From: chenlifu <chenlifu@huawei.com>
To: <paul.walmsley@sifive.com>, <palmer@dabbelt.com>,
<aou@eecs.berkeley.edu>, <akira.tsukamoto@gmail.com>,
<jszhang@kernel.org>, <wangkefeng.wang@huawei.com>,
<linux-riscv@lists.infradead.org>, <linux-kernel@vger.kernel.org>,
<alankao@andestech.com>
Subject: Re: [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit
Date: Fri, 15 Jul 2022 11:47:01 +0800 [thread overview]
Message-ID: <606b1f5a-ea1e-f756-a00b-6b622238b453@huawei.com> (raw)
In-Reply-To: <11a0698c-5726-15e8-2448-3529d2d0b098@huawei.com>
>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and
>> assembly")
>> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup
>> code"),
>> if __clear_user and __copy_user return from an fixup branch,
>> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that
>> S-mode memory accesses to pages that are accessible by U-mode will
>> success.
>> Disable S-mode access to U-mode memory should clear SR_SUM bit.
>>
>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
>> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code")
>>
>> Signed-off-by: Chen Lifu <chenlifu@huawei.com>
>> ---
>> arch/riscv/lib/uaccess.S | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S
>> index 8c475f4da308..ec486e5369d9 100644
>> --- a/arch/riscv/lib/uaccess.S
>> +++ b/arch/riscv/lib/uaccess.S
>> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user)
>> ret
>> /* Exception fixup code */
>> 10:
>> /* Disable access to user memory */
>> - csrs CSR_STATUS, t6
>> + csrc CSR_STATUS, t6
>> mv a0, t5
>> ret
>> ENDPROC(__asm_copy_to_user)
>> ENDPROC(__asm_copy_from_user)
>> EXPORT_SYMBOL(__asm_copy_to_user)
>> @@ -225,10 +225,10 @@ ENTRY(__clear_user)
>> j 3b
>> /* Exception fixup code */
>> 11:
>> /* Disable access to user memory */
>> - csrs CSR_STATUS, t6
>> + csrc CSR_STATUS, t6
>> mv a0, a1
>> ret
>> ENDPROC(__clear_user)
>> EXPORT_SYMBOL(__clear_user)
>>
>
> friendly ping ...
>
friendly ping ...
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
> .
next prev parent reply other threads:[~2022-07-15 3:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-15 1:47 [PATCH -next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Chen Lifu
2022-06-28 12:58 ` chenlifu
2022-07-15 3:47 ` chenlifu [this message]
2022-08-09 11:01 ` chenlifu
2022-07-18 15:10 ` Ben Dooks
2022-08-10 22:01 ` Palmer Dabbelt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=606b1f5a-ea1e-f756-a00b-6b622238b453@huawei.com \
--to=chenlifu@huawei.com \
--cc=akira.tsukamoto@gmail.com \
--cc=alankao@andestech.com \
--cc=aou@eecs.berkeley.edu \
--cc=jszhang@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).