Re: [PATCH v1 1/5] powerpc/mm: sanity_check_fault() should work for all, not only BOOK3S

From: Christophe Leroy
Date: Tue Sep 08 2020 - 04:56:40 EST

Next message: Daniel Vetter: "Re: [PATCH] drm/virtio: drop quirks handling"
Previous message: Willem de Bruijn: "Re: [PATCH net] net/packet: Fix a comment about hard_header_len and headroom allocation"
In reply to: Nicholas Piggin: "Re: [PATCH v1 1/5] powerpc/mm: sanity_check_fault() should work for all, not only BOOK3S"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le 08/09/2020 à 10:43, Nicholas Piggin a écrit :

Excerpts from Christophe Leroy's message of August 7, 2020 3:15 am:

The verification and message introduced by commit 374f3f5979f9
("powerpc/mm/hash: Handle user access of kernel address gracefully")
applies to all platforms, it should not be limited to BOOK3S.

Make the BOOK3S version of sanity_check_fault() the one for all,
and bail out earlier if not BOOK3S.

Fixes: 374f3f5979f9 ("powerpc/mm/hash: Handle user access of kernel address gracefully")
Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
---
arch/powerpc/mm/fault.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
index 925a7231abb3..2efa34d7e644 100644
--- a/arch/powerpc/mm/fault.c
+++ b/arch/powerpc/mm/fault.c
@@ -303,7 +303,6 @@ static inline void cmo_account_page_fault(void)
static inline void cmo_account_page_fault(void) { }
#endif /* CONFIG_PPC_SMLPAR */
-#ifdef CONFIG_PPC_BOOK3S
static void sanity_check_fault(bool is_write, bool is_user,
unsigned long error_code, unsigned long address)
{
@@ -320,6 +319,9 @@ static void sanity_check_fault(bool is_write, bool is_user,
return;
}
+ if (!IS_ENABLED(CONFIG_PPC_BOOK3S))
+ return;

Seems okay. Why is address == -1 special though? I guess it's because
it may not be an exploit kernel reference but a buggy pointer underflow?
In that case -1 doesn't seem like it would catch very much. Would it be
better to test for high bit set for example ((long)address < 0) ?

See https://github.com/linuxppc/linux/commit/0f9aee0cb9da7db7d96f63cfa2dc5e4f1bffeb87#diff-f9658f412252f3bb3093e0a95b37f3ac

-1 is what mmap() returns on error, if the app uses that as a pointer that's a programming error not an exploit.

Euh .. If you test (long)address < 0, then the entire kernel falls into that range as usually it goes from 0xc0000000 to 0xffffffff

But we could skip the top page entirely, anyway it is never mapped.

Anyway for your patch

Reviewed-by: Nicholas Piggin <npiggin@xxxxxxxxx>

Thanks
Christophe

Next message: Daniel Vetter: "Re: [PATCH] drm/virtio: drop quirks handling"
Previous message: Willem de Bruijn: "Re: [PATCH net] net/packet: Fix a comment about hard_header_len and headroom allocation"
In reply to: Nicholas Piggin: "Re: [PATCH v1 1/5] powerpc/mm: sanity_check_fault() should work for all, not only BOOK3S"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]