From: Al Viro viro@zeniv.linux.org.uk
commit fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f upstream.
csky restore_sigcontext() blindly overwrites regs->sr with the value it finds in sigcontext. Attacker can store whatever they want in there, which includes things like S-bit. Userland shouldn't be able to set that, or anything other than C flag (bit 0).
Do the same thing other architectures with protected bits in flags register do - preserve everything that shouldn't be settable in user mode, picking the rest from the value saved is sigcontext.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Guo Ren guoren@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- arch/csky/kernel/signal.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/arch/csky/kernel/signal.c +++ b/arch/csky/kernel/signal.c @@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt struct sigcontext __user *sc) { int err = 0; + unsigned long sr = regs->sr;
/* sc_pt_regs is structured the same as the start of pt_regs */ err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
+ /* BIT(0) of regs->sr is Condition Code/Carry bit */ + regs->sr = (sr & ~1) | (regs->sr & 1); + /* Restore the floating-point state. */ err |= restore_fpu_state(sc);