485d527686
task_struct->pesonality is "unsigned int", but sys_personality() paths use "unsigned long pesonality". This means that every assignment or comparison is not right. In particular, if this argument does not fit into "unsigned int" __set_personality() changes the caller's personality and then sys_personality() returns -EINVAL. Turn this argument into "unsigned int" and avoid overflows. Obviously, this is the user-visible change, we just ignore the upper bits. But this can't break the sane application. There is another thing which can confuse the poorly written applications. User-space thinks that this syscall returns int, not long. This means that the returned value can be negative and look like the error code. But note that libc won't be confused and thus errno won't be set, and with this patch the user-space can never get -1 unless sys_personality() really fails. And, most importantly, the negative RET != -1 is only possible if that app previously called personality(RET). Pointed-out-by: Wenming Zhang <wezhang@redhat.com> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
120 lines
3.4 KiB
C
120 lines
3.4 KiB
C
#ifndef _LINUX_PERSONALITY_H
|
|
#define _LINUX_PERSONALITY_H
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
/*
|
|
* Handling of different ABIs (personalities).
|
|
*/
|
|
|
|
struct exec_domain;
|
|
struct pt_regs;
|
|
|
|
extern int register_exec_domain(struct exec_domain *);
|
|
extern int unregister_exec_domain(struct exec_domain *);
|
|
extern int __set_personality(unsigned int);
|
|
|
|
#endif /* __KERNEL__ */
|
|
|
|
/*
|
|
* Flags for bug emulation.
|
|
*
|
|
* These occupy the top three bytes.
|
|
*/
|
|
enum {
|
|
ADDR_NO_RANDOMIZE = 0x0040000, /* disable randomization of VA space */
|
|
FDPIC_FUNCPTRS = 0x0080000, /* userspace function ptrs point to descriptors
|
|
* (signal handling)
|
|
*/
|
|
MMAP_PAGE_ZERO = 0x0100000,
|
|
ADDR_COMPAT_LAYOUT = 0x0200000,
|
|
READ_IMPLIES_EXEC = 0x0400000,
|
|
ADDR_LIMIT_32BIT = 0x0800000,
|
|
SHORT_INODE = 0x1000000,
|
|
WHOLE_SECONDS = 0x2000000,
|
|
STICKY_TIMEOUTS = 0x4000000,
|
|
ADDR_LIMIT_3GB = 0x8000000,
|
|
};
|
|
|
|
/*
|
|
* Security-relevant compatibility flags that must be
|
|
* cleared upon setuid or setgid exec:
|
|
*/
|
|
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
|
|
ADDR_NO_RANDOMIZE | \
|
|
ADDR_COMPAT_LAYOUT | \
|
|
MMAP_PAGE_ZERO)
|
|
|
|
/*
|
|
* Personality types.
|
|
*
|
|
* These go in the low byte. Avoid using the top bit, it will
|
|
* conflict with error returns.
|
|
*/
|
|
enum {
|
|
PER_LINUX = 0x0000,
|
|
PER_LINUX_32BIT = 0x0000 | ADDR_LIMIT_32BIT,
|
|
PER_LINUX_FDPIC = 0x0000 | FDPIC_FUNCPTRS,
|
|
PER_SVR4 = 0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,
|
|
PER_SVR3 = 0x0002 | STICKY_TIMEOUTS | SHORT_INODE,
|
|
PER_SCOSVR3 = 0x0003 | STICKY_TIMEOUTS |
|
|
WHOLE_SECONDS | SHORT_INODE,
|
|
PER_OSR5 = 0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS,
|
|
PER_WYSEV386 = 0x0004 | STICKY_TIMEOUTS | SHORT_INODE,
|
|
PER_ISCR4 = 0x0005 | STICKY_TIMEOUTS,
|
|
PER_BSD = 0x0006,
|
|
PER_SUNOS = 0x0006 | STICKY_TIMEOUTS,
|
|
PER_XENIX = 0x0007 | STICKY_TIMEOUTS | SHORT_INODE,
|
|
PER_LINUX32 = 0x0008,
|
|
PER_LINUX32_3GB = 0x0008 | ADDR_LIMIT_3GB,
|
|
PER_IRIX32 = 0x0009 | STICKY_TIMEOUTS,/* IRIX5 32-bit */
|
|
PER_IRIXN32 = 0x000a | STICKY_TIMEOUTS,/* IRIX6 new 32-bit */
|
|
PER_IRIX64 = 0x000b | STICKY_TIMEOUTS,/* IRIX6 64-bit */
|
|
PER_RISCOS = 0x000c,
|
|
PER_SOLARIS = 0x000d | STICKY_TIMEOUTS,
|
|
PER_UW7 = 0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO,
|
|
PER_OSF4 = 0x000f, /* OSF/1 v4 */
|
|
PER_HPUX = 0x0010,
|
|
PER_MASK = 0x00ff,
|
|
};
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
/*
|
|
* Description of an execution domain.
|
|
*
|
|
* The first two members are refernced from assembly source
|
|
* and should stay where they are unless explicitly needed.
|
|
*/
|
|
typedef void (*handler_t)(int, struct pt_regs *);
|
|
|
|
struct exec_domain {
|
|
const char *name; /* name of the execdomain */
|
|
handler_t handler; /* handler for syscalls */
|
|
unsigned char pers_low; /* lowest personality */
|
|
unsigned char pers_high; /* highest personality */
|
|
unsigned long *signal_map; /* signal mapping */
|
|
unsigned long *signal_invmap; /* reverse signal mapping */
|
|
struct map_segment *err_map; /* error mapping */
|
|
struct map_segment *socktype_map; /* socket type mapping */
|
|
struct map_segment *sockopt_map; /* socket option mapping */
|
|
struct map_segment *af_map; /* address family mapping */
|
|
struct module *module; /* module context of the ed. */
|
|
struct exec_domain *next; /* linked list (internal) */
|
|
};
|
|
|
|
/*
|
|
* Return the base personality without flags.
|
|
*/
|
|
#define personality(pers) (pers & PER_MASK)
|
|
|
|
|
|
/*
|
|
* Change personality of the currently running process.
|
|
*/
|
|
#define set_personality(pers) \
|
|
((current->personality == (pers)) ? 0 : __set_personality(pers))
|
|
|
|
#endif /* __KERNEL__ */
|
|
|
|
#endif /* _LINUX_PERSONALITY_H */
|