[PATCH 2/2] um: Detect kernel userspace access

From: Richard Weinberger
Date: Thu May 29 2014 - 05:51:52 EST


From time to time users report that UML hangs and consumes 100% CPU
on the host side.
Analyzing such an issue uncovered a bug in UML's page fault
handler. If the kernel tries to access userspace memory without
copy_from/to_user() UML receives a SIGSEGV and tries to handle
it. As the page fault handler is not designed to fix such faults the
SIGSEGV stays and UML consumes all CPU handling SIGSEGV.
The only sane thing we can do here is to call panic().

This patch helps to detect bad memory access from the kernel side.

Signed-off-by: Richard Weinberger <richard@xxxxxx>
---
arch/um/kernel/trap.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
index b0a3017..04a6de4 100644
--- a/arch/um/kernel/trap.c
+++ b/arch/um/kernel/trap.c
@@ -222,6 +222,9 @@ unsigned long segv(struct faultinfo fi, unsigned long ip, int is_user,
if (!is_user && address < PAGE_SIZE) {
show_regs(container_of(regs, struct pt_regs, regs));
panic("NULL pointer dereference at ip:0x%lx address:0x%lx", ip, address);
+ } else if (!is_user && address < task_size) {
+ show_regs(container_of(regs, struct pt_regs, regs));
+ panic("Kernel tried to access userspace at ip:0x%lx address:0x%lx", ip, address);
}

err = handle_page_fault(address, ip, is_write, is_user,
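Review bot: the new `else if` branch duplicates `show_regs(container_of(regs, struct pt_regs, regs));` from the `address < PAGE_SIZE` branch just above it; consider a single `if (!is_user && address < task_size)` block that calls show_regs() once and picks the panic message by `address < PAGE_SIZE`, so the two fatal paths cannot drift apart. It would also help to add a short comment above the check explaining why a kernel-mode fault anywhere below `task_size` is treated as unrecoverable (per the commit message, handle_page_fault() is not meant to fix kernel accesses that bypass copy_from/to_user()), since without it the panic reads as an arbitrary policy choice to anyone reading segv() later.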
--
1.8.4.2
