From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net
Cc: Paul Mackerras <paulus@ozlabs.org>,
	Michael Ellerman <mpe@ellerman.id.au>, Willy Tarreau <w@1wt.eu>
Subject: [PATCH 3.10 064/319] powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
Date: Sun,  5 Feb 2017 20:20:51 +0100
Message-ID: <1486322486-8024-35-git-send-email-w@1wt.eu>
In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu>

From: Paul Mackerras <paulus@ozlabs.org>

commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa upstream.

In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13)
we lost a check on the region number (the top four bits of the effective
address) for addresses below PAGE_OFFSET.  That commit replaced a check
that the top 18 bits were all zero with a check that bits 46 - 59 were
zero (performed for all addresses, not just user addresses).

This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
and we will insert a valid SLB entry for it.  The VSID used will be the
same as if the top 4 bits were 0, but the page size will be some random
value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
array in the paca.  If that page size is the same as would be used for
region 0, then userspace just has an alias of the region 0 space.  If the
page size is different, then no HPTE will be found for the access, and
the process will get a SIGSEGV (since hash_page_mm() will refuse to create
a HPTE for the bogus address).

The access beyond the end of the mm_ctx_high_slices_psize can be at most
5.5MB past the array, and so will be in RAM somewhere.  Since the access
is a load performed in real mode, it won't fault or crash the kernel.
At most this bug could perhaps leak a little bit of information about
blocks of 32 bytes of memory located at offsets of i * 512kB past the
paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.

Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range")
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 arch/powerpc/mm/slb_low.S | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/mm/slb_low.S b/arch/powerpc/mm/slb_low.S
index 17aa6df..e507f5e 100644
--- a/arch/powerpc/mm/slb_low.S
+++ b/arch/powerpc/mm/slb_low.S
@@ -110,7 +110,12 @@ BEGIN_FTR_SECTION
 END_MMU_FTR_SECTION_IFCLR(MMU_FTR_1T_SEGMENT)
 	b	slb_finish_load_1T
 
-0:
+0:	/*
+	 * For userspace addresses, make sure this is region 0.
+	 */
+	cmpdi	r9, 0
+	bne	8f
+
 	/* when using slices, we extract the psize off the slice bitmaps
 	 * and then we need to get the sllp encoding off the mmu_psize_defs
 	 * array.
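Review bot: the new comment at label `0:` should say what r9 holds and where `bne 8f` goes, since neither is visible in this hunk: the commit message says the region number is the top four bits of the effective address and that bogus addresses must end up with no SLB entry, so a reader of slb_low.S alone cannot tell that `cmpdi r9, 0` compares that region number or that label 8 is the no-SLB-entry exit. Suggest expanding the comment to something like "For userspace addresses, make sure this is region 0 (r9 holds the top four bits of the EA); otherwise bail out without inserting an SLB entry", so the intent survives in the assembly and not only in the changelog.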
-- 
2.8.0.rc2.1.gbe9624a
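The arithmetic behind the changelog's "i * 512kB" and "32 bytes" figures, as an added C model of the user-address check before and after this fix (not the kernel's code): it assumes the 3.10-era slice layout, 1TB high slices selected by `ea >> 40` with one page-size nibble per slice in a 32-byte `mm_ctx_high_slices_psize` array, and the helper names are hypothetical.

```c
/* Added model of the slb_low.S user-address check before and after the fix;
 * not the kernel's code. Assumed 3.10-era layout, taken from the commit
 * message's own figures: 1TB high slices (SLICE_HIGH_SHIFT = 40), one
 * page-size nibble per slice, so paca->mm_ctx_high_slices_psize is 32 bytes. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SLICE_HIGH_SHIFT  40
#define HIGH_SLICES_BYTES 32

/* Region number: the top four bits of the effective address. */
unsigned int ea_region(uint64_t ea) { return (unsigned int)(ea >> 60); }

/* The check that c60ac5693c47 kept: bits 46-59 of the EA must be zero. */
bool bits_46_59_clear(uint64_t ea) { return ((ea >> 46) & 0x3fffULL) == 0; }

/* Byte offset the slice lookup uses: slice = ea >> 40, two nibbles per
 * byte, so byte index = slice >> 1. With bits 46-59 zero, region i gives
 * i * 512kB plus 0..31, the 32-byte blocks the commit message describes. */
uint64_t psize_byte_offset(uint64_t ea) { return (ea >> SLICE_HIGH_SHIFT) >> 1; }

/* Does the lookup stay inside the 32-byte array? */
bool lookup_in_bounds(uint64_t ea) { return psize_byte_offset(ea) < HIGH_SLICES_BYTES; }

/* Before the fix only the bits 46-59 check gated the user path. */
bool user_ea_accepted_before_fix(uint64_t ea) { return bits_46_59_clear(ea); }

/* After the fix ("cmpdi r9, 0 / bne 8f"), region 0 is also required. */
bool user_ea_accepted_after_fix(uint64_t ea)
{
	return bits_46_59_clear(ea) && ea_region(ea) == 0;
}

int main(void)
{
	/* Constructed input: region 1, the commit message's own example. */
	uint64_t ea = 0x1000000000000000ULL;
	printf("region %u offset %llu in_bounds %d before %d after %d\n",
	       ea_region(ea), (unsigned long long)psize_byte_offset(ea),
	       lookup_in_bounds(ea), user_ea_accepted_before_fix(ea),
	       user_ea_accepted_after_fix(ea));
	return 0;
}
```

Region 0xB (the largest region below PAGE_OFFSET) yields an offset of 11 * 512kB, the 5.5MB upper bound the changelog states.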
