From: Chris Wright
Date: Wed, 1 Jun 2005 15:46:07 +0000 (-0700)
Subject: add x86_64: Fix ptrace boundary check from Andi
X-Git-Tag: v2.6.11.12~11
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0d6706bd0fc8966a09787c6a7c87694efdbddd1;p=thirdparty%2Fkernel%2Fstable-queue.git
add x86_64: Fix ptrace boundary check from Andi
---
diff --git a/queue/series b/queue/series
index c38cc254b4e..b8562d7f570 100644
--- a/queue/series
+++ b/queue/series
@@ -2,3 +2,4 @@ fix-pte_unmap.patch
 netfilter-ip_queue-deadlock-fix.patch
 hfsplus-oops-hfs-leak-fix.patch
 x86_64-avoid-SMP-bootup-race.patch
+x86_64-fix-ptrace-boundary-check.patch
diff --git a/queue/x86_64-fix-ptrace-boundary-check.patch b/queue/x86_64-fix-ptrace-boundary-check.patch
new file mode 100644
index 00000000000..9578c6bf7d8
--- /dev/null
+++ b/queue/x86_64-fix-ptrace-boundary-check.patch
@@ -0,0 +1,40 @@
+From stable-bounces@linux.kernel.org Wed Jun 1 03:47:52 2005
+Date: Wed, 1 Jun 2005 12:47:30 +0200
+From: Andi Kleen
+To: stable@kernel.org
+Subject: [PATCH] x86_64: Fix ptrace boundary check
+
+Don't allow accesses below register frame in ptrace
+
+There was a "off by one quad word" error in there.
+
+Found and fixed by John Blackwood
+
+Signed-off-by: Andi Kleen
+Signed-off-by: Chris Wright
+
+ arch/x86_64/kernel/ptrace.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: release-2.6.11/arch/x86_64/kernel/ptrace.c
+===================================================================
+--- release-2.6.11.orig/arch/x86_64/kernel/ptrace.c
++++ release-2.6.11/arch/x86_64/kernel/ptrace.c
+@@ -252,7 +252,7 @@ asmlinkage long sys_ptrace(long request,
+ break;
+
+ switch (addr) {
+- case 0 ... sizeof(struct user_regs_struct):
++ case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
+ tmp = getreg(child, addr);
+ break;
+ case offsetof(struct user, u_debugreg[0]):
+@@ -297,7 +297,7 @@ asmlinkage long sys_ptrace(long request,
+ break;
+
+ switch (addr) {
+- case 0 ... sizeof(struct user_regs_struct):
++ case 0 ... sizeof(struct user_regs_struct) - sizeof(long):
+ ret = putreg(child, addr, data);
+ break;
+ /* Disallows to set a breakpoint into the vsyscall */
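Review bot: The corrected upper bound `sizeof(struct user_regs_struct) - sizeof(long)` is written out twice, in the `getreg` case of the first switch and the `putreg` case of the second, with no comment explaining the subtraction. GCC case ranges include both ends, so the top of the range has to be the offset of the last long-sized slot rather than the size of the struct (assuming the struct is made up of long-sized registers). I would add a comment above each case, e.g. `/* case range is inclusive: upper bound is the offset of the last register slot */`, or define the bound once and use it in both switches so the read and write paths cannot diverge. The range only limits the top end of addr; whether addr is also word-aligned before it reaches getreg/putreg depends on the check that ends in the `break;` above each switch, which starts outside these hunks and should be confirmed when reviewing the full function.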