Commit 475c8749 authored by Aneesh Kumar K.V's avatar Aneesh Kumar K.V Committed by Michael Ellerman
Browse files

powerpc/book3s64/kuap: Improve error reporting with KUAP 



This partially reverts commit eb232b16 ("powerpc/book3s64/kuap: Improve
error reporting with KUAP") and update the fault handler to print

[   55.022514] Kernel attempted to access user page (7e6725b70000) - exploit attempt? (uid: 0)
[   55.022528] BUG: Unable to handle kernel data access on read at 0x7e6725b70000
[   55.022533] Faulting instruction address: 0xc000000000e8b9bc
[   55.022540] Oops: Kernel access of bad area, sig: 11 [#1]
....

when the kernel access userspace address without unlocking AMR.

bad_kuap_fault() is added as part of commit 5e5be3ae ("powerpc/mm: Detect
bad KUAP faults") to catch userspace access incorrectly blocked by AMR. Hence
retain the full stack dump there even with hash translation. Also, add a comment
explaining the difference between hash and radix.

Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20201208031539.84878-1-aneesh.kumar@linux.ibm.com
parent 250ad7a4

arch/powerpc/include/asm/book3s/32/kup.h

+2 −2
Original line number Diff line number Diff line
@@ -177,8 +177,8 @@ static inline void restore_user_access(unsigned long flags) 
		allow_user_access(to, to, end - addr, KUAP_READ_WRITE);

}



static inline bool bad_kuap_fault(struct pt_regs *regs, unsigned long address,

				  bool is_write, unsigned long error_code)

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	unsigned long begin = regs->kuap & 0xf0000000;

	unsigned long end = regs->kuap << 28;

arch/powerpc/include/asm/book3s/64/kup.h

+17 −17
Original line number Diff line number Diff line
@@ -353,29 +353,29 @@ static inline void set_kuap(unsigned long value) 
	isync();

}



#define RADIX_KUAP_BLOCK_READ	UL(0x4000000000000000)

#define RADIX_KUAP_BLOCK_WRITE	UL(0x8000000000000000)



static inline bool bad_kuap_fault(struct pt_regs *regs, unsigned long address,

				  bool is_write, unsigned long error_code)

				  bool is_write)

{

	if (!mmu_has_feature(MMU_FTR_BOOK3S_KUAP))

		return false;



	if (radix_enabled()) {

	/*

		 * Will be a storage protection fault.

		 * Only check the details of AMR[0]

	 * For radix this will be a storage protection fault (DSISR_PROTFAULT).

	 * For hash this will be a key fault (DSISR_KEYFAULT)

	 */

		return WARN((regs->kuap & (is_write ? RADIX_KUAP_BLOCK_WRITE : RADIX_KUAP_BLOCK_READ)),

			    "Bug: %s fault blocked by AMR!", is_write ? "Write" : "Read");

	}

	/*

	 * We don't want to WARN here because userspace can setup

	 * keys such that a kernel access to user address can cause

	 * fault

	 * We do have exception table entry, but accessing the

	 * userspace results in fault.  This could be because we

	 * didn't unlock the AMR or access is denied by userspace

	 * using a key value that blocks access. We are only interested

	 * in catching the use case of accessing without unlocking

	 * the AMR. Hence check for BLOCK_WRITE/READ against AMR.

	 */

	return !!(error_code & DSISR_KEYFAULT);

	if (is_write) {

		return WARN(((regs->amr & AMR_KUAP_BLOCK_WRITE) == AMR_KUAP_BLOCK_WRITE),

			    "Bug: Write fault blocked by AMR!");

	}

	return WARN(((regs->amr & AMR_KUAP_BLOCK_READ) == AMR_KUAP_BLOCK_READ),

		    "Bug: Read fault blocked by AMR!");

}



static __always_inline void allow_user_access(void __user *to, const void __user *from,

arch/powerpc/include/asm/kup.h

+2 −2
Original line number Diff line number Diff line
@@ -62,8 +62,8 @@ void setup_kuap(bool disabled); 
#else

static inline void setup_kuap(bool disabled) { }



static inline bool bad_kuap_fault(struct pt_regs *regs, unsigned long address,

				  bool is_write, unsigned long error_code)

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	return false;

}

arch/powerpc/include/asm/nohash/32/kup-8xx.h

+2 −2
Original line number Diff line number Diff line
@@ -60,8 +60,8 @@ static inline void restore_user_access(unsigned long flags) 
	mtspr(SPRN_MD_AP, flags);

}



static inline bool bad_kuap_fault(struct pt_regs *regs, unsigned long address,

				  bool is_write, unsigned long error_code)

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	return WARN(!((regs->kuap ^ MD_APG_KUAP) & 0xff000000),

		    "Bug: fault blocked by AP register !");

arch/powerpc/mm/fault.c

+2 −2
Original line number Diff line number Diff line
@@ -210,7 +210,7 @@ static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code, 
		return true;

	}



	if (!is_exec && address < TASK_SIZE && (error_code & DSISR_PROTFAULT) &&

	if (!is_exec && address < TASK_SIZE && (error_code & (DSISR_PROTFAULT | DSISR_KEYFAULT)) &&

	    !search_exception_tables(regs->nip)) {

		pr_crit_ratelimited("Kernel attempted to access user page (%lx) - exploit attempt? (uid: %d)\n",

				    address,
@@ -227,7 +227,7 @@ static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code, 


	// Read/write fault in a valid region (the exception table search passed

	// above), but blocked by KUAP is bad, it can never succeed.

	if (bad_kuap_fault(regs, address, is_write, error_code))

	if (bad_kuap_fault(regs, address, is_write))

		return true;



	// What's left? Kernel fault on user in well defined regions (extable

CRA Git | Maintained and supported by SUSTech CRA and CCSE