[thirdparty/kernel/stable-queue.git] / releases / 3.16.3 / mips-prevent-user-from-setting-fcsr-cause-bits.patch

From b1442d39fac2fcfbe6a4814979020e993ca59c9e Mon Sep 17 00:00:00 2001
From: Paul Burton <paul.burton@imgtec.com>
Date: Tue, 22 Jul 2014 14:21:21 +0100
Subject: MIPS: Prevent user from setting FCSR cause bits

From: Paul Burton <paul.burton@imgtec.com>

commit b1442d39fac2fcfbe6a4814979020e993ca59c9e upstream.

If one or more matching FCSR cause & enable bits are set in saved thread
context then when that context is restored the kernel will take an FP
exception. This is of course undesirable and considered an oops, leading
to the kernel writing a backtrace to the console and potentially
rebooting depending upon the configuration. Thus the kernel avoids this
situation by clearing the cause bits of the FCSR register when handling
FP exceptions and after emulating FP instructions.

However the kernel does not prevent userland from setting arbitrary FCSR
cause & enable bits via ptrace, using either the PTRACE_POKEUSR or
PTRACE_SETFPREGS requests. This means userland can trivially cause the
kernel to oops on any system with an FPU. Prevent this from happening
by clearing the cause bits when writing to the saved FCSR context via
ptrace.

This problem appears to exist at least back to the beginning of the git
era in the PTRACE_POKEUSR case.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/7438/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/kernel/ptrace.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/mips/kernel/ptrace.c
+++ b/arch/mips/kernel/ptrace.c
@@ -151,6 +151,7 @@ int ptrace_setfpregs(struct task_struct
 	}
 
 	__get_user(child->thread.fpu.fcr31, data + 64);
+	child->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
 
 	/* FIR may not be written.  */
 
@@ -696,7 +697,7 @@ long arch_ptrace(struct task_struct *chi
 			break;
 #endif
 		case FPC_CSR:
-			child->thread.fpu.fcr31 = data;
+			child->thread.fpu.fcr31 = data & ~FPU_CSR_ALL_X;
 			break;
 		case DSP_BASE ... DSP_BASE + 5: {
 			dspreg_t *dregs;
Commit	Line	Data
c8fb49aa GKH	1	From b1442d39fac2fcfbe6a4814979020e993ca59c9e Mon Sep 17 00:00:00 2001
	2	From: Paul Burton <paul.burton@imgtec.com>
	3	Date: Tue, 22 Jul 2014 14:21:21 +0100
	4	Subject: MIPS: Prevent user from setting FCSR cause bits
	5
	6	From: Paul Burton <paul.burton@imgtec.com>
	7
	8	commit b1442d39fac2fcfbe6a4814979020e993ca59c9e upstream.
	9
	10	If one or more matching FCSR cause & enable bits are set in saved thread
	11	context then when that context is restored the kernel will take an FP
	12	exception. This is of course undesirable and considered an oops, leading
	13	to the kernel writing a backtrace to the console and potentially
	14	rebooting depending upon the configuration. Thus the kernel avoids this
	15	situation by clearing the cause bits of the FCSR register when handling
	16	FP exceptions and after emulating FP instructions.
	17
	18	However the kernel does not prevent userland from setting arbitrary FCSR
	19	cause & enable bits via ptrace, using either the PTRACE_POKEUSR or
	20	PTRACE_SETFPREGS requests. This means userland can trivially cause the
	21	kernel to oops on any system with an FPU. Prevent this from happening
	22	by clearing the cause bits when writing to the saved FCSR context via
	23	ptrace.
	24
	25	This problem appears to exist at least back to the beginning of the git
	26	era in the PTRACE_POKEUSR case.
	27
	28	Signed-off-by: Paul Burton <paul.burton@imgtec.com>
	29	Cc: linux-mips@linux-mips.org
	30	Cc: Paul Burton <paul.burton@imgtec.com>
	31	Cc: stable@vger.kernel.org
	32	Patchwork: https://patchwork.linux-mips.org/patch/7438/
	33	Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
	34	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	35
	36	---
	37	arch/mips/kernel/ptrace.c \| 3 ++-
	38	1 file changed, 2 insertions(+), 1 deletion(-)
	39
	40	--- a/arch/mips/kernel/ptrace.c
	41	+++ b/arch/mips/kernel/ptrace.c
	42	@@ -151,6 +151,7 @@ int ptrace_setfpregs(struct task_struct
	43	}
	44
	45	__get_user(child->thread.fpu.fcr31, data + 64);
	46	+ child->thread.fpu.fcr31 &= ~FPU_CSR_ALL_X;
	47
	48	/* FIR may not be written. */
	49
	50	@@ -696,7 +697,7 @@ long arch_ptrace(struct task_struct *chi
	51	break;
	52	#endif
	53	case FPC_CSR:
	54	- child->thread.fpu.fcr31 = data;
	55	+ child->thread.fpu.fcr31 = data & ~FPU_CSR_ALL_X;
	56	break;
	57	case DSP_BASE ... DSP_BASE + 5: {
	58	dspreg_t *dregs;