mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-04 17:44:14 +08:00
3fed9e5514
If a compat process tries to execute an unknown system call above the __ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the offending process. Information about the error is printed to dmesg in compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() -> arm64_show_signal(). arm64_show_signal() interprets a non-zero value for current->thread.fault_code as an exception syndrome and displays the message associated with the ESR_ELx.EC field (bits 31:26). current->thread.fault_code is set in compat_arm_syscall() -> arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx value. This means that the ESR_ELx.EC field has the value that the user set for the syscall number and the kernel can end up printing bogus exception messages*. For example, for the syscall number 0x68000000, which evaluates to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error: [ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000] [ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79 [ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT) [..] which is misleading, as the bad compat syscall has nothing to do with pointer authentication. Stop arm64_show_signal() from printing exception syndrome information by having compat_arm_syscall() set the ESR_ELx value to 0, as it has no meaning for an invalid system call number. The example above now becomes: [ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000] [ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80 [ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT) [..] which although shows less information because the syscall number, wrongfully advertised as the ESR value, is missing, it is better than showing plainly wrong information. The syscall number can be easily obtained with strace. *A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative integer in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END evaluates to true; the syscall will exit to userspace in this case with the ENOSYS error code instead of arm64_notify_die() being called. Signed-off-by: Alexandru Elisei <alexandru.elisei@arm.com> Reviewed-by: Marc Zyngier <maz@kernel.org> Link: https://lore.kernel.org/r/20220425114444.368693-3-alexandru.elisei@arm.com Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
119 lines
2.9 KiB
C
119 lines
2.9 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Based on arch/arm/kernel/sys_arm.c
|
|
*
|
|
* Copyright (C) People who wrote linux/arch/i386/kernel/sys_i386.c
|
|
* Copyright (C) 1995, 1996 Russell King.
|
|
* Copyright (C) 2012 ARM Ltd.
|
|
*/
|
|
|
|
#include <linux/compat.h>
|
|
#include <linux/cpufeature.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/sched/signal.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
#include <asm/cacheflush.h>
|
|
#include <asm/system_misc.h>
|
|
#include <asm/tlbflush.h>
|
|
#include <asm/unistd.h>
|
|
|
|
static long
|
|
__do_compat_cache_op(unsigned long start, unsigned long end)
|
|
{
|
|
long ret;
|
|
|
|
do {
|
|
unsigned long chunk = min(PAGE_SIZE, end - start);
|
|
|
|
if (fatal_signal_pending(current))
|
|
return 0;
|
|
|
|
if (cpus_have_const_cap(ARM64_WORKAROUND_1542419)) {
|
|
/*
|
|
* The workaround requires an inner-shareable tlbi.
|
|
* We pick the reserved-ASID to minimise the impact.
|
|
*/
|
|
__tlbi(aside1is, __TLBI_VADDR(0, 0));
|
|
dsb(ish);
|
|
}
|
|
|
|
ret = caches_clean_inval_user_pou(start, start + chunk);
|
|
if (ret)
|
|
return ret;
|
|
|
|
cond_resched();
|
|
start += chunk;
|
|
} while (start < end);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline long
|
|
do_compat_cache_op(unsigned long start, unsigned long end, int flags)
|
|
{
|
|
if (end < start || flags)
|
|
return -EINVAL;
|
|
|
|
if (!access_ok((const void __user *)start, end - start))
|
|
return -EFAULT;
|
|
|
|
return __do_compat_cache_op(start, end);
|
|
}
|
|
/*
|
|
* Handle all unrecognised system calls.
|
|
*/
|
|
long compat_arm_syscall(struct pt_regs *regs, int scno)
|
|
{
|
|
unsigned long addr;
|
|
|
|
switch (scno) {
|
|
/*
|
|
* Flush a region from virtual address 'r0' to virtual address 'r1'
|
|
* _exclusive_. There is no alignment requirement on either address;
|
|
* user space does not need to know the hardware cache layout.
|
|
*
|
|
* r2 contains flags. It should ALWAYS be passed as ZERO until it
|
|
* is defined to be something else. For now we ignore it, but may
|
|
* the fires of hell burn in your belly if you break this rule. ;)
|
|
*
|
|
* (at a later date, we may want to allow this call to not flush
|
|
* various aspects of the cache. Passing '0' will guarantee that
|
|
* everything necessary gets flushed to maintain consistency in
|
|
* the specified region).
|
|
*/
|
|
case __ARM_NR_compat_cacheflush:
|
|
return do_compat_cache_op(regs->regs[0], regs->regs[1], regs->regs[2]);
|
|
|
|
case __ARM_NR_compat_set_tls:
|
|
current->thread.uw.tp_value = regs->regs[0];
|
|
|
|
/*
|
|
* Protect against register corruption from context switch.
|
|
* See comment in tls_thread_flush.
|
|
*/
|
|
barrier();
|
|
write_sysreg(regs->regs[0], tpidrro_el0);
|
|
return 0;
|
|
|
|
default:
|
|
/*
|
|
* Calls 0xf0xxx..0xf07ff are defined to return -ENOSYS
|
|
* if not implemented, rather than raising SIGILL. This
|
|
* way the calling program can gracefully determine whether
|
|
* a feature is supported.
|
|
*/
|
|
if (scno < __ARM_NR_COMPAT_END)
|
|
return -ENOSYS;
|
|
break;
|
|
}
|
|
|
|
addr = instruction_pointer(regs) - (compat_thumb_mode(regs) ? 2 : 4);
|
|
|
|
arm64_notify_die("Oops - bad compat syscall(2)", regs,
|
|
SIGILL, ILL_ILLTRP, addr, 0);
|
|
return 0;
|
|
}
|