From 3a459756810912d2c2bf188cef566af255936b4d Mon Sep 17 00:00:00 2001 From: Kirill Korotaev Date: Thu, 7 Sep 2006 14:17:04 +0400 Subject: [PATCH] IA64,sparc: local DoS with corrupted ELFs This prevents cross-region mappings on IA64 and SPARC which could lead to system crash. They were correctly trapped for normal mmap() calls, but not for the kernel internal calls generated by executable loading. This code just moves the architecture-specific cross-region checks into an arch-specific "arch_mmap_check()" macro, and defines that for the architectures that needed it (ia64, sparc and sparc64). Architectures that don't have any special requirements can just ignore the new cross-region check, since the mmap() code will just notice on its own when the macro isn't defined. Signed-off-by: Pavel Emelianov Signed-off-by: Kirill Korotaev Acked-by: David Miller Signed-off-by: Greg Kroah-Hartman [ Cleaned up to not affect architectures that don't need it ] Signed-off-by: Linus Torvalds --- arch/ia64/kernel/sys_ia64.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) (limited to 'arch/ia64/kernel') diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c index 40722d88607a..9ef62a3fbfad 100644 --- a/arch/ia64/kernel/sys_ia64.c +++ b/arch/ia64/kernel/sys_ia64.c @@ -163,10 +163,25 @@ sys_pipe (void) return retval; } +int ia64_mmap_check(unsigned long addr, unsigned long len, + unsigned long flags) +{ + unsigned long roff; + + /* + * Don't permit mappings into unmapped space, the virtual page table + * of a region, or across a region boundary. Note: RGN_MAP_LIMIT is + * equal to 2^n-PAGE_SIZE (for some integer n <= 61) and len > 0. + */ + roff = REGION_OFFSET(addr); + if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) + return -EINVAL; + return 0; +} + static inline unsigned long do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, unsigned long pgoff) { - unsigned long roff; struct file *file = NULL; flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE); @@ -188,17 +203,6 @@ do_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, un goto out; } - /* - * Don't permit mappings into unmapped space, the virtual page table of a region, - * or across a region boundary. Note: RGN_MAP_LIMIT is equal to 2^n-PAGE_SIZE - * (for some integer n <= 61) and len > 0. - */ - roff = REGION_OFFSET(addr); - if ((len > RGN_MAP_LIMIT) || (roff > (RGN_MAP_LIMIT - len))) { - addr = -EINVAL; - goto out; - } - down_write(¤t->mm->mmap_sem); addr = do_mmap_pgoff(file, addr, len, prot, flags, pgoff); up_write(¤t->mm->mmap_sem); -- cgit From b8444d00762703e1b6146fce12ce2684885f8bf6 Mon Sep 17 00:00:00 2001 From: Stephane Eranian Date: Fri, 25 Aug 2006 14:00:19 -0700 Subject: [IA64] correct file descriptor reference counting in perfmon Fix a bug in sys_perfmonctl() whereby it was not correctly decrementing the file descriptor reference count. Signed-off-by: stephane eranian Signed-off-by: Tony Luck --- arch/ia64/kernel/perfmon.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'arch/ia64/kernel') diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c index c7ccd6ee1ddf..84a7e52f56f6 100644 --- a/arch/ia64/kernel/perfmon.c +++ b/arch/ia64/kernel/perfmon.c @@ -4936,13 +4936,15 @@ abort_locked: if (likely(ctx)) { DPRINT(("context unlocked\n")); UNPROTECT_CTX(ctx, flags); - fput(file); } /* copy argument back to user, if needed */ if (call_made && PFM_CMD_RW_ARG(cmd) && copy_to_user(arg, args_k, base_sz*count)) ret = -EFAULT; error_args: + if (file) + fput(file); + kfree(args_k); DPRINT(("cmd=%s ret=%ld\n", PFM_CMD_NAME(cmd), ret)); -- cgit From 2636255488484e04d6d54303d2b0ec30f7ef7e02 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Mon, 4 Sep 2006 21:56:09 +0200 Subject: [IA64] Unwire set/get_robust_list The syscalls set/get_robust_list must not be wired up until futex_atomic_cmpxchg_inatomic is implemented. Otherwise the kernel will hang in handle_futex_death. Signed-off-by: Andreas Schwab Signed-off-by: Tony Luck --- arch/ia64/kernel/entry.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'arch/ia64/kernel') diff --git a/arch/ia64/kernel/entry.S b/arch/ia64/kernel/entry.S index 12701cf32d99..fef06571be99 100644 --- a/arch/ia64/kernel/entry.S +++ b/arch/ia64/kernel/entry.S @@ -1605,8 +1605,8 @@ sys_call_table: data8 sys_ni_syscall // 1295 reserved for ppoll data8 sys_unshare data8 sys_splice - data8 sys_set_robust_list - data8 sys_get_robust_list + data8 sys_ni_syscall // reserved for set_robust_list + data8 sys_ni_syscall // reserved for get_robust_list data8 sys_sync_file_range // 1300 data8 sys_tee data8 sys_vmsplice -- cgit From 1c7d67073e2d196597f541351bc9b109c8a93528 Mon Sep 17 00:00:00 2001 From: Jack Steiner Date: Thu, 31 Aug 2006 11:34:47 -0500 Subject: [IA64] Save register stack contents on cpu start The SN PROM uses the register stack in the slave loop. The contents must be preserved for the OS to return to the slave loop via offlining a cpu or for kexec. A 'flushrs" is needed to force the stack to be written to memory prior to changing bspstore. Signed-off-by: Jack Steiner Signed-off-by: Tony Luck --- arch/ia64/kernel/head.S | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'arch/ia64/kernel') diff --git a/arch/ia64/kernel/head.S b/arch/ia64/kernel/head.S index 29236f0c62b5..44d540efa6d1 100644 --- a/arch/ia64/kernel/head.S +++ b/arch/ia64/kernel/head.S @@ -197,6 +197,11 @@ start_ap: ;; srlz.i ;; + { + flushrs // must be first insn in group + srlz.i + } + ;; /* * Save the region registers, predicate before they get clobbered */ -- cgit From dc104fb3231f11e95b5a0f09ae3ab27a8fd5b2e8 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 31 Aug 2006 19:05:56 -0400 Subject: [PATCH] audit: more syscall classes added Signed-off-by: Al Viro --- arch/ia64/kernel/audit.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'arch/ia64/kernel') diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index f2512931ccaf..99488cdbf5cd 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -8,6 +8,16 @@ static unsigned dir_class[] = { ~0U }; +static unsigned read_class[] = { +#include +~0U +}; + +static unsigned write_class[] = { +#include +~0U +}; + static unsigned chattr_class[] = { #include ~0U @@ -17,10 +27,16 @@ static int __init audit_classes_init(void) { #ifdef CONFIG_IA32_SUPPORT extern __u32 ia32_dir_class[]; + extern __u32 ia32_write_class[]; + extern __u32 ia32_read_class[]; extern __u32 ia32_chattr_class[]; + audit_register_class(AUDIT_CLASS_WRITE_32, ia32_write_class); + audit_register_class(AUDIT_CLASS_READ_32, ia32_read_class); audit_register_class(AUDIT_CLASS_DIR_WRITE_32, ia32_dir_class); audit_register_class(AUDIT_CLASS_CHATTR_32, ia32_chattr_class); #endif + audit_register_class(AUDIT_CLASS_WRITE, write_class); + audit_register_class(AUDIT_CLASS_READ, read_class); audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class); audit_register_class(AUDIT_CLASS_CHATTR, chattr_class); return 0; -- cgit From 55669bfa141b488be865341ed12e188967d11308 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 31 Aug 2006 19:26:40 -0400 Subject: [PATCH] audit: AUDIT_PERM support add support for AUDIT_PERM predicate Signed-off-by: Al Viro --- arch/ia64/kernel/audit.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'arch/ia64/kernel') diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 99488cdbf5cd..04682555a28c 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -23,6 +23,25 @@ static unsigned chattr_class[] = { ~0U }; +int audit_classify_syscall(int abi, unsigned syscall) +{ +#ifdef CONFIG_IA32_SUPPORT + extern int ia32_classify_syscall(unsigned); + if (abi == AUDIT_ARCH_I386) + return ia32_classify_syscall(syscall); +#endif + switch(syscall) { + case __NR_open: + return 2; + case __NR_openat: + return 3; + case __NR_execve: + return 5; + default: + return 0; + } +} + static int __init audit_classes_init(void) { #ifdef CONFIG_IA32_SUPPORT -- cgit