From patchwork Wed Jan 17 15:07:34 2024
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 13521886
Date: Wed, 17 Jan 2024 16:07:34 +0100
Message-ID: <20240117150733.2608655-2-ardb+git@google.com>
Subject: [PATCH] ARM: mm: Disregard user space addresses in BUG() address check
From: Ard Biesheuvel
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel, Kees Cook, Russell King, Mark Brown, Zhen Lei, Linus Walleij
X-Mailer: git-send-email 2.43.0.381.gb435a96ce8-goog
X-Developer-Key: i=ardb@kernel.org; a=openpgp; fpr=F43D03328115A198C90016883D200E9CA6329909
From: Ard Biesheuvel

is_valid_bugaddr() dereferences the faulting PC to fetch the instruction that triggered the fault, to decide whether it is a BRK instruction used to force an exception. This is used by the BUG() infrastructure to keep the handling logic (which should never execute) separate from the code that normally runs.

This dereference may attempt to access user memory if the faulting PC happens to contain a user address. One way this might happen is when the kernel is tricked into executing from user space while PAN protections (Privileged Access Never) are in effect: the instruction fetch will trigger a prefetch abort, the handling of which involves a check whether the instruction that caused it is a BRK, requiring a load from the same address. This load is privileged too, and so it will trigger another exception, which we fail to recover from.

Given that BRK instructions tied to BUG() handling can only appear in kernel code, let's check first that the PC actually points into kernel memory.

Cc: Kees Cook
Cc: Russell King
Cc: Mark Brown
Cc: Zhen Lei
Cc: Linus Walleij
Link: https://lkml.kernel.org/r/202401111544.18EBB6AA%40keescook
Signed-off-by: Ard Biesheuvel
Reviewed-by: Mark Brown
Tested-by: Mark Brown
---
 arch/arm/kernel/traps.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 3bad79db5d6e..f342bd6b2a5d 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -402,6 +402,9 @@ int is_valid_bugaddr(unsigned long pc) u32 insn = __opcode_to_mem_arm(BUG_INSTR_VALUE); #endif + if (pc < TASK_SIZE) + return 0; + if (get_kernel_nofault(bkpt, (void *)pc)) return 0;
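Review bot: the new `if (pc < TASK_SIZE) return 0;` in the is_valid_bugaddr() hunk needs a one-line comment, because on its own it reads like a redundant range check in front of get_kernel_nofault(), and a later cleanup could "simplify" it away. The reason it must stay, per the message, is that a privileged load from a user address under PAN faults in a way the nofault fixup does not recover from, while a plain unmapped kernel address is an ordinary recoverable fault; something like `/* A user PC cannot be a BUG() site, and under PAN the load would be fatal */` above the check captures that. Two smaller points on the same hunk: `pc < TASK_SIZE` only excludes user space, it does not establish that the PC is in kernel text (core or module), so any address between TASK_SIZE and the text still reaches the load, which is acceptable only because that is the recoverable case; and the value compared against is `__opcode_to_mem_arm(BUG_INSTR_VALUE)`, the 32-bit ARM BUG() trap encoding, whereas the message calls it a BRK throughout, which is the AArch64 mnemonic, so the wording and the code do not match.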
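The failure mode the commit message describes, as an added example that is not part of the patch or the kernel: a small user-space model in C of is_valid_bugaddr() with and without the new range check. The memory layout (TASK_SIZE at 0xbf000000, kernel text at 0xc0008000), the fake text array and every name ending in _model or _MODEL are assumptions made for the model; 0xe7f001f2 is the 32-bit ARM BUG() trap encoding. The modelled get_kernel_nofault() counts a privileged load from a user address as the unrecoverable nested fault the message describes, so the difference between the two orderings shows up as that counter rather than as a crash.

```c
/*
 * Added example, not kernel code: a user-space model of the check ordering
 * that the patch introduces in is_valid_bugaddr(). All *_MODEL constants and
 * *_model names are assumptions made for this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit ARM BUG() trap encoding (BUG_INSTR_VALUE in arch/arm/include/asm/bug.h). */
#define BUG_INSTR_VALUE 0xe7f001f2u

/* Assumed 3G/1G split: user space is [0, TASK_SIZE), kernel text above it. */
#define TASK_SIZE_MODEL  0xbf000000u
#define KTEXT_BASE_MODEL 0xc0008000u

/* Constructed fake kernel text: ordinary instructions around one BUG() site. */
static const uint32_t ktext_model[] = {
    0xe1a00000u,     /* nop (mov r0, r0) */
    0xe92d4010u,     /* push {r4, lr} */
    BUG_INSTR_VALUE, /* the BUG() trap, at KTEXT_BASE_MODEL + 8 */
    0xe8bd8010u,     /* pop {r4, pc} */
};
#define KTEXT_WORDS_MODEL (sizeof(ktext_model) / sizeof(ktext_model[0]))

/*
 * Number of privileged loads from user addresses. In the model they merely
 * fail; on hardware with PAN the message says this is the nested exception
 * the kernel cannot recover from, so a correct checker keeps it at zero.
 */
static int nested_faults_model;

/* Stand-in for get_kernel_nofault(): 0 and *out on success, -1 on a fault. */
static int get_kernel_nofault_model(uint32_t addr, uint32_t *out)
{
    if (addr < TASK_SIZE_MODEL) {
        nested_faults_model++;   /* PAN: privileged access to user memory */
        return -1;
    }
    if (addr < KTEXT_BASE_MODEL || (addr & 3u) ||
        (addr - KTEXT_BASE_MODEL) / 4u >= KTEXT_WORDS_MODEL)
        return -1;               /* unmapped or misaligned kernel address: recoverable */
    *out = ktext_model[(addr - KTEXT_BASE_MODEL) / 4u];
    return 0;
}

/* Before the patch: the load happens for any PC, user addresses included. */
static bool is_valid_bugaddr_unpatched(uint32_t pc)
{
    uint32_t bkpt;

    if (get_kernel_nofault_model(pc, &bkpt))
        return false;
    return bkpt == BUG_INSTR_VALUE;
}

/* After the patch: a user PC is rejected before any memory is touched. */
static bool is_valid_bugaddr_patched(uint32_t pc)
{
    uint32_t bkpt;

    if (pc < TASK_SIZE_MODEL)
        return false;
    if (get_kernel_nofault_model(pc, &bkpt))
        return false;
    return bkpt == BUG_INSTR_VALUE;
}

int main(void)
{
    const uint32_t user_pc = 0x00010000u;           /* typical user text address */
    const uint32_t bug_pc = KTEXT_BASE_MODEL + 8u;  /* the BUG() site */
    const uint32_t unmapped_pc = 0xffff0000u;       /* kernel range, not in ktext_model */
    bool p_bug, p_user, p_unmapped, u_bug, u_user, u_unmapped;
    int faults_after_patched;

    p_bug = is_valid_bugaddr_patched(bug_pc);
    p_user = is_valid_bugaddr_patched(user_pc);
    p_unmapped = is_valid_bugaddr_patched(unmapped_pc);
    faults_after_patched = nested_faults_model;

    u_bug = is_valid_bugaddr_unpatched(bug_pc);
    u_user = is_valid_bugaddr_unpatched(user_pc);
    u_unmapped = is_valid_bugaddr_unpatched(unmapped_pc);

    printf("patched:   bug=%d user=%d unmapped=%d nested_faults=%d\n",
           p_bug, p_user, p_unmapped, faults_after_patched);
    printf("unpatched: bug=%d user=%d unmapped=%d nested_faults=%d\n",
           u_bug, u_user, u_unmapped, nested_faults_model);
    return 0;
}
```

Both orderings give the same answer for kernel addresses; the model exists to show that only the unpatched ordering ever performs the privileged load from a user PC, which is the case the patch removes. Build with any C99 compiler (for example `cc -std=c99 -Wall model.c`).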