powerpc/mm/hash: Handle user access of kernel address gracefully (374f3f59) · Commits · 戴 / test

In commit ("powerpc/mm: Move the DSISR_PROTFAULT sanity check") we moved the protection fault access check before the vma lookup. That means we hit that WARN_ON when user space accesses a kernel address. Before that commit this was handled by find_vma() not finding vma for the kernel address and considering that access as bad area access. Avoid the confusing WARN_ON and convert that to a ratelimited printk. With the patch we now get: for load: a.out[5997]: User access of kernel address (c00000000000dea0) - exploit attempt? (uid: 1000) a.out[5997]: segfault (11) at c00000000000dea0 nip 1317c0798 lr 7fff80d6441c code 1 in a.out[1317c0000+10000] a.out[5997]: code: 60000000 60420000 3c4c0002 38427790 4bffff20 3c4c0002 38427784 fbe1fff8 a.out[5997]: code: f821ffc1 7c3f0b78 60000000 e9228030 <89290000> 993f002f 60000000 383f0040 for exec: a.out[6067]: User access of kernel address (c00000000000dea0) - exploit attempt? (uid: 1000) a.out[6067]: segfault (11) at c00000000000dea0 nip c00000000000dea0 lr 129d507b0 code 1 a.out[6067]: Bad NIP, not dumping instructions. Fixes: ("powerpc/mm: Move the DSISR_PROTFAULT sanity check") Signed-off-by:

Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com> Tested-by:

Breno Leitao <leitao@debian.org> [mpe: Don't split printk() string across lines] Signed-off-by:

Michael Ellerman <mpe@ellerman.id.au>

arch/powerpc/mm/fault.c

+19 −5

Original line number	Diff line number	Diff line
		@@ -342,8 +342,19 @@ static inline void cmo_account_page_fault(void) { }
		#endif /* CONFIG_PPC_SMLPAR */

		#ifdef CONFIG_PPC_BOOK3S
		static void sanity_check_fault(bool is_write, unsigned long error_code)
		static void sanity_check_fault(bool is_write, bool is_user,
		unsigned long error_code, unsigned long address)
		{
		/*
		* Userspace trying to access kernel address, we get PROTFAULT for that.
		*/
		if (is_user && address >= TASK_SIZE) {
		pr_crit_ratelimited("%s[%d]: User access of kernel address (%lx) - exploit attempt? (uid: %d)\n",
		current->comm, current->pid, address,
		from_kuid(&init_user_ns, current_uid()));
		return;
		}

		/*
		* For hash translation mode, we should never get a
		* PROTFAULT. Any update to pte to reduce access will result in us
		@@ -373,11 +384,14 @@ static void sanity_check_fault(bool is_write, unsigned long error_code)
		* For radix, we can get prot fault for autonuma case, because radix
		* page table will have them marked noaccess for user.
		*/
		if (!radix_enabled() && !is_write)
		if (radix_enabled() \|\| is_write)
		return;

		WARN_ON_ONCE(error_code & DSISR_PROTFAULT);
		}
		#else
		static void sanity_check_fault(bool is_write, unsigned long error_code) { }
		static void sanity_check_fault(bool is_write, bool is_user,
		unsigned long error_code, unsigned long address) { }
		#endif /* CONFIG_PPC_BOOK3S */

		/*
		@@ -435,7 +449,7 @@ static int __do_page_fault(struct pt_regs *regs, unsigned long address,
		}

		/* Additional sanity check(s) */
		sanity_check_fault(is_write, error_code);
		sanity_check_fault(is_write, is_user, error_code, address);

		/*
		* The kernel should never take an execute fault nor should it

Admin message