From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D87CC433EF for ; Mon, 18 Jul 2022 15:26:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235507AbiGRP04 (ORCPT ); Mon, 18 Jul 2022 11:26:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40656 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235435AbiGRP0t (ORCPT ); Mon, 18 Jul 2022 11:26:49 -0400 Received: from imap4.hz.codethink.co.uk (imap4.hz.codethink.co.uk [188.40.203.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0E00E29805 for ; Mon, 18 Jul 2022 08:26:46 -0700 (PDT) Received: from [167.98.27.226] (helo=[10.35.4.171]) by imap4.hz.codethink.co.uk with esmtpsa (Exim 4.94.2 #2 (Debian)) id 1oDSO7-002C7q-5v; Mon, 18 Jul 2022 16:10:23 +0100 Message-ID: <5dcbc6e6-a5f4-a28e-b78a-9eddce1b7ca8@codethink.co.uk> Date: Mon, 18 Jul 2022 16:10:22 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0 Subject: Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Content-Language: en-GB To: Chen Lifu , paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, akira.tsukamoto@gmail.com, jszhang@kernel.org, wangkefeng.wang@huawei.com, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, alankao@andestech.com References: <20220615014714.1650349-1-chenlifu@huawei.com> From: Ben Dooks Organization: Codethink Limited. In-Reply-To: <20220615014714.1650349-1-chenlifu@huawei.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 15/06/2022 02:47, Chen Lifu wrote: > Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), > if __clear_user and __copy_user return from an fixup branch, > CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that > S-mode memory accesses to pages that are accessible by U-mode will success. > Disable S-mode access to U-mode memory should clear SR_SUM bit. > > Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") > > Signed-off-by: Chen Lifu I've not run tested this, but it does look correct Reviewed-by: Ben Dooks > --- > arch/riscv/lib/uaccess.S | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S > index 8c475f4da308..ec486e5369d9 100644 > --- a/arch/riscv/lib/uaccess.S > +++ b/arch/riscv/lib/uaccess.S > @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) > ret > > /* Exception fixup code */ > 10: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, t5 > ret > ENDPROC(__asm_copy_to_user) > ENDPROC(__asm_copy_from_user) > EXPORT_SYMBOL(__asm_copy_to_user) > @@ -225,10 +225,10 @@ ENTRY(__clear_user) > j 3b > > /* Exception fixup code */ > 11: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, a1 > ret > ENDPROC(__clear_user) > EXPORT_SYMBOL(__clear_user) -- Ben Dooks http://www.codethink.co.uk/ Senior Engineer Codethink - Providing Genius https://www.codethink.co.uk/privacy.html