From: Paul Burton
To: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Paul Burton, stable@vger.kernel.org
Subject: [PATCH] MIPS: Use __copy_{to,from}_user() for emulated FP loads/stores
Date: Tue, 3 Dec 2019 12:49:33 -0800
Message-Id: <20191203204933.1642259-1-paulburton@kernel.org>

Our FPU emulator currently uses __get_user() & __put_user() to perform emulated loads & stores. This is problematic because __get_user() & __put_user() are only suitable for naturally aligned memory accesses, and the address we're accessing is entirely under the control of userland.

This allows userland to cause a kernel panic by simply performing an unaligned floating point load or store - the kernel will handle the address error exception by attempting to emulate the instruction, and in the process it may generate another address error exception itself. This time the exception is taken with EPC pointing at the kernel's FPU emulation code, and we hit a die_if_kernel() in emulate_load_store_insn().

Fix this up by using __copy_from_user() instead of __get_user() and __copy_to_user() instead of __put_user(). These replacements will handle arbitrary alignment without problems.

Signed-off-by: Paul Burton
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: # v2.6.12+

--- arch/mips/math-emu/cp1emu.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c index 710e1f804a54..d2009b4b5209 100644 --- a/arch/mips/math-emu/cp1emu.c +++ b/arch/mips/math-emu/cp1emu.c 
@@ -1056,7 +1056,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = dva; return SIGBUS; } - if (__get_user(dval, dva)) { + if (__copy_from_user(&dval, dva, sizeof(u64))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = dva; return SIGSEGV; @@ -1074,7 +1074,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = dva; return SIGBUS; } - if (__put_user(dval, dva)) { + if (__copy_to_user(dva, &dval, sizeof(u64))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = dva; return SIGSEGV; @@ -1090,7 +1090,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = wva; return SIGBUS; } - if (__get_user(wval, wva)) { + if (__copy_from_user(&wval, wva, sizeof(u32))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = wva; return SIGSEGV; @@ -1108,7 +1108,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = wva; return SIGBUS; } - if (__put_user(wval, wva)) { + if (__copy_to_user(wva, &wval, sizeof(u32))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = wva; return SIGSEGV; @@ -1486,7 +1486,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = va; return SIGBUS; } - if (__get_user(val, va)) { + if (__copy_from_user(&val, va, sizeof(u32))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = va; return SIGSEGV; @@ -1506,7 +1506,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = va; return SIGBUS; } - if (put_user(val, va)) { + if (__copy_to_user(va, &val, sizeof(u32))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = va; return SIGSEGV; @@ -1583,7 +1583,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = va; return SIGBUS; } - if (__get_user(val, va)) { + if (__copy_from_user(&val, va, sizeof(u64))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = va; return SIGSEGV; 
@@ -1602,7 +1602,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx, *fault_addr = va; return SIGBUS; } - if (__put_user(val, va)) { + if (__copy_to_user(va, &val, sizeof(u64))) { MIPS_FPU_EMU_INC_STATS(errors); *fault_addr = va; return SIGSEGV; -- 2.24.0
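
Review bot: in the hunk at -1506 the removed line is `put_user(val, va)`, not `__put_user()`, so this is the one site where the replacement also drops the access_ok() range check that put_user() performs internally. The context above it (`*fault_addr = va; return SIGBUS;`) looks like the body of an explicit range check, but the condition itself is not in the hunk; please confirm that check covers `va` for the full `sizeof(u32)` before `__copy_to_user()` runs, and mention this site in the commit message, which currently describes only `__put_user()` conversions.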
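
Review bot: in the hunk at -1074 (and likewise the stores at -1108, -1506 and -1602), `__copy_to_user()` reports failure as a count of bytes it could not copy, so an unaligned store that straddles a page boundary can write its leading bytes and then fault on the second page. The caller then returns SIGSEGV with `*fault_addr = dva`, which leaves a partially written value in user memory and reports the start of the access rather than the byte that faulted. If that is acceptable for an emulated store, a sentence in the commit message saying so would help; otherwise the fault address should be derived from the returned count.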
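
Review bot: in the hunk at -1056 (same pattern in every other hunk), the copy length is written as a type, `sizeof(u64)`, instead of being taken from the object being copied, so the length and the variable can drift apart if the declaration of `dval` ever changes. `__copy_from_user(&dval, dva, sizeof(dval))` ties the two together, and the same goes for `wval` and `val` in the later hunks. The declarations are not visible in these lines, so it is also worth confirming each variable is exactly as wide as the type named in its `sizeof`.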