]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commitdiff
x86-64: Fix register leak in 32-bit syscall audting
authorJan Beulich <JBeulich@novell.com>
Mon, 26 Oct 2009 15:20:29 +0000 (15:20 +0000)
committerIngo Molnar <mingo@elte.hu>
Mon, 26 Oct 2009 15:23:26 +0000 (16:23 +0100)
Restoring %ebp after the call to audit_syscall_exit() is not
only unnecessary (because the register didn't get clobbered),
but in the sysenter case wasn't even doing the right thing: It
loaded %ebp from a location below the top of stack (RBP <
ARGOFFSET), i.e. arbitrary kernel data got passed back to user
mode in the register.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Roland McGrath <roland@redhat.com>
Cc: <stable@kernel.org>
LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
arch/x86/ia32/ia32entry.S

index 1733f9f65e8259d74fc74fc40b466bd69dc6fa87..581b0568fe1941e9cf18c730138b9dbf0ff8c815 100644 (file)
@@ -204,7 +204,7 @@ sysexit_from_sys_call:
        movl RDI-ARGOFFSET(%rsp),%r8d   /* reload 5th syscall arg */
        .endm
 
-       .macro auditsys_exit exit,ebpsave=RBP
+       .macro auditsys_exit exit
        testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10)
        jnz ia32_ret_from_sys_call
        TRACE_IRQS_ON
@@ -217,7 +217,6 @@ sysexit_from_sys_call:
        call audit_syscall_exit
        GET_THREAD_INFO(%r10)
        movl RAX-ARGOFFSET(%rsp),%eax   /* reload syscall return value */
-       movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */
        movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
        cli
        TRACE_IRQS_OFF
@@ -351,7 +350,7 @@ cstar_auditsys:
        jmp cstar_dispatch
 
 sysretl_audit:
-       auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */
+       auditsys_exit sysretl_from_sys_call
 #endif
 
 cstar_tracesys: