From: Andi Kleen Date: Mon, 10 Jul 2006 15:06:24 +0000 (+0200) Subject: [PATCH] x86_64: Fix access check in ptrace compat X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=2c87e2cd0b57f63c226cd51f55ccc36867541a24;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [PATCH] x86_64: Fix access check in ptrace compat We can't safely directly access an compat_alloc_user_space() pointer with the siginfo copy functions. Bounce it through the stack. Noticed by Al Viro using sparse [ This was only added post 2.6.17, not in any released kernel ] Cc: Al Viro Signed-off-by: Andi Kleen Signed-off-by: Linus Torvalds --- diff --git a/arch/x86_64/ia32/ptrace32.c b/arch/x86_64/ia32/ptrace32.c index a590b7a0d92..659c0722f6b 100644 --- a/arch/x86_64/ia32/ptrace32.c +++ b/arch/x86_64/ia32/ptrace32.c @@ -202,17 +202,24 @@ static long ptrace32_siginfo(unsigned request, u32 pid, u32 addr, u32 data) { int ret; compat_siginfo_t *si32 = (compat_siginfo_t *)compat_ptr(data); + siginfo_t ssi; siginfo_t *si = compat_alloc_user_space(sizeof(siginfo_t)); if (request == PTRACE_SETSIGINFO) { - ret = copy_siginfo_from_user32(si, si32); + memset(&ssi, 0, sizeof(siginfo_t)); + ret = copy_siginfo_from_user32(&ssi, si32); if (ret) return ret; + if (copy_to_user(si, &ssi, sizeof(siginfo_t))) + return -EFAULT; } ret = sys_ptrace(request, pid, addr, (unsigned long)si); if (ret) return ret; - if (request == PTRACE_GETSIGINFO) - ret = copy_siginfo_to_user32(si32, si); + if (request == PTRACE_GETSIGINFO) { + if (copy_from_user(&ssi, si, sizeof(siginfo_t))) + return -EFAULT; + ret = copy_siginfo_to_user32(si32, &ssi); + } return ret; }