* [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
@ 2022-06-15 1:47 Chen Lifu
2022-06-28 12:58 ` chenlifu
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Chen Lifu @ 2022-06-15 1:47 UTC (permalink / raw)
To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
wangkefeng.wang, linux-riscv, linux-kernel, alankao
Cc: chenlifu
Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
if __clear_user and __copy_user return from an fixup branch,
CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
S-mode memory accesses to pages that are accessible by U-mode will success.
Disable S-mode access to U-mode memory should clear SR_SUM bit.
Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
Signed-off-by: Chen Lifu <chenlifu@huawei.com>
---
arch/riscv/lib/uaccess.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
index 8c475f4da308..ec486e5369d9 100644
--- a/arch/riscv/lib/uaccess.S
+++ b/arch/riscv/lib/uaccess.S
@@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
ret
/* Exception fixup code */
10:
/* Disable access to user memory */
- csrs CSR_STATUS, t6
+ csrc CSR_STATUS, t6
mv a0, t5
ret
ENDPROC(__asm_copy_to_user)
ENDPROC(__asm_copy_from_user)
EXPORT_SYMBOL(__asm_copy_to_user)
@@ -225,10 +225,10 @@ ENTRY(__clear_user)
j 3b
/* Exception fixup code */
11:
/* Disable access to user memory */
- csrs CSR_STATUS, t6
+ csrc CSR_STATUS, t6
mv a0, a1
ret
ENDPROC(__clear_user)
EXPORT_SYMBOL(__clear_user)
--
2.35.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
2022-06-15 1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
@ 2022-06-28 12:58 ` chenlifu
2022-07-15 3:47 ` chenlifu
2022-07-18 15:10 ` Ben Dooks
2022-08-10 22:01 ` Palmer Dabbelt
2 siblings, 1 reply; 6+ messages in thread
From: chenlifu @ 2022-06-28 12:58 UTC (permalink / raw)
To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
wangkefeng.wang, linux-riscv, linux-kernel, alankao
> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
> if __clear_user and __copy_user return from an fixup branch,
> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
> S-mode memory accesses to pages that are accessible by U-mode will success.
> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>
> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
> ---
> arch/riscv/lib/uaccess.S | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
> index 8c475f4da308..ec486e5369d9 100644
> --- a/arch/riscv/lib/uaccess.S
> +++ b/arch/riscv/lib/uaccess.S
> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
> ret
>
> /* Exception fixup code */
> 10:
> /* Disable access to user memory */
> - csrs CSR_STATUS, t6
> + csrc CSR_STATUS, t6
> mv a0, t5
> ret
> ENDPROC(__asm_copy_to_user)
> ENDPROC(__asm_copy_from_user)
> EXPORT_SYMBOL(__asm_copy_to_user)
> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
> j 3b
>
> /* Exception fixup code */
> 11:
> /* Disable access to user memory */
> - csrs CSR_STATUS, t6
> + csrc CSR_STATUS, t6
> mv a0, a1
> ret
> ENDPROC(__clear_user)
> EXPORT_SYMBOL(__clear_user)
>
friendly ping ...
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
2022-06-28 12:58 ` chenlifu
@ 2022-07-15 3:47 ` chenlifu
2022-08-09 11:01 ` chenlifu
0 siblings, 1 reply; 6+ messages in thread
From: chenlifu @ 2022-07-15 3:47 UTC (permalink / raw)
To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
wangkefeng.wang, linux-riscv, linux-kernel, alankao
>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and
>> assembly")
>> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup
>> code"),
>> if __clear_user and __copy_user return from an fixup branch,
>> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
>> S-mode memory accesses to pages that are accessible by U-mode will
>> success.
>> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>>
>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>>
>> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
>> ---
>> arch/riscv/lib/uaccess.S | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
>> index 8c475f4da308..ec486e5369d9 100644
>> --- a/arch/riscv/lib/uaccess.S
>> +++ b/arch/riscv/lib/uaccess.S
>> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>> ret
>> /* Exception fixup code */
>> 10:
>> /* Disable access to user memory */
>> - csrs CSR_STATUS, t6
>> + csrc CSR_STATUS, t6
>> mv a0, t5
>> ret
>> ENDPROC(__asm_copy_to_user)
>> ENDPROC(__asm_copy_from_user)
>> EXPORT_SYMBOL(__asm_copy_to_user)
>> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>> j 3b
>> /* Exception fixup code */
>> 11:
>> /* Disable access to user memory */
>> - csrs CSR_STATUS, t6
>> + csrc CSR_STATUS, t6
>> mv a0, a1
>> ret
>> ENDPROC(__clear_user)
>> EXPORT_SYMBOL(__clear_user)
>>
>
> friendly ping ...
>
friendly ping ...
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
> .
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
2022-06-15 1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
2022-06-28 12:58 ` chenlifu
@ 2022-07-18 15:10 ` Ben Dooks
2022-08-10 22:01 ` Palmer Dabbelt
2 siblings, 0 replies; 6+ messages in thread
From: Ben Dooks @ 2022-07-18 15:10 UTC (permalink / raw)
To: Chen Lifu, paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
wangkefeng.wang, linux-riscv, linux-kernel, alankao
On 15/06/2022 02:47, Chen Lifu wrote:
> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
> if __clear_user and __copy_user return from an fixup branch,
> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
> S-mode memory accesses to pages that are accessible by U-mode will success.
> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>
> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
I've not run tested this, but it does look correct
Reviewed-by: Ben Dooks <ben.dooks@codethink.co.uk>
> ---
> arch/riscv/lib/uaccess.S | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
> index 8c475f4da308..ec486e5369d9 100644
> --- a/arch/riscv/lib/uaccess.S
> +++ b/arch/riscv/lib/uaccess.S
> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
> ret
>
> /* Exception fixup code */
> 10:
> /* Disable access to user memory */
> - csrs CSR_STATUS, t6
> + csrc CSR_STATUS, t6
> mv a0, t5
> ret
> ENDPROC(__asm_copy_to_user)
> ENDPROC(__asm_copy_from_user)
> EXPORT_SYMBOL(__asm_copy_to_user)
> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
> j 3b
>
> /* Exception fixup code */
> 11:
> /* Disable access to user memory */
> - csrs CSR_STATUS, t6
> + csrc CSR_STATUS, t6
> mv a0, a1
> ret
> ENDPROC(__clear_user)
> EXPORT_SYMBOL(__clear_user)
--
Ben Dooks http://www.codethink.co.uk/
Senior Engineer Codethink - Providing Genius
https://www.codethink.co.uk/privacy.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
2022-07-15 3:47 ` chenlifu
@ 2022-08-09 11:01 ` chenlifu
0 siblings, 0 replies; 6+ messages in thread
From: chenlifu @ 2022-08-09 11:01 UTC (permalink / raw)
To: paul.walmsley, palmer, aou, akira.tsukamoto, jszhang,
wangkefeng.wang, linux-riscv, linux-kernel, alankao
在 2022/7/15 11:47, chenlifu 写道:
>>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and
>>> assembly")
>>> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup
>>> code"),
>>> if __clear_user and __copy_user return from an fixup branch,
>>> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
>>> S-mode memory accesses to pages that are accessible by U-mode will
>>> success.
>>> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>>>
>>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>>> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>>>
>>> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
>>> ---
>>> arch/riscv/lib/uaccess.S | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
>>> index 8c475f4da308..ec486e5369d9 100644
>>> --- a/arch/riscv/lib/uaccess.S
>>> +++ b/arch/riscv/lib/uaccess.S
>>> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>>> ret
>>> /* Exception fixup code */
>>> 10:
>>> /* Disable access to user memory */
>>> - csrs CSR_STATUS, t6
>>> + csrc CSR_STATUS, t6
>>> mv a0, t5
>>> ret
>>> ENDPROC(__asm_copy_to_user)
>>> ENDPROC(__asm_copy_from_user)
>>> EXPORT_SYMBOL(__asm_copy_to_user)
>>> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>>> j 3b
>>> /* Exception fixup code */
>>> 11:
>>> /* Disable access to user memory */
>>> - csrs CSR_STATUS, t6
>>> + csrc CSR_STATUS, t6
>>> mv a0, a1
>>> ret
>>> ENDPROC(__clear_user)
>>> EXPORT_SYMBOL(__clear_user)
>>>
>>
>> friendly ping ...
>>
>
> friendly ping ...
>
>> _______________________________________________
>> linux-riscv mailing list
>> linux-riscv@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-riscv
>> .
> .
friendly ping ...
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
2022-06-15 1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
2022-06-28 12:58 ` chenlifu
2022-07-18 15:10 ` Ben Dooks
@ 2022-08-10 22:01 ` Palmer Dabbelt
2 siblings, 0 replies; 6+ messages in thread
From: Palmer Dabbelt @ 2022-08-10 22:01 UTC (permalink / raw)
To: chenlifu
Cc: Paul Walmsley, aou, akira.tsukamoto, jszhang, wangkefeng.wang,
linux-riscv, linux-kernel, alankao, chenlifu
On Tue, 14 Jun 2022 18:47:14 PDT (-0700), chenlifu@huawei.com wrote:
> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"),
> if __clear_user and __copy_user return from an fixup branch,
> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
> S-mode memory accesses to pages that are accessible by U-mode will success.
> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>
> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>
> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
> ---
> arch/riscv/lib/uaccess.S | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
> index 8c475f4da308..ec486e5369d9 100644
> --- a/arch/riscv/lib/uaccess.S
> +++ b/arch/riscv/lib/uaccess.S
> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
> ret
>
> /* Exception fixup code */
> 10:
> /* Disable access to user memory */
> - csrs CSR_STATUS, t6
> + csrc CSR_STATUS, t6
> mv a0, t5
> ret
> ENDPROC(__asm_copy_to_user)
> ENDPROC(__asm_copy_from_user)
> EXPORT_SYMBOL(__asm_copy_to_user)
> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
> j 3b
>
> /* Exception fixup code */
> 11:
> /* Disable access to user memory */
> - csrs CSR_STATUS, t6
> + csrc CSR_STATUS, t6
> mv a0, a1
> ret
> ENDPROC(__clear_user)
> EXPORT_SYMBOL(__clear_user)
Thanks, this is on for-next (still for 5.20).
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-08-10 22:01 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-15 1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
2022-06-28 12:58 ` chenlifu
2022-07-15 3:47 ` chenlifu
2022-08-09 11:01 ` chenlifu
2022-07-18 15:10 ` Ben Dooks
2022-08-10 22:01 ` Palmer Dabbelt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).