[PATCH v2] riscv: Fix register corruption from uninitialized cregs on error

Paul Walmsley pjw at kernel.org
Fri May 1 20:14:11 PDT 2026


On Fri, 1 May 2026, Michael Neuling wrote:

> compat_riscv_gpr_set() calls cregs_to_regs() unconditionally, even when
> user_regset_copyin() fails. Since cregs is an uninitialized stack
> variable, a copyin failure causes uninitialized stack data to be written
> into the target task's pt_regs, corrupting its register state and
> potentially leaking kernel stack contents.
> 
> compat_restore_sigcontext() has the same issue: it calls cregs_to_regs()
> even when __copy_from_user() fails, leading to the same corruption of
> the signal-returning task's register state on error.
> 
> Only call cregs_to_regs() when the user copy succeeds.
> 
> Fixes: 4608c159594f ("riscv: compat: ptrace: Add compat_arch_ptrace implement")
> Fixes: 7383ee05314b ("riscv: compat: signal: Add rt_frame implementation")
> Signed-off-by: Michael Neuling <mikey at neuling.org>
> Assisted-by: Cursor:claude-4.6-opus-high-thinking

Thanks very much; queued for v7.1-rc.


- Paul
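The bug class described above (converting a stack-local compat register struct into the target's pt_regs even when the copy from user space failed) can be reproduced in a small user-space model. The following is an added illustration, not code from the patch or from the kernel: the names `copy_from_user_sim`, `cregs_to_regs_sim`, `gpr_set_buggy` and `gpr_set_fixed` are hypothetical stand-ins for user_regset_copyin()/__copy_from_user(), cregs_to_regs() and compat_riscv_gpr_set(), and the 0x41 fill in the buggy path is a constructed, deterministic stand-in for whatever stale data the real (uninitialized) stack slot would hold.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NR_REGS 32

/* Hypothetical stand-ins for the kernel types named on the page. */
struct compat_regs { uint32_t r[NR_REGS]; };   /* 32-bit compat layout from user space */
struct full_regs   { uint64_t r[NR_REGS]; };   /* the target task's pt_regs */

/* Stand-in for user_regset_copyin()/__copy_from_user(): 0 on success,
 * -1 on failure. Like the real routines, it leaves *dst untouched on failure
 * (the 'fail' flag is constructed failure injection for the demo). */
static int copy_from_user_sim(struct compat_regs *dst,
                              const struct compat_regs *src, bool fail)
{
    if (fail)
        return -1;
    memcpy(dst, src, sizeof(*dst));
    return 0;
}

/* Stand-in for cregs_to_regs(): widen each compat register into pt_regs. */
static void cregs_to_regs_sim(const struct compat_regs *c, struct full_regs *r)
{
    for (int i = 0; i < NR_REGS; i++)
        r->r[i] = c->r[i];
}

typedef int (*setter_fn)(struct full_regs *, const struct compat_regs *, bool);

/* Buggy pattern: the conversion runs regardless of the copy result, so on
 * failure the stale contents of 'cregs' land in the target's registers. */
static int gpr_set_buggy(struct full_regs *regs,
                         const struct compat_regs *user, bool fail)
{
    struct compat_regs cregs;
    /* Constructed stand-in for stale stack data; a real build would simply
     * leave 'cregs' uninitialized here, which is undefined behaviour. */
    memset(&cregs, 0x41, sizeof(cregs));
    int ret = copy_from_user_sim(&cregs, user, fail);
    cregs_to_regs_sim(&cregs, regs);      /* runs even when ret != 0 */
    return ret;
}

/* Fixed pattern: only convert when the user copy succeeded. */
static int gpr_set_fixed(struct full_regs *regs,
                         const struct compat_regs *user, bool fail)
{
    struct compat_regs cregs;
    memset(&cregs, 0x41, sizeof(cregs));  /* same stale stand-in for comparison */
    int ret = copy_from_user_sim(&cregs, user, fail);
    if (ret == 0)
        cregs_to_regs_sim(&cregs, regs);
    return ret;
}

/* Returns true if a failed set left every register at its sentinel value. */
static bool untouched_on_failure(setter_fn setter)
{
    struct full_regs regs;
    struct compat_regs user = {{0}};
    for (int i = 0; i < NR_REGS; i++)
        regs.r[i] = 0x1111111100000000ull + (uint64_t)i;   /* sentinel */
    if (setter(&regs, &user, true) == 0)
        return false;                      /* the copy was supposed to fail */
    for (int i = 0; i < NR_REGS; i++)
        if (regs.r[i] != 0x1111111100000000ull + (uint64_t)i)
            return false;
    return true;
}

/* Returns true if a successful set applied the user-supplied values. */
static bool applied_on_success(setter_fn setter)
{
    struct full_regs regs = {{0}};
    struct compat_regs user;
    for (int i = 0; i < NR_REGS; i++)
        user.r[i] = 0x1000u + (uint32_t)i;
    if (setter(&regs, &user, false) != 0)
        return false;
    for (int i = 0; i < NR_REGS; i++)
        if (regs.r[i] != 0x1000u + (uint32_t)i)
            return false;
    return true;
}

int main(void)
{
    printf("buggy : untouched on failure = %d\n", untouched_on_failure(gpr_set_buggy));
    printf("fixed : untouched on failure = %d\n", untouched_on_failure(gpr_set_fixed));
    printf("fixed : applied on success   = %d\n", applied_on_success(gpr_set_fixed));
    return 0;
}
```

With the buggy setter, a failed copy overwrites every register with the stale 0x41 pattern (the model's stand-in for kernel stack contents), which is exactly the corruption and disclosure the patch description refers to; the fixed setter leaves the target's registers at their previous values and still applies the user's values when the copy succeeds.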
