On Wed, 2016-03-23 at 16:47 +1100, Cyril Bur wrote: > Currently start_thread() doesn't sanitise TAR. > > The TAR SPR register is a register that can be set and branched to, not > sanitising it presents an information leak to the new executable. > > Other SPR registers such as the Performance registers used by perf (and are > managed entirely by perf) as well as the Event Based Branch (EBB) registers > are > left alone by design as these fall into the same category as leaving file > descriptors open across exec(), it is up the parent thread to sanitise what it > deems necessary. > > Signed-off-by: Cyril Bur <cyril...@gmail.com> > --- > arch/powerpc/kernel/process.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c > index d7a9df5..56444a6 100644 > --- a/arch/powerpc/kernel/process.c > +++ b/arch/powerpc/kernel/process.c > @@ -1577,6 +1577,8 @@ void start_thread(struct pt_regs *regs, unsigned long > start, unsigned long sp) > current->thread.vr_state.vscr.u[3] = 0x00010000; /* Java mode disabled > */ > current->thread.vr_save_area = NULL; > current->thread.vrsave = 0; > + if (cpu_has_feature(CPU_FTR_ALTIVEC)) > + mtspr(SPRN_VRSAVE, 0);
VRSAVE is not mentioned in the commit message. > current->thread.used_vr = 0; > #endif /* CONFIG_ALTIVEC */ > #ifdef CONFIG_SPE > @@ -1592,6 +1594,18 @@ void start_thread(struct pt_regs *regs, unsigned long > start, unsigned long sp) > current->thread.tm_texasr = 0; > current->thread.tm_tfiar = 0; > #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */ > +#ifdef CONFIG_PPC_BOOK3S_64 > + /* > + * Zero out the SPRs. > + * Don't touch the ones use by perf, it controls them. > + * Don't touch the EBB regs. This falls into the same category of > + * responsibly as open file descriptors across exec(), the parent > should > + * sanitise if it feels it would be a problem > + */ > + current->thread.tar = 0; > + if (cpu_has_feature(CPU_FTR_ARCH_206)) > + mtspr(SPRN_TAR, 0); > +#endif /* CONFIG_PPC_BOOK3S_64 */ > } > EXPORT_SYMBOL(start_thread); > _______________________________________________ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
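Review bot: the `mtspr(SPRN_VRSAVE, 0)` added at the end of the first hunk (the `@@ -1577` hunk, under `CONFIG_ALTIVEC`) is not described by the commit message, which only talks about TAR; either extend the message to say why the live VRSAVE SPR is now cleared next to the existing `current->thread.vrsave = 0;` (presumably the same argument, a value a new executable could otherwise read), or move that line into its own patch so the TAR change stays a single-purpose fix.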
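Review bot: the feature check guarding `mtspr(SPRN_TAR, 0)` in the second hunk (the `@@ -1592` hunk, under `CONFIG_PPC_BOOK3S_64`) looks wrong: TAR was introduced in ISA 2.07 (POWER8), so `cpu_has_feature(CPU_FTR_ARCH_206)` would also be true on ISA 2.06 CPUs that have no TAR, and the write would hit an unimplemented SPR; worth checking against the `CPU_FTR_ARCH_207S` guard used for the TAR save/restore in this file and changing the line to `if (cpu_has_feature(CPU_FTR_ARCH_207S))`. Minor: the comment has typos ("the ones use by perf" should read "the ones used by perf", "same category of responsibly" should read "same category of responsibility") and is missing a full stop at the end.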