kernel_optimize_test/arch/sparc/kernel
Mathieu Desnoyers 3ddc5b46a8 kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user()
I found the following pattern that leads in to interesting findings:

  grep -r "ret.*|=.*__put_user" *
  grep -r "ret.*|=.*__get_user" *
  grep -r "ret.*|=.*__copy" *

The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat,
since those appear in compat code, we could probably expect the kernel
addresses not to be reachable in the lower 32-bit range, so I think they
might not be exploitable.

For the "__get_user" cases, I don't think those are exploitable: the worse
that can happen is that the kernel will copy kernel memory into in-kernel
buffers, and will fail immediately afterward.

The alpha csum_partial_copy_from_user() seems to be missing the
access_ok() check entirely.  The fix is inspired from x86.  This could
lead to information leak on alpha.  I also noticed that many architectures
map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I
wonder if the latter is performing the access checks on every
architectures.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-09-11 15:58:18 -07:00
..
.gitignore
apc.c sparc idle: rename pm_idle to sparc_idle 2013-02-17 23:36:56 -05:00
asm-offsets.c [PATCH] sparc32: vm_area_struct access for old Sun SPARCs. 2013-07-10 13:56:10 -07:00
audit.c
auxio_32.c
auxio_64.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
btext.c
central.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
cherrs.S
chmc.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
compat_audit.c
cpu.c sparc64: correctly recognize SPARC64-X chips 2013-03-11 05:06:27 -07:00
cpumap.c support sparc64x chip type in cpumap.c 2013-07-31 19:10:03 -07:00
cpumap.h
devices.c
dma.c
ds.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
dtlb_miss.S
dtlb_prot.S
ebus.c
entry.h sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
entry.S sparc32: Fix exit flag passed from traced sys_sigreturn 2013-07-31 19:10:04 -07:00
etrap_32.S
etrap_64.S sparc64: clear syscall_noerror on the entry to syscall, not on the exit 2012-10-14 19:26:52 -04:00
fpu_traps.S
ftrace.c
getsetcc.S
head_32.S
head_64.S sparc64: correctly recognize SPARC64-X chips 2013-03-11 05:06:27 -07:00
helpers.S
hvapi.c sparc: fix format string argument for prom_printf() 2012-10-02 23:20:34 -04:00
hvcalls.S sparc64: Add hypervisor interfaces for SPARC-T4 perf counter access. 2012-08-18 23:03:53 -07:00
hvtramp.S sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
idprom.c
iommu_common.h
iommu.c
ioport.c procfs: new helper - PDE_DATA(inode) 2013-04-09 14:13:32 -04:00
irq_32.c
irq_64.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
irq.h
itlb_miss.S
ivec.S
jump_label.c
kernel.h sparc32: refactor smp boot 2013-02-20 13:36:50 -08:00
kgdb_32.c sparc: explicitly include sched.h to get task_thread_info declaration 2013-02-06 11:04:10 -08:00
kgdb_64.c sparc64: cleanup: Rename ret_from_syscall to ret_from_fork 2013-07-31 19:10:04 -07:00
kprobes.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
kstack.h
ktlb.S sparc64: Fix ITLB handler of null page 2013-08-02 17:29:06 -07:00
ldc.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
led.c
leon_kernel.c sparc32, leon: Remove separate "ticker" timer for SMP 2013-06-19 02:10:29 -07:00
leon_pci_grpci1.c sparc,leon: Convert to use devm_ioremap_resource 2013-06-19 02:10:30 -07:00
leon_pci_grpci2.c sparc32,leon: add support for PCI busn resource for GRPCI2 2013-03-20 11:06:53 -07:00
leon_pci.c sparc32,leon: add support for PCI busn resource for GRPCI2 2013-03-20 11:06:53 -07:00
leon_pmc.c sparc32, leon: Enable interrupts before going idle to avoid getting stuck 2013-06-19 02:10:29 -07:00
leon_smp.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc 2013-05-04 18:34:13 -07:00
mdesc.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
misctrap.S
module.c modules: don't hand 0 to vmalloc. 2012-12-14 13:06:43 +10:30
nmi.c sparc64: Abstract away the %pcr values used to enable/disable NMI 2012-08-18 23:26:19 -07:00
of_device_32.c
of_device_64.c
of_device_common.c
of_device_common.h
pci_common.c
pci_fire.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
pci_impl.h drivers/of: Constify device_node->name and ->path_component_name 2012-11-17 12:05:57 +00:00
pci_msi.c
pci_psycho.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
pci_sabre.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
pci_schizo.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
pci_sun4v_asm.S
pci_sun4v.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
pci_sun4v.h
pci.c PCI changes for the v3.11 merge window: 2013-07-03 16:31:35 -07:00
pcic.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
pcr.c sparc64: Add PCR ops for SPARC-T4. 2012-08-18 23:26:19 -07:00
perf_event.c sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads. 2012-10-26 15:18:37 -07:00
pmc.c sparc idle: rename pm_idle to sparc_idle 2013-02-17 23:36:56 -05:00
power.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
process_32.c dump_stack: unify debug information printed by show_regs() 2013-04-30 17:04:02 -07:00
process_64.c sparc/sysrq: fix inconstistent help message of sysrq key 2013-04-30 17:04:10 -07:00
prom_32.c
prom_64.c sparc: fix format string argument for prom_printf() 2012-10-02 23:20:34 -04:00
prom_common.c of: Fix locking vs. interrupts 2013-06-13 22:12:14 +01:00
prom_irqtrans.c
prom.h
psycho_common.c
psycho_common.h
ptrace_32.c
ptrace_64.c sparc64: Export flush_ptrace_access() (needed by lustre) 2013-09-05 12:12:51 -07:00
reboot.c
rtrap_32.S
rtrap_64.S
sbus.c sparc: kernel/sbus.c: fix memory leakage 2013-01-21 14:33:00 -08:00
setup_32.c sparc: kernel: using strlcpy() instead of strcpy() 2013-06-19 02:10:29 -07:00
setup_64.c cpu hw caps support for sparc64x 2013-07-31 19:10:03 -07:00
signal_32.c sparc: convert to ksignal 2013-02-14 09:21:16 -05:00
signal_64.c sparc: convert to ksignal 2013-02-14 09:21:16 -05:00
signal32.c [regression] braino in "sparc: convert to ksignal" 2013-03-02 02:55:16 -05:00
sigutil_32.c
sigutil_64.c
sigutil.h
smp_32.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
smp_64.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
sparc_ksyms_32.c
sparc_ksyms_64.c
spiterrs.S
sstate.c
stacktrace.c
starfire.c
sun4d_irq.c Include missing linux/slab.h inclusions 2013-04-29 15:42:01 -04:00
sun4d_smp.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
sun4m_irq.c
sun4m_smp.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
sun4v_ivec.S
sun4v_tlb_miss.S sparc64: Support transparent huge pages. 2012-10-09 16:23:06 +09:00
sys_sparc_32.c sparc: switch to use of generic old sigaction 2013-02-03 22:43:35 -05:00
sys_sparc_64.c mm: remove free_area_cache 2013-07-10 18:11:34 -07:00
sys_sparc32.c kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2013-09-11 15:58:18 -07:00
sys32.S unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE 2013-05-09 13:46:38 -04:00
syscalls.S sparc64: Fix not SRA'ed %o5 in 32-bit traced syscall 2013-07-31 19:10:04 -07:00
sysfs.c sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
systbls_32.S sparc: switch to use of generic old sigaction 2013-02-03 22:43:35 -05:00
systbls_64.S unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE 2013-05-09 13:46:38 -04:00
systbls.h sparc: switch to generic old sigsuspend 2013-02-03 22:44:37 -05:00
tadpole.c
time_32.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
time_64.c sparc: remove __devinit, __devexit annotations 2013-01-12 15:28:45 -08:00
trampoline_32.S sparc: delete __cpuinit/__CPUINIT usage from all users 2013-07-14 19:36:52 -04:00
trampoline_64.S sparc64: Fix off by one in trampoline TLB mapping installation loop. 2013-08-22 16:38:46 -07:00
traps_32.c taint: add explicit flag to show whether lock dep is still OK. 2013-01-21 17:17:57 +10:30
traps_64.c dump_stack: consolidate dump_stack() implementations and unify their behaviors 2013-04-30 17:04:02 -07:00
tsb.S sparc64: Fix tsb_grow() in atomic context. 2013-02-20 09:46:08 -08:00
ttable_32.S
ttable_64.S
una_asm_32.S
una_asm_64.S
unaligned_32.c
unaligned_64.c sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads. 2012-10-26 15:18:37 -07:00
utrap.S
vio.c sparc/kernel/vio.c: add put_device() after device_find_child() 2013-05-04 17:38:18 -07:00
viohs.c
visemul.c sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads. 2012-10-26 15:18:37 -07:00
vmlinux.lds.S sparc64: Improvde documentation and readability of atomic backoff code. 2012-10-28 13:04:47 -07:00
windows.c
winfixup.S sparc64: Make montmul/montsqr/mpmul usable in 32-bit threads. 2012-10-26 15:18:37 -07:00
wof.S
wuf.S