commit 2c87e2cd0b57f63c226cd51f55ccc36867541a24
author Andi Kleen <ak@suse.de> Mon Jul 10 17:06:24 2006 +0200
committer Linus Torvalds <torvalds@g5.osdl.org> Mon Jul 10 15:12:33 2006 -0700
tree 78de73e00823aa0b29ebc2570e67207f42f957f0
parent 1cfcea1b2d67987ddb84dc75f454321bcf536555

[PATCH] x86_64: Fix access check in ptrace compat

We can't safely directly access an compat_alloc_user_space() pointer
with the siginfo copy functions. Bounce it through the stack.

Noticed by Al Viro using sparse

[ This was only added post 2.6.17, not in any released kernel ]

Cc: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

arch/x86_64/ia32/ptrace32.c

diff --git a/arch/x86_64/ia32/ptrace32.c b/arch/x86_64/ia32/ptrace32.c
index a590b7a..659c072 100644
--- a/arch/x86_64/ia32/ptrace32.c
+++ b/arch/x86_64/ia32/ptrace32.c
@@ -202,17 +202,24 @@
 {
 	int ret;
 	compat_siginfo_t *si32 = (compat_siginfo_t *)compat_ptr(data);
+	siginfo_t ssi; 
 	siginfo_t *si = compat_alloc_user_space(sizeof(siginfo_t));
 	if (request == PTRACE_SETSIGINFO) {
-		ret = copy_siginfo_from_user32(si, si32);
+		memset(&ssi, 0, sizeof(siginfo_t));
+		ret = copy_siginfo_from_user32(&ssi, si32);
 		if (ret)
 			return ret;
+		if (copy_to_user(si, &ssi, sizeof(siginfo_t)))
+			return -EFAULT;
 	}
 	ret = sys_ptrace(request, pid, addr, (unsigned long)si);
 	if (ret)
 		return ret;
-	if (request == PTRACE_GETSIGINFO)
-		ret = copy_siginfo_to_user32(si32, si);
+	if (request == PTRACE_GETSIGINFO) {
+		if (copy_from_user(&ssi, si, sizeof(siginfo_t)))
+			return -EFAULT;
+		ret = copy_siginfo_to_user32(si32, &ssi);
+	}
 	return ret;
 }