From: Paul Burton <paulburton@kernel.org>
To: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Paul Burton <paulburton@kernel.org>,
	stable@vger.kernel.org
Subject: [PATCH] MIPS: Use __copy_{to,from}_user() for emulated FP loads/stores
Date: Tue,  3 Dec 2019 12:49:33 -0800
Message-ID: <20191203204933.1642259-1-paulburton@kernel.org> (raw)

Our FPU emulator currently uses __get_user() & __put_user() to perform
emulated loads & stores. This is problematic because __get_user() &
__put_user() are only suitable for naturally aligned memory accesses,
and the address we're accessing is entirely under the control of
userland.

This allows userland to cause a kernel panic by simply performing an
unaligned floating point load or store - the kernel will handle the
address error exception by attempting to emulate the instruction, and in
the process it may generate another address error exception itself.
This time the exception is taken with EPC pointing at the kernel's FPU
emulation code, and we hit a die_if_kernel() in
emulate_load_store_insn().

Fix this up by using __copy_from_user() instead of __get_user() and
__copy_to_user() instead of __put_user(). These replacements will handle
arbitrary alignment without problems.

Signed-off-by: Paul Burton <paulburton@kernel.org>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org> # v2.6.12+
---
 arch/mips/math-emu/cp1emu.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index 710e1f804a54..d2009b4b5209 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -1056,7 +1056,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 			*fault_addr = dva;
 			return SIGBUS;
 		}
-		if (__get_user(dval, dva)) {
+		if (__copy_from_user(&dval, dva, sizeof(u64))) {
 			MIPS_FPU_EMU_INC_STATS(errors);
 			*fault_addr = dva;
 			return SIGSEGV;
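Review bot: The new `__copy_from_user()` on the replaced line performs no `access_ok()` range check of its own, so its safety rests entirely on the guard whose `return SIGBUS` is the context just above it; that guard's condition is outside the hunk, and if it is the `access_ok()` check this relies on, a one-line comment would pin the invariant the double-underscore helper depends on: `/* dva was range-checked by access_ok() above; __copy_from_user() also copes with an unaligned dva */`. Note too that `__copy_from_user()` returns the number of bytes it failed to copy and, unlike `__get_user()`, which conventionally zeroes its destination on a fault, may leave part of `dval` unwritten; that is harmless here because the SIGSEGV path returns before `dval` is consumed, but it is worth a sentence in the commit message. cop1Emulate's body starts and ends outside the hunk.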
@@ -1074,7 +1074,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 			*fault_addr = dva;
 			return SIGBUS;
 		}
-		if (__put_user(dval, dva)) {
+		if (__copy_to_user(dva, &dval, sizeof(u64))) {
 			MIPS_FPU_EMU_INC_STATS(errors);
 			*fault_addr = dva;
 			return SIGSEGV;
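Review bot: `sizeof(u64)` on the new line restates the type of `dval` instead of deriving it; `if (__copy_to_user(dva, &dval, sizeof(dval))) {` ties the copy length to the variable so the two cannot drift apart if its declaration ever changes, and the same applies to the other seven call sites in this patch. The non-zero test is the right failure condition, since `__copy_to_user()` reports the count of bytes left uncopied rather than an errno. cop1Emulate's body starts and ends outside the hunk.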
@@ -1090,7 +1090,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 			*fault_addr = wva;
 			return SIGBUS;
 		}
-		if (__get_user(wval, wva)) {
+		if (__copy_from_user(&wval, wva, sizeof(u32))) {
 			MIPS_FPU_EMU_INC_STATS(errors);
 			*fault_addr = wva;
 			return SIGSEGV;
@@ -1108,7 +1108,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 			*fault_addr = wva;
 			return SIGBUS;
 		}
-		if (__put_user(wval, wva)) {
+		if (__copy_to_user(wva, &wval, sizeof(u32))) {
 			MIPS_FPU_EMU_INC_STATS(errors);
 			*fault_addr = wva;
 			return SIGSEGV;
@@ -1486,7 +1486,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (__get_user(val, va)) {
+			if (__copy_from_user(&val, va, sizeof(u32))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
@@ -1506,7 +1506,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (put_user(val, va)) {
+			if (__copy_to_user(va, &val, sizeof(u32))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
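Review bot: This is the one site where the old code used the checking `put_user()` rather than `__put_user()`, and replacing it with `__copy_to_user()` drops the `access_ok()` that `put_user()` performed internally. The `return SIGBUS` guard just above is presumably the explicit `access_ok()` check that its sibling sites are described as having, in which case nothing is lost, but the commit message only speaks of `__get_user()`/`__put_user()` and should say that this site's explicit check is now the only one; a comment such as `/* va already checked by access_ok() above */` would make that dependency visible at the call. fpux_emu's body starts and ends outside the hunk.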
@@ -1583,7 +1583,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (__get_user(val, va)) {
+			if (__copy_from_user(&val, va, sizeof(u64))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
@@ -1602,7 +1602,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (__put_user(val, va)) {
+			if (__copy_to_user(va, &val, sizeof(u64))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
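Review bot: With `__copy_to_user()` a misaligned 64-bit store that straddles a page boundary can be partially written before the helper returns non-zero, so the process may observe the first bytes of `val` landing in memory before it receives the SIGSEGV; that is a behavioural difference from the hardware store the emulator stands in for, and while it is benign for a process that is about to be signalled, it deserves a note in the commit message. Relatedly, `*fault_addr = va` reports the base of the access rather than the byte that actually faulted, so if `fault_addr` feeds the signal's reported address it may point at a mapped page for such a straddling access. fpux_emu's body starts and ends outside the hunk.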
-- 
2.24.0

