Message ID | 20201130053037.27006-1-tesheng@andestech.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | riscv/mm: Prevent kernel module access user-space memory without uaccess routines | expand |
On Mon, Nov 30, 2020 at 7:33 AM Eric Lin <tesheng@andestech.com> wrote: > > In the page fault handler, an access to user-space memory > without get/put_user() or copy_from/to_user() routines is > not resolved properly. Like arm and other architectures, > we need to let it die earlier in page fault handler. Fix looks good to me. Can you elaborate on how you found the issue and how the bug manifests itself? > > Signed-off-by: Eric Lin <tesheng@andestech.com> > Cc: Alan Kao <alankao@andestech.com> > --- > arch/riscv/mm/fault.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c > index 3c8b9e433c67..a452cfa266a2 100644 > --- a/arch/riscv/mm/fault.c > +++ b/arch/riscv/mm/fault.c > @@ -232,6 +232,9 @@ asmlinkage void do_page_fault(struct pt_regs *regs) > if (user_mode(regs)) > flags |= FAULT_FLAG_USER; > > + if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM))) > + die(regs, "Accessing user space memory without uaccess routines\n"); Let's introduce a die_kernel_fault() helper (similar to arm64, for example) to ensure same semantics for the different kernel faults. You can extract the helper from no_context(). > + > perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); > > if (cause == EXC_STORE_PAGE_FAULT) > -- > 2.17.0 > > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
> + if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM)))
Please avoid the overly long line.
On Mon, Nov 30, 2020 at 04:30:15PM +0800, Christoph Hellwig wrote: Hi Christoph, > > + if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM))) > > Please avoid the overly long line. OK, I'll modify it in v2. Thanks for your review.
On Mon, Nov 30, 2020 at 04:07:03PM +0800, Pekka Enberg wrote: Hi Pekka, > On Mon, Nov 30, 2020 at 7:33 AM Eric Lin <tesheng@andestech.com> wrote: > > > > In the page fault handler, an access to user-space memory > > without get/put_user() or copy_from/to_user() routines is > > not resolved properly. Like arm and other architectures, > > we need to let it die earlier in page fault handler. > > Fix looks good to me. Can you elaborate on how you found the issue and > how the bug manifests itself? OK, I'll elaborate more on the commit message. > > > > > Signed-off-by: Eric Lin <tesheng@andestech.com> > > Cc: Alan Kao <alankao@andestech.com> > > --- > > arch/riscv/mm/fault.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c > > index 3c8b9e433c67..a452cfa266a2 100644 > > --- a/arch/riscv/mm/fault.c > > +++ b/arch/riscv/mm/fault.c > > @@ -232,6 +232,9 @@ asmlinkage void do_page_fault(struct pt_regs *regs) > > if (user_mode(regs)) > > flags |= FAULT_FLAG_USER; > > > > + if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM))) > > + die(regs, "Accessing user space memory without uaccess routines\n"); > > Let's introduce a die_kernel_fault() helper (similar to arm64, for > example) to ensure same semantics for the different kernel faults. You > can extract the helper from no_context(). OK, I'll add a die_kernel_fault() helper function in v2. Thanks for your review. > > > + > > perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); > > > > if (cause == EXC_STORE_PAGE_FAULT) > > -- > > 2.17.0 > > > > > > _______________________________________________ > > linux-riscv mailing list > > linux-riscv@lists.infradead.org > > http://lists.infradead.org/mailman/listinfo/linux-riscv
diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c index 3c8b9e433c67..a452cfa266a2 100644 --- a/arch/riscv/mm/fault.c +++ b/arch/riscv/mm/fault.c @@ -232,6 +232,9 @@ asmlinkage void do_page_fault(struct pt_regs *regs) if (user_mode(regs)) flags |= FAULT_FLAG_USER; + if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM))) + die(regs, "Accessing user space memory without uaccess routines\n"); + perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr); if (cause == EXC_STORE_PAGE_FAULT)
In the page fault handler, an access to user-space memory without get/put_user() or copy_from/to_user() routines is not resolved properly. Like arm and other architectures, we need to let it die earlier in page fault handler. Signed-off-by: Eric Lin <tesheng@andestech.com> Cc: Alan Kao <alankao@andestech.com> --- arch/riscv/mm/fault.c | 3 +++ 1 file changed, 3 insertions(+)