From: Michael Neuling
To: pjw@kernel.org
Cc: ajones@ventanamicro.com, akpm@linux-foundation.org, aleksa.paunovic@htecgroup.com, alex@ghiti.fr, aou@eecs.berkeley.edu, arikalo@gmail.com, arnd@arndb.de, bjorn@rivosinc.com, david@redhat.com, djordje.todorovic@htecgroup.com, guoren@kernel.org, junhui.liu@pigmoral.tech, kevin.brodsky@arm.com, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, ljs@kernel.org, mikey@neuling.org, namcao@linutronix.de, oleg@redhat.com, osalvador@suse.de, palmer@dabbelt.com, panqinglin2020@iscas.ac.cn, rppt@kernel.org, rvishwanathan@mips.com, vishal.moola@gmail.com
Subject: [PATCH v2] riscv: Fix register corruption from uninitialized cregs on error
Date: Fri, 1 May 2026 06:23:20 +0000
Message-ID: <20260501062320.2339562-1-mikey@neuling.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <78b4e931-9ec7-14b6-1487-906652a65ce8@kernel.org>
References: <78b4e931-9ec7-14b6-1487-906652a65ce8@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

compat_riscv_gpr_set() calls cregs_to_regs() unconditionally, even when
user_regset_copyin() fails. Since cregs is an uninitialized stack
variable, a copyin failure causes uninitialized stack data to be written
into the target task's pt_regs, corrupting its register state and
potentially leaking kernel stack contents.

compat_restore_sigcontext() has the same issue: it calls cregs_to_regs()
even when __copy_from_user() fails, leading to the same corruption of the
signal-returning task's register state on error.

Only call cregs_to_regs() when the user copy succeeds.

Fixes: 4608c159594f ("riscv: compat: ptrace: Add compat_arch_ptrace implement")
Fixes: 7383ee05314b ("riscv: compat: signal: Add rt_frame implementation")
Signed-off-by: Michael Neuling Assisted-by: Cursor:claude-4.6-opus-high-thinking --- arch/riscv/kernel/compat_signal.c | 2 ++ arch/riscv/kernel/ptrace.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/compat_signal.c b/arch/riscv/kernel/compat_s= ignal.c index 6ec4e34255..cf3eb33a11 100644 --- a/arch/riscv/kernel/compat_signal.c +++ b/arch/riscv/kernel/compat_signal.c @@ -107,6 +107,8 @@ static long compat_restore_sigcontext(struct pt_regs *r= egs, =20 /* sc_regs is structured the same as the start of pt_regs */ err =3D __copy_from_user(&cregs, &sc->sc_regs, sizeof(sc->sc_regs)); + if (unlikely(err)) + return err; =20 cregs_to_regs(&cregs, regs); =20 diff --git a/arch/riscv/kernel/ptrace.c b/arch/riscv/kernel/ptrace.c index 93de2e7a30..793bcee461 100644 --- a/arch/riscv/kernel/ptrace.c +++ b/arch/riscv/kernel/ptrace.c @@ -577,8 +577,8 @@ static int compat_riscv_gpr_set(struct task_struct *tar= get, struct compat_user_regs_struct cregs; =20 ret =3D user_regset_copyin(&pos, &count, &kbuf, &ubuf, &cregs, 0, -1); - - cregs_to_regs(&cregs, task_pt_regs(target)); + if (!ret) + cregs_to_regs(&cregs, task_pt_regs(target)); =20 return ret; } --=20 2.43.0
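Review bot: in the compat_signal.c hunk, the new early `return err` in compat_restore_sigcontext() hands back the raw __copy_from_user() result, which is the number of bytes not copied rather than a negative errno. That preserves the function's existing contract (the old code fell through to return the same value after cregs_to_regs()), so callers that only test for non-zero are unaffected, but the commit message should say so, and a one-line comment above `if (unlikely(err))` such as `/* count of bytes not copied; any non-zero value is failure */` would stop a later reader from "fixing" it to -EFAULT. With the return in place the uninitialized `cregs` is never read on the error path, so no zero-initialization of it is needed here.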
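Review bot: in the ptrace.c hunk, the `if (!ret)` guard in compat_riscv_gpr_set() covers the -EFAULT case but not a short write: user_regset_copyin() fills only as many bytes of `cregs` as `count` supplies, and the regset core accepts a PTRACE_SETREGSET length shorter than sizeof(struct compat_user_regs_struct) as long as it is a multiple of the element size, so on a valid short write the tail of `cregs` is still uninitialized stack data that cregs_to_regs() copies into task_pt_regs(target). To close that path as well, initialize `cregs` from the target's current registers before the copyin (the inverse conversion the compat get path already performs), so a partial write updates only the registers the tracer supplied and leaves the rest unchanged, which is what a copyin straight into pt_regs would do. Stylistically, `if (ret) return ret;` followed by an unconditional cregs_to_regs() would mirror the compat_signal.c hunk.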