On 11/11/2022 18:49, Kristina Martsenko wrote:
The PTRACE_POKEDATA request writes a word of data to the tracee's memory. In PCuABI the size of the write remains 8 bytes. Currently the kernel erroneously writes 16 bytes, thereby overwriting 8 bytes of unrelated memory. Fix this by restoring the type of the data argument of generic_ptrace_pokedata() to unsigned long.
Fixes: ("kernel/ptrace: Modify ptrace syscall to accept capability arguments")
Thanks so much for finding and fixing this. This is completely my fault: when I picked up Beata's final version of the patch (v5), I amended it to fix morello_ptrace_pokecap() in line with morello_ptrace_peekcap(). This was correct; unfortunately I then proceeded to amend generic_ptrace_pokedata() too, and didn't realise that data is *not* a pointer in that case.
Will pick this up soon.
Kevin
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
include/linux/ptrace.h | 2 +-
kernel/ptrace.c        | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h index a4c84dbbe084..cfdd378636c7 100644 --- a/include/linux/ptrace.h +++ b/include/linux/ptrace.h @@ -108,7 +108,7 @@ static inline void ptrace_unlink(struct task_struct *child) int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, user_uintptr_t data); int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
user_uintptr_t data);
unsigned long data);
/**
- ptrace_parent - return the task that is tracing the given task
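Review bot: after this hunk generic_ptrace_pokedata() takes unsigned long data while generic_ptrace_peekdata(), declared directly above it, keeps user_uintptr_t data, and nothing in the header says why the two differ. The asymmetry is correct (for PEEKDATA data is the user pointer the word is stored through, for POKEDATA it is the 8-byte word itself, which is exactly the distinction the reply says was missed), so a one-line comment on the pair of declarations, e.g. "/* data: user pointer for peek, the word to write for poke */", would stop the next cleanup from re-widening it. It is also worth confirming that any caller still holding data as user_uintptr_t is happy with the implicit narrowing to unsigned long, which is the intended behaviour for a POKEDATA word.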
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index c278ae0058a6..e5343257131f 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -1350,7 +1350,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr, } int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
user_uintptr_t data)
unsigned long data)
{ int copied;
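Review bot: the definition now agrees with the header, and because the copy into the tracee is sized from sizeof(data) (the access_process_vm() call below the visible context), this one-type change is what brings the write back to 8 bytes; the visible body (`int copied;`) needs nothing further. Two additions would make the fix harder to regress: a comment on the parameter noting that data is the word to write, not a pointer, and a selftest that pokes one word and checks that the following 8 bytes are untouched. Separately, the Fixes: tag in the commit message carries no commit hash, so it cannot be resolved to a commit; it should be filled in before this is applied.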
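The failure mode the commit message describes (a POKEDATA that writes 16 bytes and clobbers the next word) is easy to check from user space. The following is an added regression test, not part of the patch or of the Morello tree: the tracer forks a child that requests PTRACE_TRACEME and stops, pokes one word into a known 16-byte-aligned array in the child, and then peeks the poked word and its neighbour. It assumes a 64-bit Linux host (sizeof(long) == 8) on which ptrace of a forked child is permitted, and returns -1 rather than failing when it is not. The helper name check_pokedata_width and the constants are this example's own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example (not from the patch): two adjacent, 16-byte-aligned words in
 * the tracee. PTRACE_POKEDATA on words[0] must leave words[1] untouched; the
 * 16-byte write the commit message describes would overwrite words[1].
 * The fork()ed child has the same address layout, so &words[i] is valid in it.
 */
static unsigned long words[2] __attribute__((aligned(16)));

#define SENTINEL 0xA5A5A5A5A5A5A5A5UL   /* constructed guard value for words[1] */
#define POKED    0x1122334455667788UL   /* constructed word written to words[0] */

static void reap(pid_t pid)
{
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
}

/*
 * Returns 0 if only words[0] changed (the fixed behaviour), 1 if the poked
 * value did not land or spilled into words[1], and -1 if ptrace cannot be
 * used here (no 64-bit long, fork failure, Yama/seccomp refusing TRACEME).
 */
int check_pokedata_width(void)
{
    int status;
    long w0, w1;
    pid_t pid;

    if (sizeof(long) != 8)
        return -1;                 /* the example targets the 64-bit ABI discussed */

    words[0] = 0;
    words[1] = SENTINEL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Tracee: ask to be traced, then stop so the tracer can poke us. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(2);              /* never raise SIGSTOP untraced: parent would hang */
        raise(SIGSTOP);
        _exit(0);
    }

    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        reap(pid);                 /* TRACEME refused or child died: ptrace unusable */
        return -1;
    }

    /* The data argument of POKEDATA is the word itself, not a pointer. */
    errno = 0;
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&words[0], (void *)POKED) < 0) {
        reap(pid);
        return -1;
    }

    /* PEEKDATA returns the word; -1 is a legal value, so errno decides errors. */
    errno = 0;
    w0 = ptrace(PTRACE_PEEKDATA, pid, (void *)&words[0], NULL);
    if (errno) { reap(pid); return -1; }
    errno = 0;
    w1 = ptrace(PTRACE_PEEKDATA, pid, (void *)&words[1], NULL);
    if (errno) { reap(pid); return -1; }

    reap(pid);

    if ((unsigned long)w0 != POKED)
        return 1;                  /* the poke itself did not land */
    return ((unsigned long)w1 == SENTINEL) ? 0 : 1;
}

int main(void)
{
    int r = check_pokedata_width();

    if (r < 0)
        puts("SKIP: ptrace not usable in this environment");
    else
        printf("%s: adjacent word %s\n", r ? "FAIL" : "PASS",
               r ? "clobbered" : "intact");
    return r > 0;
}
```

Run it as an unprivileged user on the kernel under test; a result of 1 reproduces the bug the commit fixes, 0 confirms the 8-byte write, and -1 means the environment (not the kernel) prevented the check.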