00040L-MQ; Thu, 08 Mar 2012 16:08:56 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4, oneiric, precise CVE 1/2] regset: Prevent null pointer reference on readonly regsets Date: Thu, 8 Mar 2012 16:08:53 +0000 Message-Id: <1331222934-18007-2-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.9 In-Reply-To: <1331222934-18007-1-git-send-email-apw@canonical.com> References: <1331222934-18007-1-git-send-email-apw@canonical.com> Cc: Andy Whitcroft X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: "H. Peter Anvin" The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds (cherry picked from commit c8e252586f8d5de906385d8cf6385fee289a825e) CVE-2012-1097 BugLink: http://bugs.launchpad.net/bugs/949905 Signed-off-by: Andy Whitcroft --- fs/binfmt_elf.c | 2 +- include/linux/regset.h | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 5ba4a56..a13983b 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1460,7 +1460,7 @@ static int fill_thread_core_info(struct elf_thread_core_info *t, for (i = 1; i < view->n; ++i) { const struct user_regset *regset = &view->regsets[i]; do_thread_regset_writeback(t->task, regset); - if (regset->core_note_type && + if (regset->core_note_type && regset->get && (!regset->active || regset->active(t->task, regset))) { int ret; size_t size = regset->n * regset->size; diff --git a/include/linux/regset.h b/include/linux/regset.h index 8abee65..5150fd1 100644 --- a/include/linux/regset.h +++ b/include/linux/regset.h @@ -335,6 +335,9 @@ static inline int copy_regset_to_user(struct task_struct *target, { const struct user_regset *regset = &view->regsets[setno]; + if (!regset->get) + return -EOPNOTSUPP; + if (!access_ok(VERIFY_WRITE, data, size)) return -EIO; @@ -358,6 +361,9 @@ static inline int copy_regset_from_user(struct task_struct *target, { const struct user_regset *regset = &view->regsets[setno]; + if (!regset->set) + return -EOPNOTSUPP; + if (!access_ok(VERIFY_READ, data, size)) return -EIO;