All of lore.kernel.org
* [PATCH v3 0/2] Let illegal access to user-space memory die
@ 2020-12-04  5:42 ` Eric Lin
  0 siblings, 0 replies; 11+ messages in thread
From: Eric Lin @ 2020-12-04  5:42 UTC (permalink / raw)
  To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, palmer, paul.walmsley
  Cc: Eric Lin

Accesses to user-space memory without calling a uaccess routine
lead to hanging in the page fault handler. Like arm64, we let it
die earlier in the page fault handler.

Changes in v3:
	-Let no_context() use die_kernel_fault() helper

Changes in v2:
    -Add a die_kernel_fault() helper
    -Split one long line code into two

Eric Lin (2):
  riscv/mm: Introduce a die_kernel_fault() helper function
  riscv/mm: Prevent kernel module to access user memory without uaccess
    routines

 arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

-- 
2.17.0


^ permalink raw reply	[flat|nested] 11+ messages in thread

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

* [PATCH v3 1/2] riscv/mm: Introduce a die_kernel_fault() helper function
  2020-12-04  5:42 ` Eric Lin
@ 2020-12-04  5:42   ` Eric Lin
  -1 siblings, 0 replies; 11+ messages in thread
From: Eric Lin @ 2020-12-04  5:42 UTC (permalink / raw)
  To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, palmer, paul.walmsley
  Cc: Eric Lin, Alan Kao

Like arm64, this patch adds a die_kernel_fault() helper
to ensure the same semantics for the different kernel faults.

Signed-off-by: Eric Lin <tesheng@andestech.com>
Cc: Alan Kao <alankao@andestech.com>
Reviewed-by: Pekka Enberg <penberg@kernel.org>
---
 arch/riscv/mm/fault.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 3c8b9e433c67..0d5f06d6e3c7 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -19,8 +19,23 @@
 
 #include "../kernel/head.h"
 
+static void die_kernel_fault(const char *msg, unsigned long addr,
+		struct pt_regs *regs)
+{
+	bust_spinlocks(1);
+
+	pr_alert("Unable to handle kernel %s at virtual address " REG_FMT "\n", msg,
+		addr);
+
+	bust_spinlocks(0);
+	die(regs, "Oops");
+	do_exit(SIGKILL);
+}
+
 static inline void no_context(struct pt_regs *regs, unsigned long addr)
 {
+	const char *msg;
+
 	/* Are we prepared to handle this kernel fault? */
 	if (fixup_exception(regs))
 		return;
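Review bot: die_kernel_fault() calls bust_spinlocks(0) before die(regs, "Oops"), but the sequence it replaces in no_context() (bust_spinlocks(1), pr_alert(), die(), do_exit()) never called bust_spinlocks(0) at all, so this is a behaviour change in a patch whose changelog describes only a refactor. Please mention it in the commit message and say why the call sits before die() rather than after it. Minor: the pr_alert() line now runs past 80 columns; breaking after the format string instead of after msg would keep it within the limit.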
@@ -29,12 +44,8 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr)
 	 * Oops. The kernel tried to access some bad page. We'll have to
 	 * terminate things with extreme prejudice.
 	 */
-	bust_spinlocks(1);
-	pr_alert("Unable to handle kernel %s at virtual address " REG_FMT "\n",
-		(addr < PAGE_SIZE) ? "NULL pointer dereference" :
-		"paging request", addr);
-	die(regs, "Oops");
-	do_exit(SIGKILL);
+	msg = (addr < PAGE_SIZE) ? "NULL pointer dereference" : "paging request";
+	die_kernel_fault(msg, addr, regs);
 }
 
 static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault)
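Review bot: with die_kernel_fault(msg, addr, regs) as its last statement, no_context() now depends on the helper never returning, which follows only from the do_exit(SIGKILL) at the helper's end; annotating die_kernel_fault() as __noreturn would make that explicit to the compiler and to later callers. The msg temporary is used once, so the ternary could be passed directly, though keeping it is fine if the aim is to hold the call on one line.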
-- 
2.17.0


^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [PATCH v3 2/2] riscv/mm: Prevent kernel module to access user memory without uaccess routines
  2020-12-04  5:42 ` Eric Lin
@ 2020-12-04  5:42   ` Eric Lin
  -1 siblings, 0 replies; 11+ messages in thread
From: Eric Lin @ 2020-12-04  5:42 UTC (permalink / raw)
  To: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, palmer, paul.walmsley
  Cc: Eric Lin, Alan Kao

We found this issue in a legacy out-of-tree kernel module
which didn't properly access a user space pointer by get/put_user().
Such an illegal access loops in the page fault handler.
To resolve this, let it die here.

Signed-off-by: Eric Lin <tesheng@andestech.com>
Cc: Alan Kao <alankao@andestech.com>
Reviewed-by: Pekka Enberg <penberg@kernel.org>
---
 arch/riscv/mm/fault.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 0d5f06d6e3c7..33d284188f9a 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -243,6 +243,11 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
 	if (user_mode(regs))
 		flags |= FAULT_FLAG_USER;
 
+	if (!user_mode(regs) && addr < TASK_SIZE &&
+			unlikely(!(regs->status & SR_SUM)))
+		die_kernel_fault("access to user memory without uaccess routines",
+				addr, regs);
+
 	perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
 
 	if (cause == EXC_STORE_PAGE_FAULT)
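Review bot: the new check in do_page_fault() carries no comment saying why a clear SR_SUM in regs->status makes a kernel-mode fault below TASK_SIZE fatal; only the message string hints that SR_SUM is expected to be set solely inside the uaccess routines. A short comment above the if stating that assumption would help the next reader. Two smaller points: !user_mode(regs) is re-evaluated directly after the if (user_mode(regs)) test above it, so the check could live in an else branch, and unlikely() wraps only the SR_SUM term rather than the whole condition.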
-- 
2.17.0


^ permalink raw reply related	[flat|nested] 11+ messages in thread

* Re: [PATCH v3 0/2] Let illegal access to user-space memory die
  2020-12-04  5:42 ` Eric Lin
                   ` (2 preceding siblings ...)
  (?)
@ 2020-12-18  4:03 ` Eric Lin
  -1 siblings, 0 replies; 11+ messages in thread
From: Eric Lin @ 2020-12-18  4:03 UTC (permalink / raw)
  To: linux-riscv, penberg, aou, palmer, paul.walmsley

On Fri, Dec 04, 2020 at 01:42:57PM +0800, Eric Te-Sheng Lin wrote:
> Accesses to user-space memory without calling a uaccess routine
> lead to hanging in the page fault handler. Like arm64, we let it
> die earlier in the page fault handler.

Hi Palmer, kindly ping.

Thanks.
> 
> Changes in v3:
> 	-Let no_context() use die_kernel_fault() helper
> 
> Changes in v2:
>     -Add a die_kernel_fault() helper
>     -Split one long line code into two
> 
> Eric Lin (2):
>   riscv/mm: Introduce a die_kernel_fault() helper function
>   riscv/mm: Prevent kernel module to access user memory without uaccess
>     routines
> 
>  arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
>  1 file changed, 22 insertions(+), 6 deletions(-)
> 
> -- 
> 2.17.0
> 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH v3 0/2] Let illegal access to user-space memory die
  2020-12-04  5:42 ` Eric Lin
@ 2020-12-22  2:35   ` Palmer Dabbelt
  -1 siblings, 0 replies; 11+ messages in thread
From: Palmer Dabbelt @ 2020-12-22  2:35 UTC (permalink / raw)
  To: tesheng
  Cc: linux-kernel, linux-riscv, walken, vbabka, peterx, akpm, penberg,
	aou, Paul Walmsley, tesheng

On Thu, 03 Dec 2020 21:42:57 PST (-0800), tesheng@andestech.com wrote:
> Accesses to user-space memory without calling a uaccess routine
> lead to hanging in the page fault handler. Like arm64, we let it
> die earlier in the page fault handler.
>
> Changes in v3:
> 	-Let no_context() use die_kernel_fault() helper
>
> Changes in v2:
>     -Add a die_kernel_fault() helper
>     -Split one long line code into two
>
> Eric Lin (2):
>   riscv/mm: Introduce a die_kernel_fault() helper function
>   riscv/mm: Prevent kernel module to access user memory without uaccess
>     routines
>
>  arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
>  1 file changed, 22 insertions(+), 6 deletions(-)

Thanks, these will be on for-next when the merge window ends.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [PATCH v3 0/2] Let illegal access to user-space memory die
  2020-12-22  2:35   ` Palmer Dabbelt
@ 2021-02-01 13:18     ` Ben Dooks
  -1 siblings, 0 replies; 11+ messages in thread
From: Ben Dooks @ 2021-02-01 13:18 UTC (permalink / raw)
  To: Palmer Dabbelt, tesheng
  Cc: aou, linux-kernel, peterx, penberg, Paul Walmsley, akpm, walken,
	linux-riscv, vbabka

On 22/12/2020 02:35, Palmer Dabbelt wrote:
> On Thu, 03 Dec 2020 21:42:57 PST (-0800), tesheng@andestech.com wrote:
>> Accesses to user-space memory without calling a uaccess routine
>> lead to hanging in the page fault handler. Like arm64, we let it
>> die earlier in the page fault handler.
>>
>> Changes in v3:
>>     -Let no_context() use die_kernel_fault() helper
>>
>> Changes in v2:
>>     -Add a die_kernel_fault() helper
>>     -Split one long line code into two
>>
>> Eric Lin (2):
>>   riscv/mm: Introduce a die_kernel_fault() helper function
>>   riscv/mm: Prevent kernel module to access user memory without uaccess
>>     routines
>>
>>  arch/riscv/mm/fault.c | 28 ++++++++++++++++++++++------
>>  1 file changed, 22 insertions(+), 6 deletions(-)
> 
> Thanks, these will be on for-next when the merge window ends.

Just tested this and it seems to be working.

-- 
Ben Dooks				http://www.codethink.co.uk/
Senior Engineer				Codethink - Providing Genius

https://www.codethink.co.uk/privacy.html

^ permalink raw reply	[flat|nested] 11+ messages in thread
