    powerpc/603: Fix protection of user pages mapped with PROT_NONE · c119565a
    Christophe Leroy authored
    On book3s/32, page protection is defined by the PP bits in the PTE
    which provide the following protection depending on the access
    keys defined in the matching segment register:
    - PP 00 means RW with key 0 and N/A with key 1.
    - PP 01 means RW with key 0 and RO with key 1.
    - PP 10 means RW with both key 0 and key 1.
    - PP 11 means RO with both key 0 and key 1.
    
    Since the implementation of kernel userspace access protection,
    PP bits have been set as follows:
    - PP00 for pages without _PAGE_USER
    - PP01 for pages with _PAGE_USER and _PAGE_RW
    - PP11 for pages with _PAGE_USER and without _PAGE_RW
    
    For kernelspace segments, kernel accesses are performed with key 0
    and user accesses are performed with key 1. As PP00 is used for
    non _PAGE_USER pages, the user can't access kernel pages not flagged
    _PAGE_USER while the kernel can.
    
    For userspace segments, both kernel and user accesses are performed
    with key 0, therefore pages not flagged _PAGE_USER are still
    accessible to the user.
    
    This shouldn't be an issue, because userspace is expected to be
    accessible to the user. But unlike most other architectures, powerpc
    implements PROT_NONE protection by removing _PAGE_USER flag instead of
    flagging the page as not valid. This means that pages in userspace
    that are not flagged _PAGE_USER shall remain inaccessible.
    
    To get the expected behaviour, just mimic other architectures in the
    TLB miss handler by checking _PAGE_USER permission on userspace
    accesses as if it were the _PAGE_PRESENT bit.
    
    Note that this problem is only for 603 cores. The 604+ have
    a hash table, and the hash_page() function already implements the
    verification of _PAGE_USER permission on userspace pages.
    
    Fixes: f342adca ("powerpc/32s: Prepare Kernel Userspace Access Protection")
    Cc: stable@vger.kernel.org # v5.2+
    Reported-by: Christoph Plattner <christoph.plattner@thalesgroup.com>
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/4a0c6e3bb8f0c162457bf54d9bc6fd8d7b55129f.1612160907.git.christophe.leroy@csgroup.eu
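A small C model of the protection rules described in the commit message, added here as an illustration and not part of the commit or of the kernel sources: it encodes the PP/key table and the KUAP PP assignment above, and shows how a PROT_NONE userspace page (present, but with _PAGE_USER cleared) resolves on a 603 before and after the fix. The flag bit positions, segment and access enums, and function names are constructed for the model.

```c
#include <stdbool.h>

/* PTE flag bits; positions are constructed for this model, not the kernel's. */
#define PAGE_PRESENT 0x1u
#define PAGE_USER    0x2u
#define PAGE_RW      0x4u

enum seg { SEG_KERNEL, SEG_USER };        /* segment the address falls in */
enum access { ACC_NONE, ACC_RO, ACC_RW };

/* PP bits as set since KUAP: PP00 without _PAGE_USER, PP01 user RW, PP11 user RO. */
static unsigned pp_bits(unsigned pte)
{
    if (!(pte & PAGE_USER)) return 0;
    return (pte & PAGE_RW) ? 1 : 3;
}

/* Access key: kernelspace segments use key 0 for kernel and key 1 for user
 * accesses; userspace segments use key 0 for both. */
static int key_for(enum seg seg, bool from_user)
{
    return (seg == SEG_KERNEL && from_user) ? 1 : 0;
}

/* Hardware PP/key protection table from the commit message. */
static enum access hw_access(unsigned pp, int key)
{
    switch (pp) {
    case 0:  return key ? ACC_NONE : ACC_RW;   /* RW key 0, no access key 1 */
    case 1:  return key ? ACC_RO : ACC_RW;     /* RW key 0, RO key 1 */
    case 2:  return ACC_RW;                    /* RW both keys */
    default: return ACC_RO;                    /* RO both keys */
    }
}

/* Outcome of a 603 TLB miss for this PTE. With `fixed` set, user-mode accesses
 * also require _PAGE_USER, treated like _PAGE_PRESENT, which is the commit's fix. */
static enum access resolve(unsigned pte, enum seg seg, bool from_user, bool fixed)
{
    if (!(pte & PAGE_PRESENT)) return ACC_NONE;
    if (fixed && from_user && !(pte & PAGE_USER)) return ACC_NONE;
    return hw_access(pp_bits(pte), key_for(seg, from_user));
}
```

Before the fix, `resolve(PAGE_PRESENT | PAGE_RW, SEG_USER, true, false)` yields ACC_RW for a PROT_NONE page, since a userspace segment gives key 0 and PP00 grants RW to key 0; with the fix it yields ACC_NONE.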
head_book3s_32.S 35.4 KB