MIPS: math-emu: Write-protect delay slot emulation pages
authorPaul Burton <paul.burton@mips.com>
Thu, 20 Dec 2018 17:45:43 +0000 (17:45 +0000)
committerPaul Burton <paul.burton@mips.com>
Thu, 20 Dec 2018 18:00:01 +0000 (10:00 -0800)
Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.

Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().

This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.

A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.

Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
Cc: stable@vger.kernel.org # v4.8+
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Rich Felker <dalias@libc.org>
Cc: David Daney <david.daney@cavium.com>
arch/mips/kernel/vdso.c
arch/mips/math-emu/dsemul.c

index 48a9c6b90e079110e52603947901be76018323a1..9df3ebdc7b0f7164730b4211fa2c62c7aaeec312 100644 (file)
@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
 
        /* Map delay slot emulation page */
        base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
-                          VM_READ|VM_WRITE|VM_EXEC|
-                          VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
+                          VM_READ | VM_EXEC |
+                          VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
                           0, NULL);
        if (IS_ERR_VALUE(base)) {
                ret = base;
index 5450f4d1c920e22d5119c6ec389fb8ddc22cc176..e2d46cb93ca987f16dc0d19f3d47d04e3235e332 100644 (file)
@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
 {
        int isa16 = get_isa16_mode(regs->cp0_epc);
        mips_instruction break_math;
-       struct emuframe __user *fr;
-       int err, fr_idx;
+       unsigned long fr_uaddr;
+       struct emuframe fr;
+       int fr_idx, ret;
 
        /* NOP is easy */
        if (ir == 0)
@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
                fr_idx = alloc_emuframe();
        if (fr_idx == BD_EMUFRAME_NONE)
                return SIGBUS;
-       fr = &dsemul_page()[fr_idx];
 
        /* Retrieve the appropriately encoded break instruction */
        break_math = BREAK_MATH(isa16);
 
        /* Write the instructions to the frame */
        if (isa16) {
-               err = __put_user(ir >> 16,
-                                (u16 __user *)(&fr->emul));
-               err |= __put_user(ir & 0xffff,
-                                 (u16 __user *)((long)(&fr->emul) + 2));
-               err |= __put_user(break_math >> 16,
-                                 (u16 __user *)(&fr->badinst));
-               err |= __put_user(break_math & 0xffff,
-                                 (u16 __user *)((long)(&fr->badinst) + 2));
+               union mips_instruction _emul = {
+                       .halfword = { ir >> 16, ir }
+               };
+               union mips_instruction _badinst = {
+                       .halfword = { break_math >> 16, break_math }
+               };
+
+               fr.emul = _emul.word;
+               fr.badinst = _badinst.word;
        } else {
-               err = __put_user(ir, &fr->emul);
-               err |= __put_user(break_math, &fr->badinst);
+               fr.emul = ir;
+               fr.badinst = break_math;
        }
 
-       if (unlikely(err)) {
+       /* Write the frame to user memory */
+       fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
+       ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
+                               FOLL_FORCE | FOLL_WRITE);
+       if (unlikely(ret != sizeof(fr))) {
                MIPS_FPU_EMU_INC_STATS(errors);
                free_emuframe(fr_idx, current->mm);
                return SIGBUS;
@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mips_instruction ir,
        atomic_set(&current->thread.bd_emu_frame, fr_idx);
 
        /* Change user register context to execute the frame */
-       regs->cp0_epc = (unsigned long)&fr->emul | isa16;
-
-       /* Ensure the icache observes our newly written frame */
-       flush_cache_sigtramp((unsigned long)&fr->emul);
+       regs->cp0_epc = fr_uaddr | isa16;
 
        return 0;
 }