• Paul Mackerras's avatar
    powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET · bf8c173b
    Paul Mackerras authored
    commit f077aaf0 upstream.
    
    In commit c60ac569 ("powerpc: Update kernel VSID range", 2013-03-13)
    we lost a check on the region number (the top four bits of the effective
    address) for addresses below PAGE_OFFSET.  That commit replaced a check
    that the top 18 bits were all zero with a check that bits 46 - 59 were
    zero (performed for all addresses, not just user addresses).
    
    This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
    and we will insert a valid SLB entry for it.  The VSID used will be the
    same as if the top 4 bits were 0, but the page size will be some random
    value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
    array in the paca.  If that page size is the same as would be used for
    region 0, then userspace just has an alias of the region 0 space.  If the
    page size is different, then no HPTE will be found for the access, and
    the process will get a SIGSEGV (since hash_page_mm() will refuse to create
    a HPTE for the bogus address).
    
    The access beyond the end of the mm_ctx_high_slices_psize can be at most
    5.5MB past the array, and so will be in RAM somewhere.  Since the access
    is a load performed in real mode, it won't fault or crash the kernel.
    At most this bug could perhaps leak a little bit of information about
    blocks of 32 bytes of memory located at offsets of i * 512kB past the
    paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
    
    Fixes: c60ac569 ("powerpc: Update kernel VSID range")
    Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
    Reviewed-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    bf8c173b
slb_low.S 7.4 KB