2020-12-03 06:54:01

by Eric Lin

Subject: [PATCH v2 0/2] Let illegal access to user-space memory die

Accesses to user-space memory without calling the uaccess routines
lead to hanging in the page fault handler. Like arm64, we let it
die earlier in the page fault handler.

Changes in v2:
-Add a die_kernel_fault() helper
-Split one long line code into two

Eric Lin (2):
riscv/mm: Introduce a die_kernel_fault() helper function
riscv/mm: Prevent kernel modules from accessing user memory without uaccess routines

arch/riscv/mm/fault.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

--
2.17.0


2020-12-03 06:54:30

by Eric Lin

Subject: [PATCH v2 2/2] riscv/mm: Prevent kernel modules from accessing user memory without uaccess routines

We found this issue in a legacy out-of-tree kernel module
which didn't properly access a user-space pointer via get/put_user().
Such an illegal access loops in the page fault handler.
To resolve this, let it die here.

Signed-off-by: Eric Lin <[email protected]>
Cc: Alan Kao <[email protected]>
---
arch/riscv/mm/fault.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index 0bcfd0e1b39e..00884c1bac28 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -245,6 +245,11 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
if (user_mode(regs))
flags |= FAULT_FLAG_USER;

+ if (!user_mode(regs) && addr < TASK_SIZE &&
+ unlikely(!(regs->status & SR_SUM)))
+ die_kernel_fault("access to user memory without uaccess routines",
+ addr, regs);
+
perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);

if (cause == EXC_STORE_PAGE_FAULT)
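Review bot: the `!user_mode(regs)` test in the new condition repeats, negated, the `if (user_mode(regs))` two lines above it; folding the check into an `else` branch of that `if` would keep the user and kernel paths adjacent and avoid evaluating the mode twice. A short comment on why the check is needed would also help future readers: with SR_SUM clear the hardware refuses supervisor accesses to addresses below TASK_SIZE whether or not a VMA covers them, so without this early exit the handler resolves the fault, the instruction is retried and faults again, which is the loop the description refers to. Finally, die_kernel_fault() is introduced by patch 1/2 of this series, so this hunk only builds with that patch applied first.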
--
2.17.0
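To make the loop described in the cover letter and in this patch concrete, here is a constructed user-space model (added example, not kernel code and not part of this series) of a do_page_fault()-style handler on a RISC-V-like CPU where the SUM bit gates supervisor access to user addresses. The TASK_SIZE value, the fault bound and the struct are assumptions of the model; only the SR_SUM bit position follows the real sstatus layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SR_SUM     (1UL << 18)      /* sstatus.SUM bit position on RISC-V */
#define TASK_SIZE  0x4000000000UL   /* constructed user/kernel VA split */
#define MAX_FAULTS 64               /* bound so the model terminates */

enum outcome { RESOLVED, DIED, HUNG };

struct fault_ctx {
    uintptr_t addr;        /* faulting address */
    bool user_mode;        /* privilege of the faulting instruction */
    unsigned long status;  /* sstatus at fault time */
    bool mapped;           /* does a VMA cover addr? */
    bool use_sum_check;    /* run the patch's early check or not */
};

/* Hardware side: would the retried access fault again? With SUM clear a
 * supervisor access to a user address faults even when the page is mapped. */
static bool access_faults(const struct fault_ctx *c)
{
    return !c->mapped ||
           (!c->user_mode && c->addr < TASK_SIZE && !(c->status & SR_SUM));
}

/* Software side: the fault/retry loop as the page fault handler sees it. */
static enum outcome handle(struct fault_ctx *c)
{
    for (int n = 0; n < MAX_FAULTS; n++) {
        if (c->use_sum_check && !c->user_mode && c->addr < TASK_SIZE &&
            !(c->status & SR_SUM))
            return DIED;            /* the patch: die_kernel_fault() */
        if (!c->mapped)
            return DIED;            /* no VMA: ordinary bad-area path */
        /* handle_mm_fault() succeeds, the instruction is retried... */
        if (!access_faults(c))
            return RESOLVED;
        /* ...and traps again with the same cause: back to the top. */
    }
    return HUNG;                    /* the hang the series removes */
}

int main(void)
{
    struct fault_ctx without = { 0x1000, false, 0, true, false };
    struct fault_ctx with    = { 0x1000, false, 0, true, true };
    printf("no check: %d (2 = hung)\nwith check: %d (1 = died)\n",
           handle(&without), handle(&with));
    return 0;
}
```

A kernel access made inside a uaccess routine has SUM set in sstatus, so the same handler resolves it normally; the model's third case below checks that path.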

2020-12-03 07:32:57

by Pekka Enberg

Subject: Re: [PATCH v2 0/2] Let illegal access to user-space memory die

Hi Eric,

On Thu, Dec 3, 2020 at 8:51 AM Eric Lin <[email protected]> wrote:
>
> Accesses to user-space memory without calling the uaccess routines
> lead to hanging in the page fault handler. Like arm64, we let it
> die earlier in the page fault handler.
>
> Changes in v2:
> -Add a die_kernel_fault() helper
> -Split one long line code into two

Please also make no_context() use the new helper. Other than that:

Reviewed-by: Pekka Enberg <[email protected]>

2020-12-03 08:22:23

by Eric Lin

Subject: Re: [PATCH v2 0/2] Let illegal access to user-space memory die

On Thu, Dec 03, 2020 at 03:29:57PM +0800, Pekka Enberg wrote:

Hi Pekka,

> Hi Eric,
>
> On Thu, Dec 3, 2020 at 8:51 AM Eric Lin <[email protected]> wrote:
> >
> > Accesses to user-space memory without calling the uaccess routines
> > lead to hanging in the page fault handler. Like arm64, we let it
> > die earlier in the page fault handler.
> >
> > Changes in v2:
> > -Add a die_kernel_fault() helper
> > -Split one long line code into two
>
> Please also make no_context() use the new helper. Other than that:
>

OK, I'll make no_context() use the new helper in v3.
Thanks for your review.

> Reviewed-by: Pekka Enberg <[email protected]>