Re: [PATCH] arm64: kernel: memory corruptions due non-disabled PAN
From: Will Deacon
Date: Wed Nov 20 2019 - 14:16:57 EST
On Tue, Nov 19, 2019 at 05:10:06PM -0500, Pavel Tatashin wrote:
> Userland access functions (__arch_clear_user, __arch_copy_from_user,
> __arch_copy_in_user, __arch_copy_to_user), enable and disable PAN
> for the duration of copy. However, when copy fails for some reason,
> i.e. access violation the code is transferred to fixedup section,
> where we do not disable PAN.
>
> The bug is a security violation as the access to userland is still
> open when it should be disabled, but it also causes memory corruptions
> when software emulated PAN is used: CONFIG_ARM64_SW_TTBR0_PAN=y.
>
> I was able to reproduce memory corruption problem on Broadcom's SoC
> ARMv8-A like this:
>
> Enable software perf-events with PERF_SAMPLE_CALLCHAIN so userland's
> stack is accessed and copied.
>
> The test program performed the following on every CPU and forking many
> processes:
>
> unsigned long *map = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE,
> MAP_SHARED | MAP_ANONYMOUS, -1, 0);
> map[0] = getpid();
> sched_yield();
> if (map[0] != getpid()) {
> fprintf(stderr, "Corruption detected!");
> }
> munmap(map, PAGE_SIZE);
>
> From time to time I was getting map[0] to contain pid for a different
> process.
>
> Fixes: 338d4f49d6f7114 ("arm64: kernel: Add support for Privileged...")
>
> Signed-off-by: Pavel Tatashin <pasha.tatashin@xxxxxxxxxx>
> ---
> arch/arm64/lib/clear_user.S | 1 +
> arch/arm64/lib/copy_from_user.S | 1 +
> arch/arm64/lib/copy_in_user.S | 1 +
> arch/arm64/lib/copy_to_user.S | 1 +
> 4 files changed, 4 insertions(+)
Thanks. I've pushed this and your other patch out [1], with some changes
to the commit message. I'm annoyed that I didn't spot this during review
of the initial PAN patches.
Will
[1] https://fixes.arm64.dev