From patchwork Fri Oct 18 17:29:42 2024
X-Patchwork-Submitter: "Ritesh Harjani (IBM)"
X-Patchwork-Id: 13842083
From: "Ritesh Harjani (IBM)"
To: linuxppc-dev@lists.ozlabs.org
Cc: kasan-dev@googlegroups.com, linux-mm@kvack.org, Marco Elver, Alexander Potapenko, Heiko Carstens, Michael Ellerman, Nicholas Piggin, Madhavan Srinivasan, Christophe Leroy, Hari Bathini, "Aneesh Kumar K . V", Donet Tom, Pavithra Prakash, LKML, "Ritesh Harjani (IBM)", Disha Goel
Subject: [PATCH v3 01/12] powerpc: mm/fault: Fix kfence page fault reporting
Date: Fri, 18 Oct 2024 22:59:42 +0530
X-Mailer: git-send-email 2.46.0

copy_from_kernel_nofault() can be called when doing a read of /proc/kcore.
/proc/kcore can have some unmapped kfence objects which, when read via
copy_from_kernel_nofault(), can cause page faults. Since *_nofault() functions
define their own fixup table for handling faults, use that instead of asking
kfence to handle such faults.

Hence we search the exception tables for the nip which generated the fault.
If there is an entry then we let the fixup table handler handle the page fault
by returning an error from within ___do_page_fault().

This can be easily triggered if someone tries to do dd from /proc/kcore.
dd if=/proc/kcore of=/dev/null bs=1M

===============================
BUG: KFENCE: invalid read in copy_from_kernel_nofault+0xb0/0x1c8

Invalid read at 0x000000004f749d2e:
 copy_from_kernel_nofault+0xb0/0x1c8
 0xc0000000057f7950
 read_kcore_iter+0x41c/0x9ac
 proc_reg_read_iter+0xe4/0x16c
 vfs_read+0x2e4/0x3b0
 ksys_read+0x88/0x154
 system_call_exception+0x124/0x340
 system_call_common+0x160/0x2c4

BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0xb0/0x1c8

Use-after-free read at 0x000000008fbb08ad (in kfence-#0):
 copy_from_kernel_nofault+0xb0/0x1c8
 0xc0000000057f7950
 read_kcore_iter+0x41c/0x9ac
 proc_reg_read_iter+0xe4/0x16c
 vfs_read+0x2e4/0x3b0
 ksys_read+0x88/0x154
 system_call_exception+0x124/0x340
 system_call_common+0x160/0x2c4

Fixes: 90cbac0e995d ("powerpc: Enable KFENCE for PPC32")
Suggested-by: Christophe Leroy
Reported-by: Disha Goel
Signed-off-by: Ritesh Harjani (IBM)
Reviewed-by: Christophe Leroy
---
 arch/powerpc/mm/fault.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

-- 
2.46.0

diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index 81c77ddce2e3..316f5162ffc4 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -439,10 +439,17 @@ static int ___do_page_fault(struct pt_regs *regs, unsigned long address, /* * The kernel should never take an execute fault nor should it * take a page fault to a kernel address or a page fault to a user - * address outside of dedicated places + * address outside of dedicated places. + * + * Rather than kfence directly reporting false negatives, search whether + * the NIP belongs to the fixup table for cases where fault could come + * from functions like copy_from_kernel_nofault(). */ if (unlikely(!is_user && bad_kernel_fault(regs, error_code, address, is_write))) { - if (kfence_handle_page_fault(address, is_write, regs)) + + if (is_kfence_address((void *)address) && + !search_exception_tables(instruction_pointer(regs)) && + kfence_handle_page_fault(address, is_write, regs)) return 0; return SIGSEGV;
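Review bot: the new comment says "Rather than kfence directly reporting false negatives", but what the commit message shows (an "invalid read" and a "use-after-free read" report for a legitimate /proc/kcore read that goes through copy_from_kernel_nofault()) is a false positive, so the wording should be "Rather than kfence reporting false positives, check whether the NIP has a fixup entry for cases where the fault comes from functions like copy_from_kernel_nofault()". Two smaller points on the same hunk: the blank `+` line added directly after `if (unlikely(!is_user && bad_kernel_fault(regs, error_code, address, is_write))) {` should be dropped, checkpatch flags blank lines after an open brace; and the order of the new condition is worth a sentence in the comment, since putting `is_kfence_address((void *)address)` first keeps the `search_exception_tables()` walk off the path for every non-KFENCE bad kernel fault. The comment could also state the trade-off being made: a genuine use-after-free reached through a *_nofault accessor now goes to the fixup handler via the SIGSEGV return (the caller sees an error) instead of producing a KFENCE report, so such a bug is only caught when the object is touched by an ordinary access.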
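The decision the commit message describes (consult the exception table for the faulting NIP before letting KFENCE claim a fault in its pool, and let the fixup handler take it instead) can be walked through end to end in user space. The block below is an added example, not the kernel's code and not part of this patch: `search_exception_tables()`, `is_kfence_address()`, `kfence_handle_page_fault()` and `bad_page_fault()` are stand-ins modelled on the kernel functions of the same name, the exception table, the KFENCE pool window and every address are constructed, and the `patched` flag switches between the pre-patch order (KFENCE sees every fault in its pool) and the order the hunk introduces.

```c
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of struct exception_table_entry: faulting insn -> fixup landing pad. */
struct extable_entry { uintptr_t insn, fixup; };

/*
 * Constructed exception table, sorted by insn like the kernel's __ex_table.
 * Invented addresses; entry 0 stands for the load in copy_from_kernel_nofault()
 * that appears in the commit message's KFENCE splat.
 */
static const struct extable_entry extable[] = {
	{ 0xc000000000a01000ull, 0xc000000000a01ff0ull },
	{ 0xc000000000b02000ull, 0xc000000000b02ff0ull },
};

static int cmp_insn(const void *key, const void *elt)
{
	uintptr_t k = *(const uintptr_t *)key;
	uintptr_t e = ((const struct extable_entry *)elt)->insn;
	return (k > e) - (k < e);
}

/* Stand-in for search_exception_tables(): NULL when nip has no fixup entry. */
static const struct extable_entry *search_exception_tables(uintptr_t nip)
{
	return bsearch(&nip, extable, sizeof(extable) / sizeof(extable[0]),
		       sizeof(extable[0]), cmp_insn);
}

/* Constructed pool window standing in for __kfence_pool / KFENCE_POOL_SIZE. */
#define KFENCE_POOL_START 0xc000000005000000ull
#define KFENCE_POOL_SIZE  (255 * 2 * 4096ull)

static bool is_kfence_address(uintptr_t addr)
{
	return addr - KFENCE_POOL_START < KFENCE_POOL_SIZE; /* unsigned wrap: one compare */
}

struct fault_regs { uintptr_t nip; };
static int kfence_reports; /* how many times the KFENCE reporter fired */

/* Stand-in for kfence_handle_page_fault(): report and claim the fault. */
static bool kfence_handle_page_fault(uintptr_t addr, bool is_write, struct fault_regs *regs)
{
	if (!is_kfence_address(addr))
		return false;
	kfence_reports++;
	printf("BUG: KFENCE: invalid %s at 0x%lx, nip 0x%lx\n",
	       is_write ? "write" : "read", (unsigned long)addr, (unsigned long)regs->nip);
	return true;
}

/*
 * The ___do_page_fault() decision. patched == false is the pre-patch order;
 * patched == true lets a nip that has a fixup entry bypass KFENCE and be
 * returned as SIGSEGV for the fixup path. Returns 0 when KFENCE took the fault.
 */
static int do_kernel_fault(struct fault_regs *regs, uintptr_t addr, bool is_write, bool patched)
{
	if (patched) {
		if (is_kfence_address(addr) && !search_exception_tables(regs->nip) &&
		    kfence_handle_page_fault(addr, is_write, regs))
			return 0;
	} else if (kfence_handle_page_fault(addr, is_write, regs)) {
		return 0;
	}
	return SIGSEGV;
}

/* Stand-in for bad_page_fault(): a fixup entry redirects nip, otherwise oops. */
static int bad_page_fault(struct fault_regs *regs)
{
	const struct extable_entry *e = search_exception_tables(regs->nip);
	if (!e)
		return -1;	/* no fixup: the real kernel would oops here */
	regs->nip = e->fixup;	/* resume at the landing pad, which returns -EFAULT */
	return -EFAULT;
}

/* One kernel-mode fault end to end: 0 = KFENCE report, -EFAULT = fixup, -1 = oops. */
int simulate_fault(uintptr_t nip, uintptr_t addr, bool is_write, bool patched)
{
	struct fault_regs regs = { .nip = nip };
	if (do_kernel_fault(&regs, addr, is_write, patched) == 0)
		return 0;
	return bad_page_fault(&regs);
}

int main(void)
{
	uintptr_t nofault_nip = extable[0].insn;		/* insn with a fixup entry */
	uintptr_t freed_obj = KFENCE_POOL_START + 0x1000;	/* a KFENCE slot */
	printf("before patch, nofault read -> %d\n", simulate_fault(nofault_nip, freed_obj, false, false));
	printf("after patch,  nofault read -> %d\n", simulate_fault(nofault_nip, freed_obj, false, true));
	printf("after patch,  plain read   -> %d\n", simulate_fault(nofault_nip + 4, freed_obj, false, true));
	return 0;
}
```

Run as is, the first call reproduces the spurious splat from the commit message (KFENCE reports a read that copy_from_kernel_nofault() was prepared to have fail), the second shows the patched order handing the same fault to the fixup landing pad so the caller sees -EFAULT, and the third shows that an ordinary load from the next instruction, which has no fixup entry, still reaches the KFENCE reporter. The model also makes the trade-off visible: with `patched == true`, a genuine use-after-free that is only ever touched through a *_nofault accessor is returned as -EFAULT and never reported.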