linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
@ 2022-06-15  1:47 Chen Lifu
  2022-06-28 12:58 ` chenlifu
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Chen Lifu @ 2022-06-15  1:47 UTC (permalink / raw)
  To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
	wangkefeng.wang, linux-riscv, linux-kernel, alankao
  Cc: chenlifu

Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
if __clear_user and __copy_user return from an fixup branch,
CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
S-mode memory accesses to pages that are accessible by U-mode will success.
Disable S-mode access to U-mode memory should clear SR_SUM bit.

Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")

Signed-off-by: Chen Lifu <chenlifu@huawei.com>
---
 arch/riscv/lib/uaccess.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
index 8c475f4da308..ec486e5369d9 100644
--- a/arch/riscv/lib/uaccess.S
+++ b/arch/riscv/lib/uaccess.S
@@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
 	ret
 
 	/* Exception fixup code */
 10:
 	/* Disable access to user memory */
-	csrs CSR_STATUS, t6
+	csrc CSR_STATUS, t6
 	mv a0, t5
 	ret
 ENDPROC(__asm_copy_to_user)
 ENDPROC(__asm_copy_from_user)
 EXPORT_SYMBOL(__asm_copy_to_user)
@@ -225,10 +225,10 @@ ENTRY(__clear_user)
 	j 3b
 
 	/* Exception fixup code */
 11:
 	/* Disable access to user memory */
-	csrs CSR_STATUS, t6
+	csrc CSR_STATUS, t6
 	mv a0, a1
 	ret
 ENDPROC(__clear_user)
 EXPORT_SYMBOL(__clear_user)
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
  2022-06-15  1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
@ 2022-06-28 12:58 ` chenlifu
  2022-07-15  3:47   ` chenlifu
  2022-07-18 15:10 ` Ben Dooks
  2022-08-10 22:01 ` Palmer Dabbelt
  2 siblings, 1 reply; 6+ messages in thread
From: chenlifu @ 2022-06-28 12:58 UTC (permalink / raw)
  To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
	wangkefeng.wang, linux-riscv, linux-kernel, alankao

> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
> if __clear_user and __copy_user return from an fixup branch,
> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
> S-mode memory accesses to pages that are accessible by U-mode will success.
> Disable S-mode access to U-mode memory should clear SR_SUM bit.
> 
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
> 
> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
> ---
>   arch/riscv/lib/uaccess.S | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
> index 8c475f4da308..ec486e5369d9 100644
> --- a/arch/riscv/lib/uaccess.S
> +++ b/arch/riscv/lib/uaccess.S
> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>   	ret
>   
>   	/* Exception fixup code */
>   10:
>   	/* Disable access to user memory */
> -	csrs CSR_STATUS, t6
> +	csrc CSR_STATUS, t6
>   	mv a0, t5
>   	ret
>   ENDPROC(__asm_copy_to_user)
>   ENDPROC(__asm_copy_from_user)
>   EXPORT_SYMBOL(__asm_copy_to_user)
> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>   	j 3b
>   
>   	/* Exception fixup code */
>   11:
>   	/* Disable access to user memory */
> -	csrs CSR_STATUS, t6
> +	csrc CSR_STATUS, t6
>   	mv a0, a1
>   	ret
>   ENDPROC(__clear_user)
>   EXPORT_SYMBOL(__clear_user)
> 

friendly ping ...

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
  2022-06-28 12:58 ` chenlifu
@ 2022-07-15  3:47   ` chenlifu
  2022-08-09 11:01     ` chenlifu
  0 siblings, 1 reply; 6+ messages in thread
From: chenlifu @ 2022-07-15  3:47 UTC (permalink / raw)
  To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
	wangkefeng.wang, linux-riscv, linux-kernel, alankao

>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and 
>> assembly")
>> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup 
>> code"),
>> if __clear_user and __copy_user return from an fixup branch,
>> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
>> S-mode memory accesses to pages that are accessible by U-mode will 
>> success.
>> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>>
>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>>
>> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
>> ---
>>   arch/riscv/lib/uaccess.S | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
>> index 8c475f4da308..ec486e5369d9 100644
>> --- a/arch/riscv/lib/uaccess.S
>> +++ b/arch/riscv/lib/uaccess.S
>> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>>       ret
>>       /* Exception fixup code */
>>   10:
>>       /* Disable access to user memory */
>> -    csrs CSR_STATUS, t6
>> +    csrc CSR_STATUS, t6
>>       mv a0, t5
>>       ret
>>   ENDPROC(__asm_copy_to_user)
>>   ENDPROC(__asm_copy_from_user)
>>   EXPORT_SYMBOL(__asm_copy_to_user)
>> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>>       j 3b
>>       /* Exception fixup code */
>>   11:
>>       /* Disable access to user memory */
>> -    csrs CSR_STATUS, t6
>> +    csrc CSR_STATUS, t6
>>       mv a0, a1
>>       ret
>>   ENDPROC(__clear_user)
>>   EXPORT_SYMBOL(__clear_user)
>>
> 
> friendly ping ...
> 

friendly ping ...

> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
> .

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
  2022-06-15  1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
  2022-06-28 12:58 ` chenlifu
@ 2022-07-18 15:10 ` Ben Dooks
  2022-08-10 22:01 ` Palmer Dabbelt
  2 siblings, 0 replies; 6+ messages in thread
From: Ben Dooks @ 2022-07-18 15:10 UTC (permalink / raw)
  To: Chen Lifu, paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
	wangkefeng.wang, linux-riscv, linux-kernel, alankao

On 15/06/2022 02:47, Chen Lifu wrote:
> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
> if __clear_user and __copy_user return from an fixup branch,
> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
> S-mode memory accesses to pages that are accessible by U-mode will success.
> Disable S-mode access to U-mode memory should clear SR_SUM bit.
> 
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
> 
> Signed-off-by: Chen Lifu <chenlifu@huawei.com>

I've not run tested this, but it does look correct

Reviewed-by: Ben Dooks <ben.dooks@codethink.co.uk>


> ---
>   arch/riscv/lib/uaccess.S | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
> index 8c475f4da308..ec486e5369d9 100644
> --- a/arch/riscv/lib/uaccess.S
> +++ b/arch/riscv/lib/uaccess.S
> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>   	ret
>   
>   	/* Exception fixup code */
>   10:
>   	/* Disable access to user memory */
> -	csrs CSR_STATUS, t6
> +	csrc CSR_STATUS, t6
>   	mv a0, t5
>   	ret
>   ENDPROC(__asm_copy_to_user)
>   ENDPROC(__asm_copy_from_user)
>   EXPORT_SYMBOL(__asm_copy_to_user)
> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>   	j 3b
>   
>   	/* Exception fixup code */
>   11:
>   	/* Disable access to user memory */
> -	csrs CSR_STATUS, t6
> +	csrc CSR_STATUS, t6
>   	mv a0, a1
>   	ret
>   ENDPROC(__clear_user)
>   EXPORT_SYMBOL(__clear_user)


-- 
Ben Dooks				http://www.codethink.co.uk/
Senior Engineer				Codethink - Providing Genius

https://www.codethink.co.uk/privacy.html

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
  2022-07-15  3:47   ` chenlifu
@ 2022-08-09 11:01     ` chenlifu
  0 siblings, 0 replies; 6+ messages in thread
From: chenlifu @ 2022-08-09 11:01 UTC (permalink / raw)
  To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
	wangkefeng.wang, linux-riscv, linux-kernel, alankao

在 2022/7/15 11:47, chenlifu 写道:
>>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and 
>>> assembly")
>>> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup 
>>> code"),
>>> if __clear_user and __copy_user return from an fixup branch,
>>> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
>>> S-mode memory accesses to pages that are accessible by U-mode will 
>>> success.
>>> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>>>
>>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>>> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>>>
>>> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
>>> ---
>>>   arch/riscv/lib/uaccess.S | 4 ++--
>>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
>>> index 8c475f4da308..ec486e5369d9 100644
>>> --- a/arch/riscv/lib/uaccess.S
>>> +++ b/arch/riscv/lib/uaccess.S
>>> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>>>       ret
>>>       /* Exception fixup code */
>>>   10:
>>>       /* Disable access to user memory */
>>> -    csrs CSR_STATUS, t6
>>> +    csrc CSR_STATUS, t6
>>>       mv a0, t5
>>>       ret
>>>   ENDPROC(__asm_copy_to_user)
>>>   ENDPROC(__asm_copy_from_user)
>>>   EXPORT_SYMBOL(__asm_copy_to_user)
>>> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>>>       j 3b
>>>       /* Exception fixup code */
>>>   11:
>>>       /* Disable access to user memory */
>>> -    csrs CSR_STATUS, t6
>>> +    csrc CSR_STATUS, t6
>>>       mv a0, a1
>>>       ret
>>>   ENDPROC(__clear_user)
>>>   EXPORT_SYMBOL(__clear_user)
>>>
>>
>> friendly ping ...
>>
> 
> friendly ping ...
> 
>> _______________________________________________
>> linux-riscv mailing list
>> linux-riscv@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-riscv
>> .
> .

friendly ping ...

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
  2022-06-15  1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
  2022-06-28 12:58 ` chenlifu
  2022-07-18 15:10 ` Ben Dooks
@ 2022-08-10 22:01 ` Palmer Dabbelt
  2 siblings, 0 replies; 6+ messages in thread
From: Palmer Dabbelt @ 2022-08-10 22:01 UTC (permalink / raw)
  To: chenlifu
  Cc: Paul Walmsley, aou, akira.tsukamoto, jszhang, wangkefeng.wang,
	linux-riscv, linux-kernel, alankao, chenlifu

On Tue, 14 Jun 2022 18:47:14 PDT (-0700), chenlifu@huawei.com wrote:
> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
> if __clear_user and __copy_user return from an fixup branch,
> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
> S-mode memory accesses to pages that are accessible by U-mode will success.
> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>
> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
> ---
>  arch/riscv/lib/uaccess.S | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
> index 8c475f4da308..ec486e5369d9 100644
> --- a/arch/riscv/lib/uaccess.S
> +++ b/arch/riscv/lib/uaccess.S
> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>  	ret
>
>  	/* Exception fixup code */
>  10:
>  	/* Disable access to user memory */
> -	csrs CSR_STATUS, t6
> +	csrc CSR_STATUS, t6
>  	mv a0, t5
>  	ret
>  ENDPROC(__asm_copy_to_user)
>  ENDPROC(__asm_copy_from_user)
>  EXPORT_SYMBOL(__asm_copy_to_user)
> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>  	j 3b
>
>  	/* Exception fixup code */
>  11:
>  	/* Disable access to user memory */
> -	csrs CSR_STATUS, t6
> +	csrc CSR_STATUS, t6
>  	mv a0, a1
>  	ret
>  ENDPROC(__clear_user)
>  EXPORT_SYMBOL(__clear_user)

Thanks, this is on for-next (still for 5.20).

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-08-10 22:01 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-15  1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
2022-06-28 12:58 ` chenlifu
2022-07-15  3:47   ` chenlifu
2022-08-09 11:01     ` chenlifu
2022-07-18 15:10 ` Ben Dooks
2022-08-10 22:01 ` Palmer Dabbelt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).