[RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[Nobuhiro Iwamatsu]

Hi,

This is a patch series to CVE-2021-21781.
The patch 9c698bff66ab ("RM: ensure the signal page contains defined
contents") depepds on memset32. However, this function is not provided
in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
add multibyte memset functions") to apply this feature.
Another option is to implement only the memset32 function in
arch/arm/kernel/signal.c only or using loop memset, but for simplicity
we have taken the way of applying the original patch 3b3c4babd898
("lib/string.c: add multibyte memset functions") that provides memset32
in mainline kernel.

Best regards,
     Nobuhiro

Matthew Wilcox (1):
  lib/string.c: add multibyte memset functions

Russell King (1):
  ARM: ensure the signal page contains defined contents

 arch/arm/kernel/signal.c | 14 +++++----
 include/linux/string.h   | 30 ++++++++++++++++++
 lib/string.c             | 66 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+), 6 deletions(-)

-- 
2.32.0

From 97cc3a4817c982954ff69355d2577a92bddbad4a Mon Sep 17 00:00:00 2001
From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Date: Fri, 30 Jul 2021 14:40:55 +0900
Subject: [RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

Hi,

This is a patch series to CVE-2021-21781.
The patch 9c698bff66ab ("RM: ensure the signal page contains defined
contents") depepds on memset32. However, this function is not provided
in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
add multibyte memset functions") to apply this feature.
Another option is to implement only the memset32 function in
arch/arm/kernel/signal.c only, but for simplicity we have taken the
way of applying the original patch 3b3c4babd898 ("lib/string.c: add
multibyte memset functions") that provides memset32 in mainline kernel.

Best regards,
     Nobuhiro

Matthew Wilcox (1):
  lib/string.c: add multibyte memset functions

Russell King (1):
  ARM: ensure the signal page contains defined contents

 arch/arm/kernel/signal.c | 23 ++++++++++----
 include/linux/string.h   | 30 ++++++++++++++++++
 lib/string.c             | 66 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 6 deletions(-)

-- 
2.32.0

[PATCH 1/2 for 4.4 and 4.9] lib/string.c: add multibyte memset functions

[Nobuhiro Iwamatsu]

From: Matthew Wilcox <mawilcox@microsoft.com>

commit 3b3c4babd898715926d24ae10aa64778ace33aae upstream.

Patch series "Multibyte memset variations", v4.

A relatively common idiom we're missing is a function to fill an area of
memory with a pattern which is larger than a single byte.  I first
noticed this with a zram patch which wanted to fill a page with an
'unsigned long' value.  There turn out to be quite a few places in the
kernel which can benefit from using an optimised function rather than a
loop; sometimes text size, sometimes speed, and sometimes both.  The
optimised PowerPC version (not included here) improves performance by
about 30% on POWER8 on just the raw memset_l().

Most of the extra lines of code come from the three testcases I added.

This patch (of 8):

memset16(), memset32() and memset64() are like memset(), but allow the
caller to fill the destination with a value larger than a single byte.
memset_l() and memset_p() allow the caller to use unsigned long and
pointer values respectively.

Link: http://lkml.kernel.org/r/20170720184539.31609-2-willy@infradead.org
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: David Miller <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 include/linux/string.h | 30 +++++++++++++++++++
 lib/string.c           | 66 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)

diff --git a/include/linux/string.h b/include/linux/string.h
index 66a91f5a344990..dd810d4739ee92 100644
--- a/include/linux/string.h
+++ b/include/linux/string.h
@@ -103,6 +103,36 @@ extern __kernel_size_t strcspn(const char *,const char *);
 #ifndef __HAVE_ARCH_MEMSET
 extern void * memset(void *,int,__kernel_size_t);
 #endif
+
+#ifndef __HAVE_ARCH_MEMSET16
+extern void *memset16(uint16_t *, uint16_t, __kernel_size_t);
+#endif
+
+#ifndef __HAVE_ARCH_MEMSET32
+extern void *memset32(uint32_t *, uint32_t, __kernel_size_t);
+#endif
+
+#ifndef __HAVE_ARCH_MEMSET64
+extern void *memset64(uint64_t *, uint64_t, __kernel_size_t);
+#endif
+
+static inline void *memset_l(unsigned long *p, unsigned long v,
+		__kernel_size_t n)
+{
+	if (BITS_PER_LONG == 32)
+		return memset32((uint32_t *)p, v, n);
+	else
+		return memset64((uint64_t *)p, v, n);
+}
+
+static inline void *memset_p(void **p, void *v, __kernel_size_t n)
+{
+	if (BITS_PER_LONG == 32)
+		return memset32((uint32_t *)p, (uintptr_t)v, n);
+	else
+		return memset64((uint64_t *)p, (uintptr_t)v, n);
+}
+
 #ifndef __HAVE_ARCH_MEMCPY
 extern void * memcpy(void *,const void *,__kernel_size_t);
 #endif
diff --git a/lib/string.c b/lib/string.c
index 8fe13371aed7ad..ec1ba61b358f21 100644
--- a/lib/string.c
+++ b/lib/string.c
@@ -754,6 +754,72 @@ void memzero_explicit(void *s, size_t count)
 }
 EXPORT_SYMBOL(memzero_explicit);
 
+#ifndef __HAVE_ARCH_MEMSET16
+/**
+ * memset16() - Fill a memory area with a uint16_t
+ * @s: Pointer to the start of the area.
+ * @v: The value to fill the area with
+ * @count: The number of values to store
+ *
+ * Differs from memset() in that it fills with a uint16_t instead
+ * of a byte.  Remember that @count is the number of uint16_ts to
+ * store, not the number of bytes.
+ */
+void *memset16(uint16_t *s, uint16_t v, size_t count)
+{
+	uint16_t *xs = s;
+
+	while (count--)
+		*xs++ = v;
+	return s;
+}
+EXPORT_SYMBOL(memset16);
+#endif
+
+#ifndef __HAVE_ARCH_MEMSET32
+/**
+ * memset32() - Fill a memory area with a uint32_t
+ * @s: Pointer to the start of the area.
+ * @v: The value to fill the area with
+ * @count: The number of values to store
+ *
+ * Differs from memset() in that it fills with a uint32_t instead
+ * of a byte.  Remember that @count is the number of uint32_ts to
+ * store, not the number of bytes.
+ */
+void *memset32(uint32_t *s, uint32_t v, size_t count)
+{
+	uint32_t *xs = s;
+
+	while (count--)
+		*xs++ = v;
+	return s;
+}
+EXPORT_SYMBOL(memset32);
+#endif
+
+#ifndef __HAVE_ARCH_MEMSET64
+/**
+ * memset64() - Fill a memory area with a uint64_t
+ * @s: Pointer to the start of the area.
+ * @v: The value to fill the area with
+ * @count: The number of values to store
+ *
+ * Differs from memset() in that it fills with a uint64_t instead
+ * of a byte.  Remember that @count is the number of uint64_ts to
+ * store, not the number of bytes.
+ */
+void *memset64(uint64_t *s, uint64_t v, size_t count)
+{
+	uint64_t *xs = s;
+
+	while (count--)
+		*xs++ = v;
+	return s;
+}
+EXPORT_SYMBOL(memset64);
+#endif
+
 #ifndef __HAVE_ARCH_MEMCPY
 /**
  * memcpy - Copy one area of memory to another
-- 
2.32.0

[PATCH 2/2 for 4.4, 4.9] ARM: ensure the signal page contains defined contents

[Nobuhiro Iwamatsu]

From: Russell King <rmk+kernel@armlinux.org.uk>

commit 9c698bff66ab4914bb3d71da7dc6112519bde23e upstream.

Ensure that the signal page contains our poison instruction to increase
the protection against ROP attacks and also contains well defined
contents.

Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Reference: CVE-2021-21781
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
---
 arch/arm/kernel/signal.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index 0a066f03b5ec9b..180c1782ad63d9 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -625,18 +625,20 @@ struct page *get_signal_page(void)
 
 	addr = page_address(page);
 
+	/* Poison the entire page */
+	memset32(addr, __opcode_to_mem_arm(0xe7fddef1),
+		 PAGE_SIZE / sizeof(u32));
+
 	/* Give the signal return code some randomness */
 	offset = 0x200 + (get_random_int() & 0x7fc);
 	signal_return_offset = offset;
 
-	/*
-	 * Copy signal return handlers into the vector page, and
-	 * set sigreturn to be a pointer to these.
-	 */
+	/* Copy signal return handlers into the page */
 	memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
 
-	ptr = (unsigned long)addr + offset;
-	flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
+	/* Flush out all instructions in this page */
+	ptr = (unsigned long)addr;
+	flush_icache_range(ptr, ptr + PAGE_SIZE);
 
 	return page;
 }
-- 
2.32.0

Re: [RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[Greg KH]

On Fri, Jul 30, 2021 at 03:08:03PM +0900, Nobuhiro Iwamatsu wrote:
> Hi,
> 
> This is a patch series to CVE-2021-21781.

Given that this looks to be a "private" CVE at this point in time:
	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781
you are going to have to provide a bit more information here :(

thanks,

greg k-h

Re: [RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[Greg KH]

On Fri, Jul 30, 2021 at 08:27:20AM +0200, Greg KH wrote:
> On Fri, Jul 30, 2021 at 03:08:03PM +0900, Nobuhiro Iwamatsu wrote:
> > Hi,
> > 
> > This is a patch series to CVE-2021-21781.
> 
> Given that this looks to be a "private" CVE at this point in time:
> 	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781
> you are going to have to provide a bit more information here :(

Ah, nevermind, patch 2 explains things, this is fine, thanks for the
backports.

greg k-h

Re: [RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[Greg KH]

On Fri, Jul 30, 2021 at 03:08:03PM +0900, Nobuhiro Iwamatsu wrote:
> Hi,
> 
> This is a patch series to CVE-2021-21781.
> The patch 9c698bff66ab ("RM: ensure the signal page contains defined
> contents") depepds on memset32. However, this function is not provided
> in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
> add multibyte memset functions") to apply this feature.
> Another option is to implement only the memset32 function in
> arch/arm/kernel/signal.c only or using loop memset, but for simplicity
> we have taken the way of applying the original patch 3b3c4babd898
> ("lib/string.c: add multibyte memset functions") that provides memset32
> in mainline kernel.

All now queued up, thanks.

greg k-h

[RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[Nobuhiro Iwamatsu]

Hi,

This is a patch series to CVE-2021-21781.
The patch 9c698bff66ab ("RM: ensure the signal page contains defined
contents") depepds on memset32. However, this function is not provided
in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
add multibyte memset functions") to apply this feature.
Another option is to implement only the memset32 function in
arch/arm/kernel/signal.c only or using loop memset, but for simplicity
we have taken the way of applying the original patch 3b3c4babd898
("lib/string.c: add multibyte memset functions") that provides memset32
in mainline kernel.

Best regards,
     Nobuhiro

Matthew Wilcox (1):
  lib/string.c: add multibyte memset functions

Russell King (1):
  ARM: ensure the signal page contains defined contents

 arch/arm/kernel/signal.c | 14 +++++----
 include/linux/string.h   | 30 ++++++++++++++++++
 lib/string.c             | 66 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+), 6 deletions(-)

-- 
2.32.0

From 97cc3a4817c982954ff69355d2577a92bddbad4a Mon Sep 17 00:00:00 2001
From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Date: Fri, 30 Jul 2021 14:40:55 +0900
Subject: [RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

Hi,

This is a patch series to CVE-2021-21781.
The patch 9c698bff66ab ("RM: ensure the signal page contains defined
contents") depepds on memset32. However, this function is not provided
in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
add multibyte memset functions") to apply this feature.
Another option is to implement only the memset32 function in
arch/arm/kernel/signal.c only, but for simplicity we have taken the
way of applying the original patch 3b3c4babd898 ("lib/string.c: add
multibyte memset functions") that provides memset32 in mainline kernel.

Best regards,
     Nobuhiro

Matthew Wilcox (1):
  lib/string.c: add multibyte memset functions

Russell King (1):
  ARM: ensure the signal page contains defined contents

 arch/arm/kernel/signal.c | 23 ++++++++++----
 include/linux/string.h   | 30 ++++++++++++++++++
 lib/string.c             | 66 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 6 deletions(-)

-- 
2.32.0

[RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

[Nobuhiro Iwamatsu]

Hi,

This is a patch series to CVE-2021-21781.
The patch 9c698bff66ab ("RM: ensure the signal page contains defined
contents") depepds on memset32. However, this function is not provided
in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
add multibyte memset functions") to apply this feature.
Another option is to implement only the memset32 function in
arch/arm/kernel/signal.c only or using loop memset, but for simplicity
we have taken the way of applying the original patch 3b3c4babd898
("lib/string.c: add multibyte memset functions") that provides memset32
in mainline kernel.

Best regards,
     Nobuhiro

Matthew Wilcox (1):
  lib/string.c: add multibyte memset functions

Russell King (1):
  ARM: ensure the signal page contains defined contents

 arch/arm/kernel/signal.c | 14 +++++----
 include/linux/string.h   | 30 ++++++++++++++++++
 lib/string.c             | 66 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+), 6 deletions(-)

-- 
2.32.0

From 97cc3a4817c982954ff69355d2577a92bddbad4a Mon Sep 17 00:00:00 2001
From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Date: Fri, 30 Jul 2021 14:40:55 +0900
Subject: [RFC/PATCH 0/2] Backports CVE-2021-21781 for 4.4 and 4.9

Hi,

This is a patch series to CVE-2021-21781.
The patch 9c698bff66ab ("RM: ensure the signal page contains defined
contents") depepds on memset32. However, this function is not provided
in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c:
add multibyte memset functions") to apply this feature.
Another option is to implement only the memset32 function in
arch/arm/kernel/signal.c only, but for simplicity we have taken the
way of applying the original patch 3b3c4babd898 ("lib/string.c: add
multibyte memset functions") that provides memset32 in mainline kernel.

Best regards,
     Nobuhiro

Matthew Wilcox (1):
  lib/string.c: add multibyte memset functions

Russell King (1):
  ARM: ensure the signal page contains defined contents

 arch/arm/kernel/signal.c | 23 ++++++++++----
 include/linux/string.h   | 30 ++++++++++++++++++
 lib/string.c             | 66 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 6 deletions(-)

-- 
2.32.0