lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 20 Nov 2020 12:03:11 +0100
From:   Greg Kroah-Hartman <>
Cc:     Greg Kroah-Hartman <>,,,
        Michael Ellerman <>,
        Andrew Donnellan <>
Subject: [PATCH 4.9 06/16] powerpc: Fix __clear_user() with KUAP enabled

From: Andrew Donnellan <>

commit 61e3acd8c693a14fc69b824cb5b08d02cb90a6e7 upstream.

The KUAP implementation adds calls in clear_user() to enable and
disable access to userspace memory. However, it doesn't add these to
__clear_user(), which is used in the ptrace regset code.

As there's only one direct user of __clear_user() (the regset code),
and the time taken to set the AMR for KUAP purposes is going to
dominate the cost of a quick access_ok(), there's not much point
having a separate path.

Rename __clear_user() to __arch_clear_user(), and make __clear_user()
just call clear_user().

Reported-by: Daniel Axtens <>
Suggested-by: Michael Ellerman <>
Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
Signed-off-by: Andrew Donnellan <>
[mpe: Use __arch_clear_user() for the asm version like arm64 & nds32]
Signed-off-by: Michael Ellerman <>
Signed-off-by: Daniel Axtens <>
Signed-off-by: Greg Kroah-Hartman <>
 arch/powerpc/include/asm/uaccess.h |    9 +++++++--
 arch/powerpc/lib/string.S          |    4 ++--
 arch/powerpc/lib/string_64.S       |    6 +++---
 3 files changed, 12 insertions(+), 7 deletions(-)

--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -460,7 +460,7 @@ static inline unsigned long __copy_to_us
 	return __copy_to_user_inatomic(to, from, size);
-extern unsigned long __clear_user(void __user *addr, unsigned long size);
+unsigned long __arch_clear_user(void __user *addr, unsigned long size);
 static inline unsigned long clear_user(void __user *addr, unsigned long size)
@@ -468,12 +468,17 @@ static inline unsigned long clear_user(v
 	if (likely(access_ok(VERIFY_WRITE, addr, size))) {
 		allow_write_to_user(addr, size);
-		ret = __clear_user(addr, size);
+		ret = __arch_clear_user(addr, size);
 		prevent_write_to_user(addr, size);
 	return ret;
+static inline unsigned long __clear_user(void __user *addr, unsigned long size)
+	return clear_user(addr, size);
 extern long strncpy_from_user(char *dst, const char __user *src, long count);
 extern __must_check long strlen_user(const char __user *str);
 extern __must_check long strnlen_user(const char __user *str, long n);
--- a/arch/powerpc/lib/string.S
+++ b/arch/powerpc/lib/string.S
@@ -89,7 +89,7 @@ _GLOBAL(memchr)
 #ifdef CONFIG_PPC32
 	addi	r6,r3,-4
 	li	r3,0
 	li	r5,0
@@ -130,5 +130,5 @@ _GLOBAL(__clear_user)
 	PPC_LONG	1b,91b
 	PPC_LONG	8b,92b
--- a/arch/powerpc/lib/string_64.S
+++ b/arch/powerpc/lib/string_64.S
@@ -28,7 +28,7 @@ PPC64_CACHES:
 	.section	".text"
- * __clear_user: - Zero a block of memory in user space, with less checking.
+ * __arch_clear_user: - Zero a block of memory in user space, with less checking.
  * @to:   Destination address, in user space.
  * @n:    Number of bytes to zero.
@@ -78,7 +78,7 @@ err3;	stb	r0,0(r3)
 	mr	r3,r4
 	cmpdi	r4,32
 	neg	r6,r3
 	li	r0,0
@@ -201,4 +201,4 @@ err1;	dcbz	0,r3
 	cmpdi	r4,32
 	blt	.Lshort_clear
 	b	.Lmedium_clear

Powered by blists - more mailing lists