Hi Everyone,
I'm seeing some weird memory corruption that I have been able to isolate
to arch_ptrace() [arch/powerpc/kernel/ptrace.c] and PTRACE_POKEUSR. I am
on PowerPC 32 (MPC8378), kernel 4.9.179.
It's not very easy for me to test on the latest kernel, but I guess
little has changed since 4.9 in either the architecture specific ptrace
code or PowerPC register data structures.
What happens is that gdb calls ptrace(PTRACE_POKEUSER) with addr=0x158.
This goes down to arch_ptrace() [arch/powerpc/kernel/ptrace.c], inside
`case PTRACE_POKEUSR`, on the branch that does this:
memcpy(&child->thread.TS_FPR(fpidx), &data,
sizeof(long));
where:
index = addr >> 2 = 0x56 = 86
fpidx = index - PT_FPR0 = 86 - 48 = 38
&child->thread.TS_FPR(fpidx) = (void *)child + 1296
offsetof(struct task_struct, thread) = 960
sizeof(struct thread_struct) = 336
sizeof(struct task_struct) = 1296
In other words, the memcpy() call writes just beyond thread_struct
(which is also beyond task_struct, for that matter).
This should never get past the bounds checks for `index`, so perhaps
there is a mismatch between ptrace macros and the actual register data
structures layout.
I will continue to investigate, but I'm not familiar with the PowerPC
registers so it will take a while before I make sense of all the data
structures and macros. Hopefully this rings a bell to someone who is
already familiar with those and could figure out quickly what the
problem is.
Best regards,
Radu Rendec
