Commit 6ec20aa2 authored by Christophe Leroy's avatar Christophe Leroy Committed by Michael Ellerman
Browse files

powerpc/32s: Fix bad_kuap_fault() 



At the moment, bad_kuap_fault() reports a fault only if a bad access
to userspace occurred while access to userspace was not granted.

But if a fault occurs for a write outside the allowed userspace
segment(s) that have been unlocked, bad_kuap_fault() fails to
detect it and the kernel loops forever in do_page_fault().

Fix it by checking that the accessed address is within the allowed
range.

Fixes: a68c31fc ("powerpc/32s: Implement Kernel Userspace Access Protection")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/f48244e9485ada0a304ed33ccbb8da271180c80d.1579866752.git.christophe.leroy@c-s.fr
parent 3c2659bd

arch/powerpc/include/asm/book3s/32/kup.h

+7 −2
Original line number Diff line number Diff line
@@ -131,12 +131,17 @@ static inline void prevent_user_access(void __user *to, const void __user *from, 
	kuap_update_sr(mfsrin(addr) | SR_KS, addr, end);	/* set Ks */

}



static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write)

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	unsigned long begin = regs->kuap & 0xf0000000;

	unsigned long end = regs->kuap << 28;



	if (!is_write)

		return false;



	return WARN(!regs->kuap, "Bug: write fault blocked by segment registers !");

	return WARN(address < begin || address >= end,

		    "Bug: write fault blocked by segment registers !");

}



#endif /* CONFIG_PPC_KUAP */

arch/powerpc/include/asm/book3s/64/kup-radix.h

+2 −1
Original line number Diff line number Diff line
@@ -95,7 +95,8 @@ static inline void prevent_user_access(void __user *to, const void __user *from, 
	set_kuap(AMR_KUAP_BLOCKED);

}



static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write)

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	return WARN(mmu_has_feature(MMU_FTR_RADIX_KUAP) &&

		    (regs->kuap & (is_write ? AMR_KUAP_BLOCK_WRITE : AMR_KUAP_BLOCK_READ)),

arch/powerpc/include/asm/kup.h

+5 −1
Original line number Diff line number Diff line
@@ -45,7 +45,11 @@ static inline void allow_user_access(void __user *to, const void __user *from, 
				     unsigned long size) { }

static inline void prevent_user_access(void __user *to, const void __user *from,

				       unsigned long size) { }

static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write) { return false; }

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	return false;

}

#endif /* CONFIG_PPC_KUAP */



static inline void allow_read_from_user(const void __user *from, unsigned long size)

arch/powerpc/include/asm/nohash/32/kup-8xx.h

+2 −1
Original line number Diff line number Diff line
@@ -46,7 +46,8 @@ static inline void prevent_user_access(void __user *to, const void __user *from, 
	mtspr(SPRN_MD_AP, MD_APG_KUAP);

}



static inline bool bad_kuap_fault(struct pt_regs *regs, bool is_write)

static inline bool

bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)

{

	return WARN(!((regs->kuap ^ MD_APG_KUAP) & 0xf0000000),

		    "Bug: fault blocked by AP register !");

arch/powerpc/mm/fault.c

+1 −1
Original line number Diff line number Diff line
@@ -233,7 +233,7 @@ static bool bad_kernel_fault(struct pt_regs *regs, unsigned long error_code, 


	// Read/write fault in a valid region (the exception table search passed

	// above), but blocked by KUAP is bad, it can never succeed.

	if (bad_kuap_fault(regs, is_write))

	if (bad_kuap_fault(regs, address, is_write))

		return true;



	// What's left? Kernel fault on user in well defined regions (extable

CRA Git | Maintained and supported by SUSTech CRA and CCSE