target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch

   1 From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
   2 From: Paul Burton <paul.burton@mips.com>
   3 Date: Thu, 20 Dec 2018 17:45:43 +0000
   4 Subject: MIPS: math-emu: Write-protect delay slot emulation pages
   5
   6 Mapping the delay slot emulation page as both writeable & executable
   7 presents a security risk, in that if an exploit can write to & jump into
   8 the page then it can be used as an easy way to execute arbitrary code.
   9
  10 Prevent this by mapping the page read-only for userland, and using
  11 access_process_vm() with the FOLL_FORCE flag to write to it from
  12 mips_dsemul().
  13
  14 This will likely be less efficient due to copy_to_user_page() performing
  15 cache maintenance on a whole page, rather than a single line as in the
  16 previous use of flush_cache_sigtramp(). However this delay slot
  17 emulation code ought not to be running in any performance critical paths
  18 anyway so this isn't really a problem, and we can probably do better in
  19 copy_to_user_page() anyway in future.
  20
  21 A major advantage of this approach is that the fix is small & simple to
  22 backport to stable kernels.
  23
  24 Reported-by: Andy Lutomirski <luto@kernel.org>
  25 Signed-off-by: Paul Burton <paul.burton@mips.com>
  26 Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
  27 Cc: stable@vger.kernel.org # v4.8+
  28 Cc: linux-mips@vger.kernel.org
  29 Cc: linux-kernel@vger.kernel.org
  30 Cc: Rich Felker <dalias@libc.org>
  31 Cc: David Daney <david.daney@cavium.com>
  32 ---
  33  arch/mips/kernel/vdso.c     |  4 ++--
  34  arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
  35  2 files changed, 22 insertions(+), 20 deletions(-)
  36
  37 --- a/arch/mips/kernel/vdso.c
  38 +++ b/arch/mips/kernel/vdso.c
  39 @@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
  40
  41         /* Map delay slot emulation page */
  42         base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
  43 -                          VM_READ|VM_WRITE|VM_EXEC|
  44 -                          VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
  45 +                          VM_READ | VM_EXEC |
  46 +                          VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
  47                            0, NULL);
  48         if (IS_ERR_VALUE(base)) {
  49                 ret = base;
  50 --- a/arch/mips/math-emu/dsemul.c
  51 +++ b/arch/mips/math-emu/dsemul.c
  52 @@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
  53  {
  54         int isa16 = get_isa16_mode(regs->cp0_epc);
  55         mips_instruction break_math;
  56 -       struct emuframe __user *fr;
  57 -       int err, fr_idx;
  58 +       unsigned long fr_uaddr;
  59 +       struct emuframe fr;
  60 +       int fr_idx, ret;
  61
  62         /* NOP is easy */
  63         if (ir == 0)
  64 @@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
  65                 fr_idx = alloc_emuframe();
  66         if (fr_idx == BD_EMUFRAME_NONE)
  67                 return SIGBUS;
  68 -       fr = &dsemul_page()[fr_idx];
  69
  70         /* Retrieve the appropriately encoded break instruction */
  71         break_math = BREAK_MATH(isa16);
  72
  73         /* Write the instructions to the frame */
  74         if (isa16) {
  75 -               err = __put_user(ir >> 16,
  76 -                                (u16 __user *)(&fr->emul));
  77 -               err |= __put_user(ir & 0xffff,
  78 -                                 (u16 __user *)((long)(&fr->emul) + 2));
  79 -               err |= __put_user(break_math >> 16,
  80 -                                 (u16 __user *)(&fr->badinst));
  81 -               err |= __put_user(break_math & 0xffff,
  82 -                                 (u16 __user *)((long)(&fr->badinst) + 2));
  83 +               union mips_instruction _emul = {
  84 +                       .halfword = { ir >> 16, ir }
  85 +               };
  86 +               union mips_instruction _badinst = {
  87 +                       .halfword = { break_math >> 16, break_math }
  88 +               };
  89 +
  90 +               fr.emul = _emul.word;
  91 +               fr.badinst = _badinst.word;
  92         } else {
  93 -               err = __put_user(ir, &fr->emul);
  94 -               err |= __put_user(break_math, &fr->badinst);
  95 +               fr.emul = ir;
  96 +               fr.badinst = break_math;
  97         }
  98
  99 -       if (unlikely(err)) {
 100 +       /* Write the frame to user memory */
 101 +       fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
 102 +       ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
 103 +                               FOLL_FORCE | FOLL_WRITE);
 104 +       if (unlikely(ret != sizeof(fr))) {
 105                 MIPS_FPU_EMU_INC_STATS(errors);
 106                 free_emuframe(fr_idx, current->mm);
 107                 return SIGBUS;
 108 @@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
 109         atomic_set(&current->thread.bd_emu_frame, fr_idx);
 110
 111         /* Change user register context to execute the frame */
 112 -       regs->cp0_epc = (unsigned long)&fr->emul | isa16;
 113 -
 114 -       /* Ensure the icache observes our newly written frame */
 115 -       flush_cache_sigtramp((unsigned long)&fr->emul);
 116 +       regs->cp0_epc = fr_uaddr | isa16;
 117
 118         return 0;
 119  }