Changes in 4.9.238
af_key: pfkey_dump needs parameter validation
KVM: fix memory leak in kvm_io_bus_unregister_dev()
kprobes: fix kill kprobe which has been marked as gone
RDMA/ucma: ucma_context reference leak in error path
mtd: Fix comparison in map_word_andequal()
hdlc_ppp: add range checks in ppp_cp_parse_cr()
ip: fix tos reflection in ack and reset packets
tipc: use skb_unshare() instead in tipc_buf_append()
bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
net: phy: Avoid NPD upon phy_detach() when driver is unbound
net/hsr: Check skb_put_padto() return value
net: add __must_check to skb_put_padto()
serial: 8250: Avoid error message on reprobe
scsi: aacraid: fix illegal IO beyond last LBA
m68k: q40: Fix info-leak in rtc_ioctl
gma/gma500: fix a memory disclosure bug due to uninitialized bytes
ASoC: kirkwood: fix IRQ error handling
ALSA: usb-audio: Add delay quirk for H570e USB headsets
PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out
clk/ti/adpll: allocate room for terminating null
mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup()
mfd: mfd-core: Protect against NULL call-back function pointer
tracing: Adding NULL checks for trace_array descriptor pointer
bcache: fix a lost wake-up problem caused by mca_cannibalize_lock
RDMA/i40iw: Fix potential use after free
xfs: fix attr leaf header freemap.size underflow
RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()'
debugfs: Fix !DEBUG_FS debugfs_create_automount
CIFS: Properly process SMB3 lease breaks
kernel/sys.c: avoid copying possible padding bytes in copy_to_user
neigh_stat_seq_next() should increase position index
rt_cpu_seq_next should increase position index
seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier
media: ti-vpe: cal: Restrict DMA to avoid memory corruption
ACPI: EC: Reference count query handlers under lock
dmaengine: zynqmp_dma: fix burst length configuration
tracing: Set kernel_stack's caller size properly
ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter
Bluetooth: Fix refcount use-after-free issue
mm: pagewalk: fix termination condition in walk_pte_range()
Bluetooth: prefetch channel before killing sock
KVM: fix overflow of zero page refcount with ksm running
ALSA: hda: Clear RIRB status before reading WP
skbuff: fix a data race in skb_queue_len()
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
selinux: sel_avc_get_stat_idx should increase position index
scsi: lpfc: Fix RQ buffer leakage when no IOCBs available
scsi: lpfc: Fix coverity errors in fmdi attribute handling
drm/omap: fix possible object reference leak
RDMA/rxe: Fix configuration of atomic queue pair attributes
KVM: x86: fix incorrect comparison in trace event
x86/pkeys: Add check for pkey "overflow"
bpf: Remove recursion prevention from rcu free callback
dmaengine: tegra-apb: Prevent race conditions on channel's freeing
media: go7007: Fix URB type for interrupt handling
Bluetooth: guard against controllers sending zero'd events
timekeeping: Prevent 32bit truncation in scale64_check_overflow()
drm/amdgpu: increase atombios cmd timeout
Bluetooth: L2CAP: handle l2cap config request during open state
media: tda10071: fix unsigned sign extension overflow
xfs: don't ever return a stale pointer from __xfs_dir3_free_read
tpm: ibmvtpm: Wait for buffer to be set before proceeding
tracing: Use address-of operator on section symbols
serial: 8250_port: Don't service RX FIFO if throttled
serial: 8250_omap: Fix sleeping function called from invalid context during probe
serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
tools: gpio-hammer: Avoid potential overflow in main
SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
svcrdma: Fix leak of transport addresses
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
mm/filemap.c: clear page error before actual read
mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
drivers: char: tlclk.c: Avoid data race between init and interrupt handler
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
atm: fix a memory leak of vcc->user_back
phy: samsung: s5pv210-usb2: Add delay after reset
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
tty: serial: samsung: Correct clock selection logic
ALSA: hda: Fix potential race in unsol event handler
fuse: don't check refcount after stealing page
USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
e1000: Do not perform reset in reset_task if we are already down
printk: handle blank console arguments passed in.
btrfs: don't force read-only after error in drop snapshot
vfio/pci: fix memory leaks of eventfd ctx
perf util: Fix memory leak of prefix_if_not_in
perf kcore_copy: Fix module map when there are no modules loaded
mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
ceph: fix potential race in ceph_check_caps
mtd: parser: cmdline: Support MTD names containing one or more colons
x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
vfio/pci: Clear error and request eventfd ctx after releasing
cifs: Fix double add page to memcg when cifs_readpages
selftests/x86/syscall_nt: Clear weird flags after each test
vfio/pci: fix racy on error and request eventfd ctx
s390/init: add missing __init annotations
i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
objtool: Fix noreturn detection for ignored functions
ieee802154/adf7242: check status of adf7242_read_reg
clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
mwifiex: Increase AES key storage size to 256 bits
batman-adv: bla: fix type misuse for backbone_gw hash indexing
atm: eni: fix the missed pci_disable_device() for eni_init_one()
batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
mac802154: tx: fix use-after-free
batman-adv: Add missing include for in_interrupt()
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
ALSA: asihpi: fix iounmap in error handler
MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
lib/string.c: implement stpcpy
ata: define AC_ERR_OK
ata: make qc_prep return ata_completion_errors
ata: sata_mv, avoid trigerrable BUG_ON
Linux 4.9.238

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I799877db3bc49e473bbc023ab948cd241755beff
97 lines
2.4 KiB
C
/*
 * syscall_nt.c - checks syscalls with NT set
 * Copyright (c) 2014-2015 Andrew Lutomirski
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms and conditions of the GNU General Public License,
 * version 2, as published by the Free Software Foundation.
 *
 * This program is distributed in the hope it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * Some obscure user-space code requires the ability to make system calls
 * with FLAGS.NT set.  Make sure it works.
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <err.h>
#include <sys/syscall.h>
#include <asm/processor-flags.h>

/* Operand-size suffix for pushf/popf and push/pop: 64-bit vs. 32-bit. */
#ifdef __x86_64__
# define WIDTH "q"
#else
# define WIDTH "l"
#endif

static unsigned int nerrs;

/* Read the current EFLAGS/RFLAGS register via pushf + pop. */
static unsigned long get_eflags(void)
{
	unsigned long eflags;
	asm volatile ("pushf" WIDTH "\n\tpop" WIDTH " %0" : "=rm" (eflags));
	return eflags;
}

/* Load EFLAGS/RFLAGS via push + popf; the "flags" clobber tells the compiler. */
static void set_eflags(unsigned long eflags)
{
	asm volatile ("push" WIDTH " %0\n\tpopf" WIDTH
		      : : "rm" (eflags) : "flags");
}

static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
		       int flags)
{
	struct sigaction sa;
	memset(&sa, 0, sizeof(sa));
	sa.sa_sigaction = handler;
	sa.sa_flags = SA_SIGINFO | flags;
	sigemptyset(&sa.sa_mask);
	if (sigaction(sig, &sa, 0))
		err(1, "sigaction");
}

/* With TF set the CPU raises SIGTRAP after every instruction; just swallow it. */
static void sigtrap(int sig, siginfo_t *si, void *ctx_void)
{
}

static void do_it(unsigned long extraflags)
{
	unsigned long flags;

	set_eflags(get_eflags() | extraflags);
	syscall(SYS_getpid);
	flags = get_eflags();
	/*
	 * Restore a sane EFLAGS (only IF plus the always-set bit) so that a
	 * leftover NT or TF cannot disturb the code that runs after the test.
	 */
	set_eflags(X86_EFLAGS_IF | X86_EFLAGS_FIXED);
	if ((flags & extraflags) == extraflags) {
		printf("[OK]\tThe syscall worked and flags are still set\n");
	} else {
		printf("[FAIL]\tThe syscall worked but flags were cleared (flags = 0x%lx but expected 0x%lx set)\n",
		       flags, extraflags);
		nerrs++;
	}
}

int main(void)
{
	printf("[RUN]\tSet NT and issue a syscall\n");
	do_it(X86_EFLAGS_NT);

	/*
	 * Now try it again with TF set -- TF forces returns via IRET in all
	 * cases except non-ptregs-using 64-bit full fast path syscalls.
	 */

	sethandler(SIGTRAP, sigtrap, 0);

	printf("[RUN]\tSet NT|TF and issue a syscall\n");
	do_it(X86_EFLAGS_NT | X86_EFLAGS_TF);

	return nerrs == 0 ? 0 : 1;
}