Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1015115imu;
        Fri, 9 Nov 2018 09:33:37 -0800 (PST)
X-Google-Smtp-Source: AJdET5eBh+boKRLSyYrSPX0QDkdEp5GOnZ8xnfQoEI0V0wb82PV9+DcNbDSenRrfoTQD6hoEl38I
X-Received: by 2002:a17:902:bccc:: with SMTP id o12-v6mr9949455pls.281.1541784817252;
        Fri, 09 Nov 2018 09:33:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1541784817; cv=none;
        d=google.com; s=arc-20160816;
        b=BiRqftSnnhWBeP52MktNTMa4xuNP7Re36JrVeyg/2gs3G5MUZY2Ta9RlP/PvRKQ6RH
         VhAOUTSDqK31Lf8pr/tlbAA0mbEClxlYywfXJRa78WLJR+DnVgSfE9rwK5Hsy5jAKia3
         7ZA9TWlDfEktRZVXsBwBBPaNfy3MwH+UQdSzAjNR0teNjqmrBSt04DdBrZ7Pj9yyA4o4
         16el2dpSwfUMsxGJIyQmNEZd/zjqW2Q6cBAIrG580Rzf3mnJ6k8a9iSa8kZfkjxbB5Xo
         bRAqDwQkHhXJJnO2thVCSXl4C0/y5tl7s0jDWZ526d71MEmaJOQScDyXsCINn2NAHlx9
         usQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:autocrypt:openpgp:from:references:newsgroups:cc:to
         :subject:dkim-signature;
        bh=4Ukuzi9lb2pjJjk7QCmM13CYh6ojetSlcx0XGTeftmI=;
        b=MYkfotwwYVyx9pLOg5omiIc3lCSZKu0Mp1P4zxCpphRLEFe9vJ5YN/6qG4AAicfkgT
         CYS9ph9R6enAe0uI2M1TejqNoOKzlkq8qn/y04eabW9pFoRUHnCCOsEHAfWBdTsyex3D
         +nsNFxaY26XPvokFNqBWfjTAlS/S+xQndia4b8WP/UO1pdmqeN2A3e0TZ1rEZKt+gRYL
         Ciy4s9yGSZVr5YSzuNtEVvbIPTQ1MTi/3m3XOnlzWgbEf1GumGBmVryLWuTkRDgyFitS
         VSmkpqgtE+Wo3A4xNGfCodv//QQN1kpGcNEnsKp6+BuTzXl/ju5iMNtLM1SvUcOVFOf/
         iF6w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@synopsys.com header.s=mail header.b=QaymM5tL;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=synopsys.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 11si7453780pgs.126.2018.11.09.09.33.08;
        Fri, 09 Nov 2018 09:33:37 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@synopsys.com header.s=mail header.b=QaymM5tL;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=synopsys.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728647AbeKJDNy (ORCPT <rfc822;hubert.jasudowicz@gmail.com>
        + 99 others); Fri, 9 Nov 2018 22:13:54 -0500
Received: from smtprelay.synopsys.com ([198.182.47.9]:57948 "EHLO
        smtprelay.synopsys.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728007AbeKJDNy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Nov 2018 22:13:54 -0500
Received: from mailhost.synopsys.com (mailhost3.synopsys.com [10.12.238.238])
        by smtprelay.synopsys.com (Postfix) with ESMTP id 132AE24E01D3;
        Fri,  9 Nov 2018 09:32:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=synopsys.com; s=mail;
        t=1541784741; bh=7I/pOctJXKwqF5+aG/Z80Z1TgRCyR81ex4udOKC1QvI=;
        h=Subject:To:CC:References:From:Date:In-Reply-To:From;
        b=QaymM5tLits9InzA+5tkcb4ZJfFdvrdQDaLl95OUubcN6w42k6Jk6+VJJ4J0qP5BY
         wdravpm0kk4GT+bvERcMiOJ9SsG3NSv2K2cY0Jk1s9JSt2B2f9Ey5cOb9Qk6q+2tDU
         t2BpTTieRh3cNKcObIC3RRYw6eM+qPZRRnQRjjM93UaqIvj8oDxmlZH4U8vIiBfszF
         J8ZC2OAMbnEteUtMVXIV0iwIVLI2aUuVjifqNf4ZAzwXy93MCeMQHS+ZRM6sEQ+gko
         P8rmdSGORqQjlfCdwvkDcfZ7z6/k+f3CfdoBkNUbryiSjZ2j+G6BuLEMqFS9eEAJdk
         hxcuCIDxL1uHQ==
Received: from us01wehtc1.internal.synopsys.com (us01wehtc1-vip.internal.synopsys.com [10.12.239.236])
        by mailhost.synopsys.com (Postfix) with ESMTP id E91CA301B;
        Fri,  9 Nov 2018 09:32:20 -0800 (PST)
Received: from IN01WEHTCB.internal.synopsys.com (10.144.199.106) by
 us01wehtc1.internal.synopsys.com (10.12.239.235) with Microsoft SMTP Server
 (TLS) id 14.3.408.0; Fri, 9 Nov 2018 09:32:21 -0800
Received: from IN01WEHTCA.internal.synopsys.com (10.144.199.103) by
 IN01WEHTCB.internal.synopsys.com (10.144.199.105) with Microsoft SMTP Server
 (TLS) id 14.3.408.0; Fri, 9 Nov 2018 23:02:18 +0530
Received: from [10.10.161.72] (10.10.161.72) by
 IN01WEHTCA.internal.synopsys.com (10.144.199.243) with Microsoft SMTP Server
 (TLS) id 14.3.408.0; Fri, 9 Nov 2018 23:02:17 +0530
Subject: Re: [PATCH] ARC: MM: fix UB and kernel resourse leak in do_page_fault
To:     Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>,
        <linux-snps-arc@lists.infradead.org>
CC:     <linux-kernel@vger.kernel.org>,
        Alexey Brodkin <alexey.brodkin@synopsys.com>,
        "Eric W . Biederman" <ebiederm@xmission.com>,
        <linux-arch@vger.kernel.org>
Newsgroups: gmane.linux.kernel,gmane.linux.kernel.arc,gmane.linux.kernel.cross-arch
References: <20181107121249.6657-1-Eugeniy.Paltsev@synopsys.com>
From:   Vineet Gupta <vineet.gupta1@synopsys.com>
Openpgp: preference=signencrypt
Autocrypt: addr=vgupta@synopsys.com; keydata=
 xsFNBFEffBMBEADIXSn0fEQcM8GPYFZyvBrY8456hGplRnLLFimPi/BBGFA24IR+B/Vh/EFk
 B5LAyKuPEEbR3WSVB1x7TovwEErPWKmhHFbyugdCKDv7qWVj7pOB+vqycTG3i16eixB69row
 lDkZ2RQyy1i/wOtHt8Kr69V9aMOIVIlBNjx5vNOjxfOLux3C0SRl1veA8sdkoSACY3McOqJ8
 zR8q1mZDRHCfz+aNxgmVIVFN2JY29zBNOeCzNL1b6ndjU73whH/1hd9YMx2Sp149T8MBpkuQ
 cFYUPYm8Mn0dQ5PHAide+D3iKCHMupX0ux1Y6g7Ym9jhVtxq3OdUI5I5vsED7NgV9c8++baM
 7j7ext5v0l8UeulHfj4LglTaJIvwbUrCGgtyS9haKlUHbmey/af1j0sTrGxZs1ky1cTX7yeF
 nSYs12GRiVZkh/Pf3nRLkjV+kH++ZtR1GZLqwamiYZhAHjo1Vzyl50JT9EuX07/XTyq/Bx6E
 dcJWr79ZphJ+mR2HrMdvZo3VSpXEgjROpYlD4GKUApFxW6RrZkvMzuR2bqi48FThXKhFXJBd
 JiTfiO8tpXaHg/yh/V9vNQqdu7KmZIuZ0EdeZHoXe+8lxoNyQPcPSj7LcmE6gONJR8ZqAzyk
 F5voeRIy005ZmJJ3VOH3Gw6Gz49LVy7Kz72yo1IPHZJNpSV5xwARAQABzS1WaW5lZXQgR3Vw
 dGEgKHBlcnNvbmFsKSA8dmluZWV0Zzc2QGdtYWlsLmNvbT7CwX4EEwECACgCGwMGCwkIBwMC
 BhUIAgkKCwQWAgMBAh4BAheABQJbBYpwBQkLx0HcAAoJEGnX8d3iisJe9TAP/3ljkSlRwToH
 O0E9QimJJqF52uZ0phSg1ZoavgHhGtz1mRykgeOzOITpFmYGBnf3v2Z33fDltIxTaN5TkRwl
 DjYvz1NTBlTLyPRbYwdCn6YyVSWj75hiGwdD0/N5M7Rb3XYsyDHvZ/tns1oGwipPmu9G+JoB
 VOkZw/bviE8AmGEK54PWdU1t3AnJ/3wtT6FSIPlTtCREiuZdQItjFkH0sYL1/BOXcE+XoBoQ
 9hx6IEb46pop9ix/IRov2y6ZBUtDbF+SOSvImRadvD8A1ttvH51naP21Bra3ypV/GmZOR1/U
 8azvgKmimYvC0345za/dS8eqrDuSh2IbEkDR0juQsFbkWS4IY5uqckzRWxHVZBas9CjpjipO
 C4iTzxq3CgmCyAD5qlQndJdhbsTgN18PXVAAI/phC1BtjNOoCgWgNsr8JK2TbXNF9wSR17T7
 jDWCZ+Up8k5CTVQywLwJl91u5dV82WAnHnv3U1dwUX46DFMenV16ADfRrm7ib+D/O0XZMP7B
 sGC7PPleU+Ej/rt6V4H6VZ5RC9CXVCdUjM+ZZsqJc6/f5od4gSyswWQzCb/izU5ebxrehTUJ
 lPh2QCa6e46G1WzLWwZCFmQU3uUQtCXU1BBId/nL+Y3hQW0XKapvTx+zr8cZAZDXb83YE8Qs
 inBoGE5y9nj+ZveaVZHZRy63zsFNBFEffBMBEADXZ2pWw4Regpfw+V+Vr6tvZFRl245PV9rW
 FU72xNuvZKq/WE3xMu+ZE7l2JKpSjrEoeOHejtT0cILeQ/Yhf2t2xAlrBLlGOMmMYKK/K0Dc
 2zf0MiPRbW/NCivMbGRZdhAAMx1bpVhInKjU/6/4mT7gcE57Ep0tl3HBfpxCK8RRlZc3v8BH
 OaEfcWSQD7QNTZK/kYJo+Oyux+fzyM5TTuKAaVE63NHCgWtFglH2vt2IyJ1XoPkAMueLXay6
 enSKNci7qAG2UwicyVDCK9AtEub+ps8NakkeqdSkDRp5tQldJbfDaMXuWxJuPjfSojHIAbFq
 P6QaANXvTCSuBgkmGZ58skeNopasrJA4z7OsKRUBvAnharU82HGemtIa4Z83zotOGNdaBBOH
 NN2MHyfGLm+kEoccQheH+my8GtbH1a8eRBtxlk4c02ONkq1Vg1EbIzvgi4a56SrENFx4+4sZ
 cm8oItShAoKGIE/UCkj/jPlWqOcM/QIqJ2bR8hjBny83ONRf2O9nJuEYw9vZAPFViPwWG8tZ
 7J+ReuXKai4DDr+8oFOi/40mIDe/Bat3ftyd+94Z1RxDCngd3Q85bw13t2ttNLw5eHufLIpo
 EyAhTCLNQ58eT91YGVGvFs39IuH0b8ovVvdkKGInCT59Vr0MtfgcsqpDxWQXJXYZYTFHd3/R
 swARAQABwsFlBBgBAgAPAhsMBQJbBYpwBQkLx0HdAAoJEGnX8d3iisJewe8P/36pkZrVTfO+
 U+Gl1OQh4m6weozuI8Y98/DHLMxEujKAmRzy+zMHYlIl3WgSih1UMOZ7U84yVZQwXQkLItcw
 XoihChKD5D2BKnZYEOLM+7f9DuJuWhXpee80aNPzEaubBYQ7dYt8rcmB7SdRz/yZq3lALOrF
 /zb6SRleBh0DiBLP/jKUV74UAYV3OYEDHN9blvhWUEFFE0Z+j96M4/kuRdxvbDmp04Nfx79A
 mJEnfv1Vvc9CFiWVbBrNPKomIN+JV7a7m2lhbfhlLpUk0zGFDTWcWejl4qz/pCYSoIUU4r/V
 BsCVZrOun4vd4cSi/yYJRY4kaAJGCL5k7qhflL2tgldUs+wERH8ZCzimWVDBzHTBojz0Ff3w
 2+gY6FUbAJBrBZANkymPpdAB/lTsl8D2ZRWyy90f4VVc8LB/QIWY/GiS2towRXQBjHOfkUB1
 JiEXYH/i93k71mCaKfzKGXTVxObU2I441w7r4vtNlu0sADRHCMUqHmkpkjV1YbnYPvBPFrDB
 S1V9OfD9SutXeDjJYe3N+WaLRp3T3x7fYVnkfjQIjDSOdyPWlTzqQv0I3YlUk7KjFrh1rxtr
 poYSIQKf5HuMowUNtjyiK2VhA5V2XDqd+ZUT3RqfAPf3Y5HjkhKJRqoIDggUKMUKmXaxCkPG
 i91ThhqBJlyU6MVUa6vZNv8E
Message-ID: <fc14368c-bf00-1e55-5b0e-eb50a848c952@synopsys.com>
Date:   Fri, 9 Nov 2018 09:32:12 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <20181107121249.6657-1-Eugeniy.Paltsev@synopsys.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.10.161.72]
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/7/18 4:12 AM, Eugeniy Paltsev wrote:
> Commit 15773ae938d8 ("signal/arc: Use force_sig_fault where
> appropriate") adds undefined behaviour and kernel resource leak
> to userspace in ARC do_page_fault() implementation.
> 
> This happens because we don't initialize si_code variable after we
> switch to force_sig_fault using. si_code (as a part of siginfo_t
> structure) was previously initialized by clear_siginfo(&info) call
> which was removed.
> 
> Undefined behaviour path:
> -------------------->8---------------------------
> }}} a/arch/arc/mm/fault.c
> !! -67,6 +67,7 @@ void do_page_fault(unsigned long address, struct pt_regs *regs)
>         struct task_struct *tsk = current;
>         struct mm_struct *mm = tsk->mm;
> +       /// >>> si_code - uninitialized
>         int si_code;
>         int ret;
>         vm_fault_t fault;
>         int write = regs->ecr_cause & ECR_C_PROTV_STORE;  /* ST/EX */
> !! -81,8 +82,10 @@ void do_page_fault(unsigned long address, struct pt_regs *regs)
>          * only copy the information from the master page table,
>          * nothing more.
>          */
> +       /// >>> take true branch
>         if (address >= VMALLOC_START) {
>                 ret = handle_kernel_vaddr_fault(address);
> +               /// >>> take true branch
>                 if (unlikely(ret))

While the fix is legit, are you sure this code path was taken. VMALLOC_START is
memory for kernel modules and/or vmalloc. So the fault was induced in kernel space
in which case user_mode)r) will not be true.


> +                       /// >>> jump to label "bad_area_nosemaphore"
>                         goto bad_area_nosemaphore;
>                 else
> !! -193,10 +196,13 @@ void do_page_fault(unsigned long address, struct pt_regs *regs)
>  bad_area:
>         up_read(&mm->mmap_sem);
> 
> +       /// >>> reach label "bad_area_nosemaphore"
>  bad_area_nosemaphore:
>         /* User mode accesses just cause a SIGSEGV */
> +       /// >>> take true branch
>         if (user_mode(regs)) {
>                 tsk->thread.fault_address = address;
> +               /// >>> Ooops:
> +               /// >>> use uninitialized value "si_code"
> +               /// >>> when calling "force_sig_fault"
>                 force_sig_fault(SIGSEGV, si_code, (void __user *)address, tsk);
>                 return;
>         }
> -------------------->8---------------------------
> 
> Fixes: 15773ae938d8 ("signal/arc: Use force_sig_fault where appropriate")
> Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>

Added to for-curr after trimming the changelog

Thx,
-Vineet