From 0f981a71fa1bd582415f9f83523d88e2593c6f7c Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk
Date: Tue, 9 Jan 2018 12:40:25 -0500
Subject: [PATCH] x86/ia32: Adds code hygiene for 32bit SYSCALL instruction entry.

This is a followup on the 111ba91464f2e29fc6417b50a1c1425e2080bc59 (*INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance) where we didn't completely finish adding the clearing of these registers. This fixes it on the 32-bit system call entrances.

The movq R8(%rsp),%r8 is there to update the r8 as the CLEAR_R8_TO_R15 clears that register so we have to fetch it from the pt_regs->r8.

We also remove the SAVE_EXTRA_REGS from the ptrace code as we clear them (r8->r15) so the extra SAVE_EXTRA_REGS ends up putting NULLs in the pt->regs->[r8->r15].

Orabug: 27344012
CVE:CVE-2017-5715
Reviewed-by: Kris Van Hees
Signed-off-by: Konrad Rzeszutek Wilk
Signed-off-by: Brian Maly
Signed-off-by: Kirtikar Kashyap
---
 arch/x86/ia32/ia32entry.S | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index 7b268913340f..5aead52c7d4e 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -399,11 +399,14 @@ ENTRY(ia32_cstar_target)
 sub $(10*8),%rsp /* pt_regs->r8-11,bp,bx,r12-15 not saved */
 CFI_ADJUST_CFA_OFFSET 10*8
+ SAVE_EXTRA_REGS
+ CLEAR_R8_TO_R15
 /*
 * no need to do an access_ok check here because r8 has been
 * 32bit zero extended
 */
 ASM_STAC
+ movq R8(%rsp),%r8
 1: movl (%r8),%r9d
 _ASM_EXTABLE(1b,ia32_badarg)
 ASM_CLAC
@@ -476,7 +479,6 @@ cstar_tracesys:
 jz cstar_auditsys
 #endif
 xchgl %r9d,%ebp
- SAVE_EXTRA_REGS
 CLEAR_RREGS r9
 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
@@ -576,7 +578,6 @@ ia32_ret_from_sys_call:
 jmp int_ret_from_sys_call
 ia32_tracesys:
- SAVE_EXTRA_REGS
 CLEAR_RREGS
 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
 movq %rsp,%rdi /* &pt_regs -> arg1 */
-- 
2.50.1
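Review bot: The comment on the first context line of the ia32_cstar_target hunk, `sub $(10*8),%rsp /* pt_regs->r8-11,bp,bx,r12-15 not saved */`, is now false, because the added SAVE_EXTRA_REGS fills exactly those slots on the next line; change it to `sub $(10*8),%rsp /* pt_regs->r8-11,bp,bx,r12-15, filled by SAVE_EXTRA_REGS below */`. The added `movq R8(%rsp),%r8` also needs a why-comment, since a reader sees r8 reloaded from the frame right after CLEAR_R8_TO_R15 wiped it with no explanation, e.g. `movq R8(%rsp),%r8 /* restore user value cleared above; needed for the arg6 fetch at 1: */`. The pre-existing "no need to do an access_ok check" comment still holds only because the reloaded value is the same 32-bit zero-extended register saved moments earlier by SAVE_EXTRA_REGS, and that dependency on ordering (save, clear, reload) is worth stating in that comment block. The SAVE_EXTRA_REGS removals in the cstar_tracesys and ia32_tracesys hunks are safe only if every entry that reaches those labels (the sysenter and int80 paths for ia32_tracesys) already saves the extra registers before clearing them, which this patch does not show and which should be confirmed, since otherwise pt_regs->r8-r15 handed to ptrace would hold uninitialized kernel stack. ENTRY(ia32_cstar_target) begins before this hunk and continues after it.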