From: Michael Ellerman <patch-notifications@ellerman.id.au>
To: Christophe Leroy <christophe.leroy@csgroup.eu>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v2] powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO
Date: Sat, 03 Apr 2021 22:51:45 +1100 [thread overview]
Message-ID: <161745070541.936361.6883787979113499379.b4-ty@ellerman.id.au> (raw)
In-Reply-To: <bde9154e5351a5ac7bca3d59cdb5a5e8edacbb79.1617199569.git.christophe.leroy@csgroup.eu>
On Wed, 31 Mar 2021 14:07:04 +0000 (UTC), Christophe Leroy wrote:
> PPC32 encounters a KUAP fault when trying to handle a signal with
> VDSO unmapped.
>
> Kernel attempted to read user page (7fc07ec0) - exploit attempt? (uid: 0)
> BUG: Unable to handle kernel data access on read at 0x7fc07ec0
> Faulting instruction address: 0xc00111d4
> Oops: Kernel access of bad area, sig: 11 [#1]
> BE PAGE_SIZE=16K PREEMPT CMPC885
> CPU: 0 PID: 353 Comm: sigreturn_vdso Not tainted 5.12.0-rc4-s3k-dev-01553-gb30c310ea220 #4814
> NIP: c00111d4 LR: c0005a28 CTR: 00000000
> REGS: cadb3dd0 TRAP: 0300 Not tainted (5.12.0-rc4-s3k-dev-01553-gb30c310ea220)
> MSR: 00009032 <EE,ME,IR,DR,RI> CR: 48000884 XER: 20000000
> DAR: 7fc07ec0 DSISR: 88000000
> GPR00: c0007788 cadb3e90 c28d4a40 7fc07ec0 7fc07ed0 000004e0 7fc07ce0 00000000
> GPR08: 00000001 00000001 7fc07ec0 00000000 28000282 1001b828 100a0920 00000000
> GPR16: 100cac0c 100b0000 105c43a4 105c5685 100d0000 100d0000 100d0000 100b2e9e
> GPR24: ffffffff 105c43c8 00000000 7fc07ec8 cadb3f40 cadb3ec8 c28d4a40 00000000
> NIP [c00111d4] flush_icache_range+0x90/0xb4
> LR [c0005a28] handle_signal32+0x1bc/0x1c4
> Call Trace:
> [cadb3e90] [100d0000] 0x100d0000 (unreliable)
> [cadb3ec0] [c0007788] do_notify_resume+0x260/0x314
> [cadb3f20] [c000c764] syscall_exit_prepare+0x120/0x184
> [cadb3f30] [c00100b4] ret_from_syscall+0xc/0x28
> --- interrupt: c00 at 0xfe807f8
> NIP: 0fe807f8 LR: 10001060 CTR: c0139378
> REGS: cadb3f40 TRAP: 0c00 Not tainted (5.12.0-rc4-s3k-dev-01553-gb30c310ea220)
> MSR: 0000d032 <EE,PR,ME,IR,DR,RI> CR: 28000482 XER: 20000000
>
> [...]
Applied to powerpc/fixes.
[1/1] powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO
https://git.kernel.org/powerpc/c/acca57217c688c5bbbd5140974533d81e8757cc9
cheers