From patchwork Fri Sep 9 14:15:46 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave Martin X-Patchwork-Id: 15447 Received: (qmail 114596 invoked by alias); 9 Sep 2016 14:19:20 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 114104 invoked by uid 89); 9 Sep 2016 14:19:19 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.2 required=5.0 tests=BAYES_00, RP_MATCHES_RCVD, SPF_PASS autolearn=ham version=3.3.2 spammy=harm, Hx-spam-relays-external:ESMTPA X-HELO: foss.arm.com From: Dave Martin To: linux-arm-kernel@lists.infradead.org, libc-alpha@sourceware.org Cc: Ard Biesheuvel Subject: [RFC PATCH 5/5] arm64: signal: Parse extra_context during sigreturn Date: Fri, 9 Sep 2016 15:15:46 +0100 Message-Id: <1473430576-20792-6-git-send-email-Dave.Martin@arm.com> In-Reply-To: <1473430576-20792-1-git-send-email-Dave.Martin@arm.com> References: <1473430576-20792-1-git-send-email-Dave.Martin@arm.com> If extra_context is present, parse it. To avoid abuse by userspace, this patch attempts to ensure that: * that no more than one extra_context is accepted; * that the extra_context is a sensible size; * that the extra context data is properly aligned. This patch relies on the user accessors in order to ensure that the user-supplied extra context data pointer is an honest userspace address. Other than that, the kernel doesn't care specially whether the pointer supplied is sensible (e.g., not garbage, doesn't overlap sigcontext.__reserved[], etc.) since this cannot harm the kernel. More checks may be added later in order to aid debugging of botched sigreturns from userspace. Signed-off-by: Dave Martin --- arch/arm64/kernel/signal.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index d7cdb51..c5f18ef 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -221,6 +221,7 @@ static int parse_user_sigframe(struct user_ctxs *user, char __user *base = (char __user *)&sc->__reserved; size_t offset = 0; size_t limit = sizeof(sc->__reserved); + bool have_extra_context = false; user->fpsimd = NULL; @@ -230,6 +231,9 @@ static int parse_user_sigframe(struct user_ctxs *user, while (1) { int err = 0; u32 magic, size; + struct extra_context const __user *extra; + void __user *extra_data; + u32 extra_size; if (limit - offset < sizeof(*head)) goto invalid; @@ -267,6 +271,42 @@ static int parse_user_sigframe(struct user_ctxs *user, /* ignore */ break; + case EXTRA_MAGIC: + if (have_extra_context) + goto invalid; + + if (size < sizeof(*extra)) + goto invalid; + + extra = (struct extra_context const __user *)head; + __get_user_error(extra_data, &extra->data, err); + __get_user_error(extra_size, &extra->size, err); + if (err) + return err; + + /* Prevent looping/repeated parsing of extra_conext */ + have_extra_context = true; + + /* + * Rely on the __user accessors to reject bogus + * pointers. + */ + base = extra_data; + if (!IS_ALIGNED((unsigned long)base, 16)) + goto invalid; + + /* Reject "unreasonably large" frames: */ + limit = extra_size; + if (limit > SIGFRAME_MAXSZ - sizeof(sc->__reserved)) + goto invalid; + + /* + * Ignore trailing terminator in __reserved[] + * and start parsing extra_data: + */ + offset = 0; + continue; + default: goto invalid; }