[PATCH 3/5] powerpc: Fix TAR leak across exec() syscalls

Michael Neuling mikey at neuling.org
Thu Mar 24 19:44:25 AEDT 2016


On Wed, 2016-03-23 at 16:47 +1100, Cyril Bur wrote:
> Currently start_thread() doesn't sanitise TAR.
> 
> The TAR SPR is a register that can be set and branched to; not
> sanitising it presents an information leak to the new executable.
> 
> Other SPR registers, such as the Performance registers used by perf (and
> managed entirely by perf) as well as the Event Based Branch (EBB) registers, are
> left alone by design, as these fall into the same category as leaving file
> descriptors open across exec(): it is up to the parent thread to sanitise what it
> deems necessary.
> 
> Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
> ---
>  arch/powerpc/kernel/process.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
> index d7a9df5..56444a6 100644
> --- a/arch/powerpc/kernel/process.c
> +++ b/arch/powerpc/kernel/process.c
> @@ -1577,6 +1577,8 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
>  	current->thread.vr_state.vscr.u[3] = 0x00010000; /* Java mode disabled */
>  	current->thread.vr_save_area = NULL;
>  	current->thread.vrsave = 0;
> +	if (cpu_has_feature(CPU_FTR_ALTIVEC))
> +		mtspr(SPRN_VRSAVE, 0);

VRSAVE is not mentioned in the commit message.

>  	current->thread.used_vr = 0;
>  #endif /* CONFIG_ALTIVEC */
>  #ifdef CONFIG_SPE
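Review bot: The added `mtspr(SPRN_VRSAVE, 0)` in this hunk is a behaviour change the commit message does not describe; it only talks about TAR. Either mention VRSAVE in the changelog (and the subject line) or split the VRSAVE write into its own patch so the two fixes can be reviewed and bisected separately.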
> @@ -1592,6 +1594,18 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp)
>  	current->thread.tm_texasr = 0;
>  	current->thread.tm_tfiar = 0;
>  #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */
> +#ifdef CONFIG_PPC_BOOK3S_64
> +	/*
> +	 * Zero out the SPRs.
> +	 * Don't touch the ones use by perf, it controls them.
> +	 * Don't touch the EBB regs. This falls into the same category of
> +	 *   responsibly as open file descriptors across exec(), the parent should
> +	 *   sanitise if it feels it would be a problem
> +	 */
> +	current->thread.tar = 0;
> +	if (cpu_has_feature(CPU_FTR_ARCH_206))
> +		mtspr(SPRN_TAR, 0);
> +#endif /* CONFIG_PPC_BOOK3S_64 */
>  }
>  EXPORT_SYMBOL(start_thread);
>  
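Review bot: The new comment in this hunk says "Zero out the SPRs" but the block only clears TAR, and it has typos ("the ones use by perf" should be "the ones used by perf", "responsibly" should be "responsibility"); the two-space continuation indent inside the comment is also non-standard for kernel style. Suggest rewording to something like "Zero out TAR. Don't touch the SPRs used by perf; it controls them. Don't touch the EBB regs either: ..." Separately, please double-check the feature guard before the `mtspr(SPRN_TAR, 0)`: TAR was introduced with Power ISA 2.07, so CPU_FTR_ARCH_207S looks like the matching check rather than CPU_FTR_ARCH_206, and an mtspr to an unimplemented SPR would trap.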
