From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9EC00C43460 for ; Mon, 5 Apr 2021 16:05:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 82281613F0 for ; Mon, 5 Apr 2021 16:05:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241969AbhDEQFM (ORCPT ); Mon, 5 Apr 2021 12:05:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:56144 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241953AbhDEQEf (ORCPT ); Mon, 5 Apr 2021 12:04:35 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 1D867613CB; Mon, 5 Apr 2021 16:04:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1617638668; bh=FmeEp9DlJn1O6l/gDwyedOEMenAYz7+FkaYusJwSGo0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KPERcj/ZTr60rXzkvluvhEXJVzd8pYT7+OxCeUS4DoD0FqWN9Q7vFqwhpODdECW+p vxjZhp8bQj1nuMw+k+fEXeR9lFJ81rKW83ajbYhP+Nw+K0JrFdTEw0hRvcHuN+N2Ov MPPmo7iIrGLOAGnqxy3eHHHcdNfYnT0ezN981mhbHwxpgo7qdWul8OLGR5y7WwbyIx Ahh2b/f4w0OfyXF2o7nJwGbvWwCJZrXXPZ/H8g69k0r31mhdDMFo6iZne06jjIJOA9 SeqWb7SL/rpINaRRHPbjbJ7Mgk7ZMfhNbaENmay3WX46UT8rN1cO3gnZzO5ihChRPc BxUVlG+x1y4Qg== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Ben Dooks , syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com, Arnd Bergman , Palmer Dabbelt , Sasha Levin , linux-riscv@lists.infradead.org Subject: [PATCH AUTOSEL 5.11 20/22] riscv: evaluate put_user() arg before enabling user access Date: Mon, 5 Apr 2021 12:04:03 -0400 Message-Id: <20210405160406.268132-20-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210405160406.268132-1-sashal@kernel.org> References: <20210405160406.268132-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ben Dooks [ Upstream commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 ] The header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin --- arch/riscv/include/asm/uaccess.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h index 824b2c9da75b..f944062c9d99 100644 --- a/arch/riscv/include/asm/uaccess.h +++ b/arch/riscv/include/asm/uaccess.h @@ -306,7 +306,9 @@ do { \ * data types like structures or arrays. * * @ptr must have pointer-to-simple-variable type, and @x must be assignable - * to the result of dereferencing @ptr. + * to the result of dereferencing @ptr. The value of @x is copied to avoid + * re-ordering where @x is evaluated inside the block that enables user-space + * access (thus bypassing user space protection if @x is a function). * * Caller must check the pointer with access_ok() before calling this * function. @@ -316,12 +318,13 @@ do { \ #define __put_user(x, ptr) \ ({ \ __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ + __typeof__(*__gu_ptr) __val = (x); \ long __pu_err = 0; \ \ __chk_user_ptr(__gu_ptr); \ \ __enable_user_access(); \ - __put_user_nocheck(x, __gu_ptr, __pu_err); \ + __put_user_nocheck(__val, __gu_ptr, __pu_err); \ __disable_user_access(); \ \ __pu_err; \ -- 2.30.2