首页 发现 帮助
注册 登录
OpenWrt
/
openwrt
镜像自地址 https://github.com/openwrt/openwrt.git
2
0
派生 0
文件 工单管理 0 Wiki
目录树: 76cc766521
分支列表 标签列表
openwrt
/
target
/
linux
/
generic
/
backport-4.19
/
096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch

096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch 4.0 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Paul Burton <[email protected]>
    3. 

  3. Date: Thu, 20 Dec 2018 17:45:43 +0000
    4. 

  4. Subject: MIPS: math-emu: Write-protect delay slot emulation pages
    5. 

  5. 

  6. Mapping the delay slot emulation page as both writeable & executable
    7. 

  7. presents a security risk, in that if an exploit can write to & jump into
    8. 

  8. the page then it can be used as an easy way to execute arbitrary code.
    9. 

  9. 

  10. Prevent this by mapping the page read-only for userland, and using
    11. 

  11. access_process_vm() with the FOLL_FORCE flag to write to it from
    12. 

  12. mips_dsemul().
    13. 

  13. 

  14. This will likely be less efficient due to copy_to_user_page() performing
    15. 

  15. cache maintenance on a whole page, rather than a single line as in the
    16. 

  16. previous use of flush_cache_sigtramp(). However this delay slot
    17. 

  17. emulation code ought not to be running in any performance critical paths
    18. 

  18. anyway so this isn't really a problem, and we can probably do better in
    19. 

  19. copy_to_user_page() anyway in future.
    20. 

  20. 

  21. A major advantage of this approach is that the fix is small & simple to
    22. 

  22. backport to stable kernels.
    23. 

  23. 

  24. Reported-by: Andy Lutomirski <[email protected]>
    25. 

  25. Signed-off-by: Paul Burton <[email protected]>
    26. 

  26. Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
    27. 

  27. Cc: [email protected] # v4.8+
    28. 

  28. Cc: [email protected]
    29. 

  29. Cc: [email protected]
    30. 

  30. Cc: Rich Felker <[email protected]>
    31. 

  31. Cc: David Daney <[email protected]>
    32. 

  32. ---
    33. 

  33.  arch/mips/kernel/vdso.c     |  4 ++--
    34. 

  34.  arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
    35. 

  35.  2 files changed, 22 insertions(+), 20 deletions(-)
    36. 

  36. 

  37. --- a/arch/mips/kernel/vdso.c
    38. 

  38. +++ b/arch/mips/kernel/vdso.c
    39. 

  39. @@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
    40. 

  40.  
    41. 

  41.  	/* Map delay slot emulation page */
    42. 

  42.  	base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
    43. 

  43. -			   VM_READ|VM_WRITE|VM_EXEC|
    44. 

  44. -			   VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
    45. 

  45. +			   VM_READ | VM_EXEC |
    46. 

  46. +			   VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
    47. 

  47.  			   0, NULL);
    48. 

  48.  	if (IS_ERR_VALUE(base)) {
    49. 

  49.  		ret = base;
    50. 

  50. --- a/arch/mips/math-emu/dsemul.c
    51. 

  51. +++ b/arch/mips/math-emu/dsemul.c
    52. 

  52. @@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
    53. 

  53.  {
    54. 

  54.  	int isa16 = get_isa16_mode(regs->cp0_epc);
    55. 

  55.  	mips_instruction break_math;
    56. 

  56. -	struct emuframe __user *fr;
    57. 

  57. -	int err, fr_idx;
    58. 

  58. +	unsigned long fr_uaddr;
    59. 

  59. +	struct emuframe fr;
    60. 

  60. +	int fr_idx, ret;
    61. 

  61.  
    62. 

  62.  	/* NOP is easy */
    63. 

  63.  	if (ir == 0)
    64. 

  64. @@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
    65. 

  65.  		fr_idx = alloc_emuframe();
    66. 

  66.  	if (fr_idx == BD_EMUFRAME_NONE)
    67. 

  67.  		return SIGBUS;
    68. 

  68. -	fr = &dsemul_page()[fr_idx];
    69. 

  69.  
    70. 

  70.  	/* Retrieve the appropriately encoded break instruction */
    71. 

  71.  	break_math = BREAK_MATH(isa16);
    72. 

  72.  
    73. 

  73.  	/* Write the instructions to the frame */
    74. 

  74.  	if (isa16) {
    75. 

  75. -		err = __put_user(ir >> 16,
    76. 

  76. -				 (u16 __user *)(&fr->emul));
    77. 

  77. -		err |= __put_user(ir & 0xffff,
    78. 

  78. -				  (u16 __user *)((long)(&fr->emul) + 2));
    79. 

  79. -		err |= __put_user(break_math >> 16,
    80. 

  80. -				  (u16 __user *)(&fr->badinst));
    81. 

  81. -		err |= __put_user(break_math & 0xffff,
    82. 

  82. -				  (u16 __user *)((long)(&fr->badinst) + 2));
    83. 

  83. +		union mips_instruction _emul = {
    84. 

  84. +			.halfword = { ir >> 16, ir }
    85. 

  85. +		};
    86. 

  86. +		union mips_instruction _badinst = {
    87. 

  87. +			.halfword = { break_math >> 16, break_math }
    88. 

  88. +		};
    89. 

  89. +
    90. 

  90. +		fr.emul = _emul.word;
    91. 

  91. +		fr.badinst = _badinst.word;
    92. 

  92.  	} else {
    93. 

  93. -		err = __put_user(ir, &fr->emul);
    94. 

  94. -		err |= __put_user(break_math, &fr->badinst);
    95. 

  95. +		fr.emul = ir;
    96. 

  96. +		fr.badinst = break_math;
    97. 

  97.  	}
    98. 

  98.  
    99. 

  99. -	if (unlikely(err)) {
    100. 

  100. +	/* Write the frame to user memory */
    101. 

  101. +	fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
    102. 

  102. +	ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
    103. 

  103. +				FOLL_FORCE | FOLL_WRITE);
    104. 

  104. +	if (unlikely(ret != sizeof(fr))) {
    105. 

  105.  		MIPS_FPU_EMU_INC_STATS(errors);
    106. 

  106.  		free_emuframe(fr_idx, current->mm);
    107. 

  107.  		return SIGBUS;
    108. 

  108. @@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
    109. 

  109.  	atomic_set(&current->thread.bd_emu_frame, fr_idx);
    110. 

  110.  
    111. 

  111.  	/* Change user register context to execute the frame */
    112. 

  112. -	regs->cp0_epc = (unsigned long)&fr->emul | isa16;
    113. 

  113. -
    114. 

  114. -	/* Ensure the icache observes our newly written frame */
    115. 

  115. -	flush_cache_sigtramp((unsigned long)&fr->emul);
    116. 

  116. +	regs->cp0_epc = fr_uaddr | isa16;
    117. 

  117.  
    118. 

  118.  	return 0;
    119. 

  119.  }
    120.