Commit adcc81f1 authored by Paul Burton's avatar Paul Burton

MIPS: math-emu: Write-protect delay slot emulation pages

Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.

Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().

This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.

A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.
Reported-by: default avatarAndy Lutomirski <luto@kernel.org>
Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
Fixes: 432c6bac ("MIPS: Use per-mm page to execute branch delay slot instructions")
Cc: stable@vger.kernel.org # v4.8+
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Rich Felker <dalias@libc.org>
Cc: David Daney <david.daney@cavium.com>
parent 41e486f4
...@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp) ...@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
/* Map delay slot emulation page */ /* Map delay slot emulation page */
base = mmap_region(NULL, STACK_TOP, PAGE_SIZE, base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
VM_READ|VM_WRITE|VM_EXEC| VM_READ | VM_EXEC |
VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
0, NULL); 0, NULL);
if (IS_ERR_VALUE(base)) { if (IS_ERR_VALUE(base)) {
ret = base; ret = base;
......
...@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir, ...@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
{ {
int isa16 = get_isa16_mode(regs->cp0_epc); int isa16 = get_isa16_mode(regs->cp0_epc);
mips_instruction break_math; mips_instruction break_math;
struct emuframe __user *fr; unsigned long fr_uaddr;
int err, fr_idx; struct emuframe fr;
int fr_idx, ret;
/* NOP is easy */ /* NOP is easy */
if (ir == 0) if (ir == 0)
...@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir, ...@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
fr_idx = alloc_emuframe(); fr_idx = alloc_emuframe();
if (fr_idx == BD_EMUFRAME_NONE) if (fr_idx == BD_EMUFRAME_NONE)
return SIGBUS; return SIGBUS;
fr = &dsemul_page()[fr_idx];
/* Retrieve the appropriately encoded break instruction */ /* Retrieve the appropriately encoded break instruction */
break_math = BREAK_MATH(isa16); break_math = BREAK_MATH(isa16);
/* Write the instructions to the frame */ /* Write the instructions to the frame */
if (isa16) { if (isa16) {
err = __put_user(ir >> 16, union mips_instruction _emul = {
(u16 __user *)(&fr->emul)); .halfword = { ir >> 16, ir }
err |= __put_user(ir & 0xffff, };
(u16 __user *)((long)(&fr->emul) + 2)); union mips_instruction _badinst = {
err |= __put_user(break_math >> 16, .halfword = { break_math >> 16, break_math }
(u16 __user *)(&fr->badinst)); };
err |= __put_user(break_math & 0xffff,
(u16 __user *)((long)(&fr->badinst) + 2)); fr.emul = _emul.word;
fr.badinst = _badinst.word;
} else { } else {
err = __put_user(ir, &fr->emul); fr.emul = ir;
err |= __put_user(break_math, &fr->badinst); fr.badinst = break_math;
} }
if (unlikely(err)) { /* Write the frame to user memory */
fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
FOLL_FORCE | FOLL_WRITE);
if (unlikely(ret != sizeof(fr))) {
MIPS_FPU_EMU_INC_STATS(errors); MIPS_FPU_EMU_INC_STATS(errors);
free_emuframe(fr_idx, current->mm); free_emuframe(fr_idx, current->mm);
return SIGBUS; return SIGBUS;
...@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir, ...@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
atomic_set(&current->thread.bd_emu_frame, fr_idx); atomic_set(&current->thread.bd_emu_frame, fr_idx);
/* Change user register context to execute the frame */ /* Change user register context to execute the frame */
regs->cp0_epc = (unsigned long)&fr->emul | isa16; regs->cp0_epc = fr_uaddr | isa16;
/* Ensure the icache observes our newly written frame */
flush_cache_sigtramp((unsigned long)&fr->emul);
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment