[PATCH] x86_64: Fix access check in ptrace compat
authorAndi Kleen <ak@suse.de>
Mon, 10 Jul 2006 15:06:24 +0000 (17:06 +0200)
committerLinus Torvalds <torvalds@g5.osdl.org>
Mon, 10 Jul 2006 22:12:33 +0000 (15:12 -0700)
We can't safely directly access a compat_alloc_user_space() pointer
with the siginfo copy functions. Bounce it through the stack.

Noticed by Al Viro using sparse

[ This was only added post 2.6.17, not in any released kernel ]

Cc: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
arch/x86_64/ia32/ptrace32.c

index a590b7a0d92d46f009b1eab519fa5effe7185279..659c0722f6b825c75ca7d86743a872630cd9c45f 100644 (file)
@@ -202,17 +202,24 @@ static long ptrace32_siginfo(unsigned request, u32 pid, u32 addr, u32 data)
 {
        int ret;
        compat_siginfo_t *si32 = (compat_siginfo_t *)compat_ptr(data);
+       siginfo_t ssi; 
        siginfo_t *si = compat_alloc_user_space(sizeof(siginfo_t));
        if (request == PTRACE_SETSIGINFO) {
-               ret = copy_siginfo_from_user32(si, si32);
+               memset(&ssi, 0, sizeof(siginfo_t));
+               ret = copy_siginfo_from_user32(&ssi, si32);
                if (ret)
                        return ret;
+               if (copy_to_user(si, &ssi, sizeof(siginfo_t)))
+                       return -EFAULT;
        }
        ret = sys_ptrace(request, pid, addr, (unsigned long)si);
        if (ret)
                return ret;
-       if (request == PTRACE_GETSIGINFO)
-               ret = copy_siginfo_to_user32(si32, si);
+       if (request == PTRACE_GETSIGINFO) {
+               if (copy_from_user(&ssi, si, sizeof(siginfo_t)))
+                       return -EFAULT;
+               ret = copy_siginfo_to_user32(si32, &ssi);
+       }
        return ret;
 }
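Review bot: The declarations on the context lines above the change still leave the user-space pointers without an address-space annotation, so `si` (returned by compat_alloc_user_space() and only ever passed to copy_to_user()/copy_from_user() on the added lines) and `si32` (from compat_ptr()) are typed as plain kernel pointers; since the original defect was found with sparse, the bounce alone will not keep that checker quiet here. The two declarations should read `compat_siginfo_t __user *si32 = compat_ptr(data);` and `siginfo_t __user *si = compat_alloc_user_space(sizeof(siginfo_t));`, which also drops the cast that hides the mismatch — I would hedge that the exact prototypes of compat_ptr() and the siginfo copy helpers are not visible in this hunk. Minor style point on the added `siginfo_t ssi;` line: it carries trailing whitespace, and the memset/copy sizes could be written as `sizeof(ssi)` so they cannot drift from the variable's type.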