oss-sec mailing list archives
CVE request - Linux Kernel KGDB/ppc issue
From: Hui Zhu <hui.zhu () windriver com>
Date: Thu, 29 Apr 2010 10:13:18 +0800
Hi All,

The problem is that if KGDB is enabled on a powerpc board, a test that checks if a page is user or kernel is bypassed. This means that a user can write to arbitrary kernel address space.

Upon further investigation, we found that kernels older than the v2.6.30-rc1 release have the same problem for non-booke ppc chips (74xx, 8641D), so we need two patches for kernels up to that date, and then one patch for ones after that date.

Thanks,
Hui
From 6450901836cb2c3dc92edf39a92532e3bb94cb88 Mon Sep 17 00:00:00 2001
From: Wufei <fei.wu () windriver com> Date: Wed, 28 Apr 2010 17:42:32 -0400 Subject: [PATCH] kgdb: don't needlessly skip PAGE_USER test for Fsl booke The bypassing of this test is a leftover from 2.4 vintage kernels, and is no longer appropriate, or even used by KGDB. Currently KGDB uses probe_kernel_write() for all access to memory via the KGDB core, so it can simply be deleted. Signed-off-by: Wufei <fei.wu () windriver com> Signed-off-by: Jason Wessel <jason.wessel () windriver com> --- arch/powerpc/mm/fsl_booke_mmu.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/mm/fsl_booke_mmu.c b/arch/powerpc/mm/fsl_booke_mmu.c index c539472..1ce9dd5 100644 --- a/arch/powerpc/mm/fsl_booke_mmu.c +++ b/arch/powerpc/mm/fsl_booke_mmu.c @@ -155,15 +155,10 @@ static void settlbcam(int index, unsigned long virt, phys_addr_t phys, if (cur_cpu_spec->cpu_features & MMU_FTR_BIG_PHYS) TLBCAM[index].MAS7 = (u64)phys >> 32; -#ifndef CONFIG_KGDB /* want user access for breakpoints */ if (flags & _PAGE_USER) { TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR; TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_UW : 0); } -#else - TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR; - TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_UW : 0); -#endif tlbcam_addrs[index].start = virt; tlbcam_addrs[index].limit = virt + size - 1; -- 1.6.5.2
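Review bot: The changelog describes this as removing a leftover, but the deleted #else branch in settlbcam() ORed MAS3_UX | MAS3_UR, plus MAS3_UW for _PAGE_RW mappings, into every TLBCAM entry without testing _PAGE_USER whenever CONFIG_KGDB was set. That is a change to user permissions on kernel mappings, not a cleanup, so the commit message should say so explicitly and the patch should be flagged for the stable trees that still carry the #ifndef. The rationale that KGDB now goes through probe_kernel_write() is fine as the reason the removal is safe, but it should follow the statement of what was wrong.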
From 5a71decdf73021b70a1a45087ad6e5abba81cce8 Mon Sep 17 00:00:00 2001
From: Paul Gortmaker <paul.gortmaker () windriver com> Date: Wed, 28 Apr 2010 18:39:19 -0400 Subject: [PATCH] kgdb: don't needlessly skip PAGE_USER test Part of commit 8d1cf34e7ad5c7738ce20d20bd7f002f562cb8b5, present in 2.6.30-rc1 and newer kernels deletes this needless KGDB specific skipping of the _PAGE_USER test. The bypassing of this test is a leftover from 2.4 vintage kernels, and is no longer appropriate, or even used by KGDB. Currently KGDB uses probe_kernel_write() for all access to memory via the KGDB core. Signed-off-by: Paul Gortmaker <paul.gortmaker () windriver com> Signed-off-by: Jason Wessel <jason.wessel () windriver com> --- arch/powerpc/mm/ppc_mmu_32.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/mm/ppc_mmu_32.c b/arch/powerpc/mm/ppc_mmu_32.c index 49b195e..abedf35 100644 --- a/arch/powerpc/mm/ppc_mmu_32.c +++ b/arch/powerpc/mm/ppc_mmu_32.c @@ -136,9 +136,7 @@ void __init setbat(int index, unsigned long virt, phys_addr_t phys, wimgxpp |= (flags & _PAGE_RW)? BPP_RW: BPP_RX; bat[1].batu = virt | (bl << 2) | 2; /* Vs=1, Vp=0 */ bat[1].batl = BAT_PHYS_ADDR(phys) | wimgxpp; -#ifndef CONFIG_KGDB /* want user access for breakpoints */ if (flags & _PAGE_USER) -#endif bat[1].batu |= 1; /* Vp = 1 */ if (flags & _PAGE_GUARDED) { /* G bit must be zero in IBATs */ -- 1.6.5.2
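Review bot: In setbat(), the #ifndef CONFIG_KGDB guard wrapped only the `if (flags & _PAGE_USER)` line, so with KGDB enabled `bat[1].batu |= 1; /* Vp = 1 */` ran for every BAT regardless of flags; the changelog should state that effect rather than calling the test "needless" to skip. Since the message says this is part of commit 8d1cf34e7ad5c7738ce20d20bd7f002f562cb8b5 from 2.6.30-rc1, it should also name the older trees the backport is meant for and note that only this portion of the upstream commit is taken. The hunk touches only the bat[1] path, so it is worth confirming that no other CONFIG_KGDB conditional on _PAGE_USER remains in this file.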