| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20201201053257.GB7647@atcfdc88>
Date: Tue, 1 Dec 2020 13:32:57 +0800
From: Eric Lin <tesheng@...estech.com>
To: Pekka Enberg <penberg@...il.com>
CC: LKML <linux-kernel@...r.kernel.org>,
linux-riscv <linux-riscv@...ts.infradead.org>,
Michel Lespinasse <walken@...gle.com>,
Daniel Jordan <daniel.m.jordan@...cle.com>,
Peter Xu <peterx@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Albert Ou <aou@...s.berkeley.edu>,
Palmer Dabbelt <palmer@...belt.com>,
Paul Walmsley <paul.walmsley@...ive.com>,
"dslin1010@...il.com" <dslin1010@...il.com>,
"Alan Quey-Liang Kao(?????????)" <alankao@...estech.com>
Subject: Re: [PATCH] riscv/mm: Prevent kernel module access user-space memory
without uaccess routines
On Mon, Nov 30, 2020 at 04:07:03PM +0800, Pekka Enberg wrote:
Hi Pekka,
> On Mon, Nov 30, 2020 at 7:33 AM Eric Lin <tesheng@...estech.com> wrote:
> >
> > In the page fault handler, an access to user-space memory
> > without get/put_user() or copy_from/to_user() routines is
> > not resolved properly. Like arm and other architectures,
> > we need to let it die earlier in page fault handler.
>
> Fix looks good to me. Can you elaborate on how you found the issue and
> how the bug manifests itself?
OK, I'll elaborate more on the commit message.
>
> >
> > Signed-off-by: Eric Lin <tesheng@...estech.com>
> > Cc: Alan Kao <alankao@...estech.com>
> > ---
> > arch/riscv/mm/fault.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
> > index 3c8b9e433c67..a452cfa266a2 100644
> > --- a/arch/riscv/mm/fault.c
> > +++ b/arch/riscv/mm/fault.c
> > @@ -232,6 +232,9 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
> > if (user_mode(regs))
> > flags |= FAULT_FLAG_USER;
> >
> > + if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM)))
> > + die(regs, "Accessing user space memory without uaccess routines\n");
>
> Let's introduce a die_kernel_fault() helper (similar to arm64, for
> example) to ensure same semantics for the different kernel faults. You
> can extract the helper from no_context().
OK, I'll add a die_kernel_fault() helper function in v2.
Thanks for your review.
>
> > +
> > perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
> >
> > if (cause == EXC_STORE_PAGE_FAULT)
> > --
> > 2.17.0
> >
> >
> > _______________________________________________
> > linux-riscv mailing list
> > linux-riscv@...ts.infradead.org
> > http://lists.infradead.org/mailman/listinfo/linux-riscv
Powered by blists - more mailing lists