CVE-2011-2707: Linux kernel xtensa Arbitrary Read
Our beloved Linux kernel bug killer, Dan Rosenberg (aka bliss) recently disclosed this vulnerability that affects Xtensa architecture.
The susceptible code resides in the arch/xtensa/kernel/ptrace.c file, which contains the architecture-specific implementation of the well-known ptrace(2) system call. As Dan Rosenberg noticed, the ptrace_setxregs() routine performed no access check on the user-supplied pointer.
Consequently, an attacker could pass pointers belonging to kernel space and perform arbitrary read operations of kernel memory.
The fix was to add the missing check at the beginning of the function, before any further processing of the user-controlled pointer.
elf_xtregs_t *xtregs = uregs; int ret = 0; + if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t))) + return -EIO; + #if XTENSA_HAVE_COPROCESSORS /* Flush all coprocessors before we overwrite them. */ coprocessor_flush_all(ti);
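Review bot: the added access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t)) check is correctly placed before coprocessor_flush_all(ti), so a bad pointer is rejected before the flush side effect runs; note that access_ok only confirms the whole elf_xtregs_t range lies within the user address space (including the case where the range would wrap past it), it does not verify the pages are mapped, so the copies from uregs that follow in this function still need their return values checked. Returning -EIO rather than -EFAULT is consistent with the rest of the ptrace code, but a one-line comment stating why the range check must cover the full structure rather than just the first byte would make the intent clear to future readers.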