Hi Andi,
We have noticed a small hole in the x86_64 version of sys_ptrace() for
the PTRACE_PEEKUSR and PTRACE_POKEUSR commands, where if you specify the
offset/addr location just beyond the end of the user_regs_struct, the
code incorrectly lets you peek or (more importantly) poke that location.
Also included is a small example test to show the problem.
Thank you for your time and consideration.
diff -ru linux-2.6.11.8/arch/x86_64/kernel/ptrace.c
new/arch/x86_64/kernel/ptrace.c
--- linux-2.6.11.8/arch/x86_64/kernel/ptrace.c 2005-05-16
11:56:52.121795891 -0400
+++ new/arch/x86_64/kernel/ptrace.c 2005-05-16 10:59:56.970748305 -0400
@@ -247,7 +247,8 @@
break;
switch (addr) {
- case 0 ... sizeof(struct user_regs_struct):
+ case 0 ... (sizeof(struct user_regs_struct)
+ - sizeof(unsigned long)):
tmp = getreg(child, addr);
break;
case offsetof(struct user, u_debugreg[0]):
@@ -292,7 +293,8 @@
break;
switch (addr) {
- case 0 ... sizeof(struct user_regs_struct):
+ case 0 ... (sizeof(struct user_regs_struct)
+ - sizeof(unsigned long)):
ret = putreg(child, addr, data);
break;
/* Disallows to set a breakpoint into the vsyscall */
----------------------------------------------------------------------
example test: gcc -o test test.c
----------------------------------------------------------------------
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <linux/ptrace.h>
#include <errno.h>
static void
do_pokeusr_test(pid_t child)
{
int was_error = 0;
long pstatus;
printf("calling PTRACE_POKEUSR with offset 0x%lx (%ld) data 0\n",
sizeof(struct user_regs_struct),
sizeof(struct user_regs_struct));
pstatus = ptrace(PTRACE_POKEUSR,
child, (void *)(sizeof(struct user_regs_struct)), (void *)0);
if (pstatus)
printf("ptrace pokeusr returned %d\n", errno);
}
static void child_process(void)
{
printf("child pid %d parent pid %d\n", getpid(), getppid());
while ( sleep(5)) ;
exit(0);
}
int
main(int argc, char *argv[])
{
int status, child_status;
long pstatus;
pid_t child;
child = fork();
if (child == -1) {
printf("ERROR: fork returned errno %d\n", errno);
exit(1);
}
if (!child)
child_process();
sleep(1);
printf("Attaching to child ...\n");
pstatus = ptrace(PTRACE_ATTACH, child, (void *)0, (void *)0);
if (pstatus == ~0l) {
printf("ERROR: attach failed. errno %d\n", errno);
exit(1);
}
status = waitpid(-1, &child_status, WUNTRACED);
if (status == -1) {
printf("ERROR: waitpid() returned errno %d\n", errno);
printf("---- Test Failed. ----\n");
exit(1);
}
printf("waitpid(): child pid %d child_status %d\n",
status, child_status);
do_pokeusr_test(child);
printf("Continuing child process.\n");
pstatus = ptrace(PTRACE_CONT, (pid_t)child, (void *)0, (void *)0);
if (pstatus) {
printf("ERROR: ptrace continue returned %d\n", errno);
exit(1);
}
status = waitpid(-1, &child_status, WUNTRACED);
if (status == -1) {
printf("ERROR: waitpid() returned errno %d\n", errno);
printf("---- Test Failed. ----\n");
exit(1);
}
printf("waitpid(): child pid %d child_status %d\n",
status, child_status);
return 0;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]