linux-hardened/include/linux/personality.h
Oleg Nesterov 485d527686 sys_personality: change sys_personality() to accept "unsigned int" instead of u_long
task_struct->pesonality is "unsigned int", but sys_personality() paths use
"unsigned long pesonality".  This means that every assignment or
comparison is not right.  In particular, if this argument does not fit
into "unsigned int" __set_personality() changes the caller's personality
and then sys_personality() returns -EINVAL.

Turn this argument into "unsigned int" and avoid overflows.  Obviously,
this is the user-visible change, we just ignore the upper bits.  But this
can't break the sane application.

There is another thing which can confuse the poorly written applications.
User-space thinks that this syscall returns int, not long.  This means
that the returned value can be negative and look like the error code.  But
note that libc won't be confused and thus errno won't be set, and with
this patch the user-space can never get -1 unless sys_personality() really
fails.  And, most importantly, the negative RET != -1 is only possible if
that app previously called personality(RET).

Pointed-out-by: Wenming Zhang <wezhang@redhat.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-06-04 15:21:45 -07:00

120 lines
3.4 KiB
C

#ifndef _LINUX_PERSONALITY_H
#define _LINUX_PERSONALITY_H
#ifdef __KERNEL__
/*
* Handling of different ABIs (personalities).
*/
struct exec_domain;
struct pt_regs;
extern int register_exec_domain(struct exec_domain *);
extern int unregister_exec_domain(struct exec_domain *);
extern int __set_personality(unsigned int);
#endif /* __KERNEL__ */
/*
* Flags for bug emulation.
*
* These occupy the top three bytes.
*/
enum {
ADDR_NO_RANDOMIZE = 0x0040000, /* disable randomization of VA space */
FDPIC_FUNCPTRS = 0x0080000, /* userspace function ptrs point to descriptors
* (signal handling)
*/
MMAP_PAGE_ZERO = 0x0100000,
ADDR_COMPAT_LAYOUT = 0x0200000,
READ_IMPLIES_EXEC = 0x0400000,
ADDR_LIMIT_32BIT = 0x0800000,
SHORT_INODE = 0x1000000,
WHOLE_SECONDS = 0x2000000,
STICKY_TIMEOUTS = 0x4000000,
ADDR_LIMIT_3GB = 0x8000000,
};
/*
* Security-relevant compatibility flags that must be
* cleared upon setuid or setgid exec:
*/
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
ADDR_NO_RANDOMIZE | \
ADDR_COMPAT_LAYOUT | \
MMAP_PAGE_ZERO)
/*
* Personality types.
*
* These go in the low byte. Avoid using the top bit, it will
* conflict with error returns.
*/
enum {
PER_LINUX = 0x0000,
PER_LINUX_32BIT = 0x0000 | ADDR_LIMIT_32BIT,
PER_LINUX_FDPIC = 0x0000 | FDPIC_FUNCPTRS,
PER_SVR4 = 0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,
PER_SVR3 = 0x0002 | STICKY_TIMEOUTS | SHORT_INODE,
PER_SCOSVR3 = 0x0003 | STICKY_TIMEOUTS |
WHOLE_SECONDS | SHORT_INODE,
PER_OSR5 = 0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS,
PER_WYSEV386 = 0x0004 | STICKY_TIMEOUTS | SHORT_INODE,
PER_ISCR4 = 0x0005 | STICKY_TIMEOUTS,
PER_BSD = 0x0006,
PER_SUNOS = 0x0006 | STICKY_TIMEOUTS,
PER_XENIX = 0x0007 | STICKY_TIMEOUTS | SHORT_INODE,
PER_LINUX32 = 0x0008,
PER_LINUX32_3GB = 0x0008 | ADDR_LIMIT_3GB,
PER_IRIX32 = 0x0009 | STICKY_TIMEOUTS,/* IRIX5 32-bit */
PER_IRIXN32 = 0x000a | STICKY_TIMEOUTS,/* IRIX6 new 32-bit */
PER_IRIX64 = 0x000b | STICKY_TIMEOUTS,/* IRIX6 64-bit */
PER_RISCOS = 0x000c,
PER_SOLARIS = 0x000d | STICKY_TIMEOUTS,
PER_UW7 = 0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,
PER_OSF4 = 0x000f, /* OSF/1 v4 */
PER_HPUX = 0x0010,
PER_MASK = 0x00ff,
};
#ifdef __KERNEL__
/*
* Description of an execution domain.
*
* The first two members are refernced from assembly source
* and should stay where they are unless explicitly needed.
*/
typedef void (*handler_t)(int, struct pt_regs *);
struct exec_domain {
const char *name; /* name of the execdomain */
handler_t handler; /* handler for syscalls */
unsigned char pers_low; /* lowest personality */
unsigned char pers_high; /* highest personality */
unsigned long *signal_map; /* signal mapping */
unsigned long *signal_invmap; /* reverse signal mapping */
struct map_segment *err_map; /* error mapping */
struct map_segment *socktype_map; /* socket type mapping */
struct map_segment *sockopt_map; /* socket option mapping */
struct map_segment *af_map; /* address family mapping */
struct module *module; /* module context of the ed. */
struct exec_domain *next; /* linked list (internal) */
};
/*
* Return the base personality without flags.
*/
#define personality(pers) (pers & PER_MASK)
/*
* Change personality of the currently running process.
*/
#define set_personality(pers) \
((current->personality == (pers)) ? 0 : __set_personality(pers))
#endif /* __KERNEL__ */
#endif /* _LINUX_PERSONALITY_H */