mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-27 16:25:32 +08:00
9dc086f1e9
The early versions of our kernel user access prevention (KUAP) were written by Russell and Christophe, and didn't have separate read/write access. At some point I picked up the series and added the read/write access, but I failed to update the usages in futex.h to correctly allow read and write. However we didn't notice because of another bug which was causing the low-level code to always enable read and write. That bug was fixed recently in commit1d8f739b07
("powerpc/kuap: Fix set direction in allow/prevent_user_access()"). futex_atomic_cmpxchg_inatomic() is passed the user address as %3 and does: 1: lwarx %1, 0, %3 cmpw 0, %1, %4 bne- 3f 2: stwcx. %5, 0, %3 Which clearly loads and stores from/to %3. The logic in arch_futex_atomic_op_inuser() is similar, so fix both of them to use allow_read_write_user(). Without this fix, and with PPC_KUAP_DEBUG=y, we see eg: Bug: Read fault blocked by AMR! WARNING: CPU: 94 PID: 149215 at arch/powerpc/include/asm/book3s/64/kup-radix.h:126 __do_page_fault+0x600/0xf30 CPU: 94 PID: 149215 Comm: futex_requeue_p Tainted: G W 5.5.0-rc7-gcc9x-g4c25df5640ae #1 ... NIP [c000000000070680] __do_page_fault+0x600/0xf30 LR [c00000000007067c] __do_page_fault+0x5fc/0xf30 Call Trace: [c00020138e5637e0] [c00000000007067c] __do_page_fault+0x5fc/0xf30 (unreliable) [c00020138e5638c0] [c00000000000ada8] handle_page_fault+0x10/0x30 --- interrupt: 301 at cmpxchg_futex_value_locked+0x68/0xd0 LR = futex_lock_pi_atomic+0xe0/0x1f0 [c00020138e563bc0] [c000000000217b50] futex_lock_pi_atomic+0x80/0x1f0 (unreliable) [c00020138e563c30] [c00000000021b668] futex_requeue+0x438/0xb60 [c00020138e563d60] [c00000000021c6cc] do_futex+0x1ec/0x2b0 [c00020138e563d90] [c00000000021c8b8] sys_futex+0x128/0x200 [c00020138e563e20] [c00000000000b7ac] system_call+0x5c/0x68 Fixes:de78a9c42a
("powerpc: Add a framework for Kernel Userspace Access Protection") Cc: stable@vger.kernel.org # v5.2+ Reported-by: syzbot+e808452bad7c375cbee6@syzkaller-ppc64.appspotmail.com Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr> Link: https://lore.kernel.org/r/20200207122145.11928-1-mpe@ellerman.id.au
108 lines
2.4 KiB
C
108 lines
2.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _ASM_POWERPC_FUTEX_H
|
|
#define _ASM_POWERPC_FUTEX_H
|
|
|
|
#ifdef __KERNEL__
|
|
|
|
#include <linux/futex.h>
|
|
#include <linux/uaccess.h>
|
|
#include <asm/errno.h>
|
|
#include <asm/synch.h>
|
|
#include <asm/asm-405.h>
|
|
|
|
#define __futex_atomic_op(insn, ret, oldval, uaddr, oparg) \
|
|
__asm__ __volatile ( \
|
|
PPC_ATOMIC_ENTRY_BARRIER \
|
|
"1: lwarx %0,0,%2\n" \
|
|
insn \
|
|
PPC405_ERR77(0, %2) \
|
|
"2: stwcx. %1,0,%2\n" \
|
|
"bne- 1b\n" \
|
|
PPC_ATOMIC_EXIT_BARRIER \
|
|
"li %1,0\n" \
|
|
"3: .section .fixup,\"ax\"\n" \
|
|
"4: li %1,%3\n" \
|
|
"b 3b\n" \
|
|
".previous\n" \
|
|
EX_TABLE(1b, 4b) \
|
|
EX_TABLE(2b, 4b) \
|
|
: "=&r" (oldval), "=&r" (ret) \
|
|
: "b" (uaddr), "i" (-EFAULT), "r" (oparg) \
|
|
: "cr0", "memory")
|
|
|
|
static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
|
|
u32 __user *uaddr)
|
|
{
|
|
int oldval = 0, ret;
|
|
|
|
allow_read_write_user(uaddr, uaddr, sizeof(*uaddr));
|
|
pagefault_disable();
|
|
|
|
switch (op) {
|
|
case FUTEX_OP_SET:
|
|
__futex_atomic_op("mr %1,%4\n", ret, oldval, uaddr, oparg);
|
|
break;
|
|
case FUTEX_OP_ADD:
|
|
__futex_atomic_op("add %1,%0,%4\n", ret, oldval, uaddr, oparg);
|
|
break;
|
|
case FUTEX_OP_OR:
|
|
__futex_atomic_op("or %1,%0,%4\n", ret, oldval, uaddr, oparg);
|
|
break;
|
|
case FUTEX_OP_ANDN:
|
|
__futex_atomic_op("andc %1,%0,%4\n", ret, oldval, uaddr, oparg);
|
|
break;
|
|
case FUTEX_OP_XOR:
|
|
__futex_atomic_op("xor %1,%0,%4\n", ret, oldval, uaddr, oparg);
|
|
break;
|
|
default:
|
|
ret = -ENOSYS;
|
|
}
|
|
|
|
pagefault_enable();
|
|
|
|
*oval = oldval;
|
|
|
|
prevent_read_write_user(uaddr, uaddr, sizeof(*uaddr));
|
|
return ret;
|
|
}
|
|
|
|
static inline int
|
|
futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
|
|
u32 oldval, u32 newval)
|
|
{
|
|
int ret = 0;
|
|
u32 prev;
|
|
|
|
if (!access_ok(uaddr, sizeof(u32)))
|
|
return -EFAULT;
|
|
|
|
allow_read_write_user(uaddr, uaddr, sizeof(*uaddr));
|
|
|
|
__asm__ __volatile__ (
|
|
PPC_ATOMIC_ENTRY_BARRIER
|
|
"1: lwarx %1,0,%3 # futex_atomic_cmpxchg_inatomic\n\
|
|
cmpw 0,%1,%4\n\
|
|
bne- 3f\n"
|
|
PPC405_ERR77(0,%3)
|
|
"2: stwcx. %5,0,%3\n\
|
|
bne- 1b\n"
|
|
PPC_ATOMIC_EXIT_BARRIER
|
|
"3: .section .fixup,\"ax\"\n\
|
|
4: li %0,%6\n\
|
|
b 3b\n\
|
|
.previous\n"
|
|
EX_TABLE(1b, 4b)
|
|
EX_TABLE(2b, 4b)
|
|
: "+r" (ret), "=&r" (prev), "+m" (*uaddr)
|
|
: "r" (uaddr), "r" (oldval), "r" (newval), "i" (-EFAULT)
|
|
: "cc", "memory");
|
|
|
|
*uval = prev;
|
|
prevent_read_write_user(uaddr, uaddr, sizeof(*uaddr));
|
|
|
|
return ret;
|
|
}
|
|
|
|
#endif /* __KERNEL__ */
|
|
#endif /* _ASM_POWERPC_FUTEX_H */
|