# ifndef _PTRACE32_H
# define _PTRACE32_H
# include <asm/ptrace.h> /* needed for NUM_CR_WORDS */
# include "compat_linux.h" /* needed for psw_compat_t */
/*
 * 31-bit (compat) view of the PER state that a tracer sees through
 * ptrace (it is embedded in struct compat_user_regs_struct below).
 *
 * Member sizes and order are part of the user-visible ptrace ABI for
 * 31-bit tracers; do not reorder, resize or insert members.
 */
struct compat_per_struct_kernel {
	__u32 cr9;		/* PER control bits */
	__u32 cr10;		/* PER starting address */
	__u32 cr11;		/* PER ending address */
	__u32 bits;		/* Obsolete software bits */
	__u32 starting_addr;	/* User specified start address */
	__u32 ending_addr;	/* User specified end address */
	__u16 perc_atmid;	/* PER trap ATMID */
	__u32 address;		/* PER trap instruction address */
	__u8 access_id;		/* PER trap access identification */
};
/*
 * 31-bit (compat) register set returned to a tracer through ptrace;
 * it sits at the start of struct compat_user.
 *
 * The layout, including the alignment hole before fp_regs, is ABI.
 */
struct compat_user_regs_struct
{
	psw_compat_t psw;
	u32 gprs[NUM_GPRS];
	u32 acrs[NUM_ACRS];
	u32 orig_gpr2;
	/*
	 * nb: there's a 4-byte hole here (presumably from the alignment
	 * of s390_fp_regs). Its offsets are reachable by 31-bit
	 * PTRACE_PEEKUSR/PTRACE_POKEUSR, and kernels without the
	 * CVE-2008-1514 fix panicked on such accesses. The ptrace access
	 * paths must keep treating the hole as read-as-zero,
	 * write-ignored (returning an error on writes broke gdb).
	 */
	s390_fp_regs fp_regs;
	/*
	 * These per registers are in here so that gdb can modify them
	 * itself as there is no "official" ptrace interface for hardware
	 * watchpoints. This is the way intel does it.
	 */
	struct compat_per_struct_kernel per_info;
	u32 ieee_instruction_pointer;	/* obsolete, always 0 */
};
/*
 * 31-bit (compat) layout of the ptrace "user" area: the register set
 * first, then the bookkeeping fields gdb uses to locate things.
 *
 * Offsets into this struct are what a 31-bit tracer passes to
 * PTRACE_PEEKUSR/PTRACE_POKEUSR; the layout is ABI and must not change.
 */
struct compat_user {
	/* We start with the registers, to mimic the way that "memory"
	   is returned from the ptrace(3,...) function. */
	struct compat_user_regs_struct regs;
	/* The rest of this junk is to help gdb figure out what goes where */
	u32 u_tsize;		/* Text segment size (pages). */
	u32 u_dsize;		/* Data segment size (pages). */
	u32 u_ssize;		/* Stack segment size (pages). */
	u32 start_code;		/* Starting virtual address of text. */
	u32 start_stack;	/* Starting virtual address of stack area.
				   This is actually the bottom of the stack,
				   the top of the stack is always found in the
				   esp register. */
	s32 signal;		/* Signal that caused the core dump. */
	u32 u_ar0;		/* Used by gdb to help find the values for */
				/* the registers. */
	u32 magic;		/* To uniquely identify a core file */
	char u_comm[32];	/* User command that was responsible */
};
/*
 * Descriptor handed in by a 31-bit tracer for a bulk transfer of the
 * user area (the PTRACE_PEEKUSR_AREA / PTRACE_POKEUSR_AREA requests).
 * All members are 32-bit so the struct can be copied from the compat
 * caller as-is.
 *
 * NOTE(review): presumably kernel_addr is an offset into struct
 * compat_user and process_addr the tracer-side buffer address --
 * confirm against the ptrace handler. Every value here originates
 * from the tracer and must be range-checked against the user area
 * (including the padding hole) before any copy.
 */
typedef struct
{
	__u32 len;		/* number of bytes to transfer */
	__u32 kernel_addr;	/* offset within the user area (see note) */
	__u32 process_addr;	/* 31-bit address of the tracer's buffer (see note) */
} compat_ptrace_area;
# endif /* _PTRACE32_H */