From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Oleg Nesterov, Thomas Gleixner, Borislav Petkov, Sasha Levin
Subject: [PATCH 5.9 067/152] x86/dumpstack: Do not try to access user space code of other tasks
Date: Tue, 1 Dec 2020 09:53:02 +0100
Message-Id: <20201201084720.710439341@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201201084711.707195422@linuxfoundation.org>
References: <20201201084711.707195422@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Thomas Gleixner

[ Upstream commit 860aaabac8235cfde10fe556aa82abbbe3117888 ]

sysrq-t ends up invoking show_opcodes() for each task, which tries to
access the user space code of other processes, which is obviously
bogus.

It either manages to dump where the foreign task's regs->ip points to
in a valid mapping of the current task or triggers a pagefault and
prints "Code: Bad RIP value.". Both are just wrong.

Add a safeguard in copy_code() and check whether the @regs pointer
matches current's pt_regs. If not, do not even try to access it.

While at it, add commentary on why using copy_from_user_nmi() is safe
in copy_code() even if the function name suggests otherwise.

Reported-by: Oleg Nesterov
Signed-off-by: Thomas Gleixner
Signed-off-by: Borislav Petkov
Reviewed-by: Borislav Petkov
Acked-by: Oleg Nesterov
Tested-by: Borislav Petkov
Link: https://lkml.kernel.org/r/20201117202753.667274723@linutronix.de
Signed-off-by: Sasha Levin
---
 arch/x86/kernel/dumpstack.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index ea8d51ec251bb..4da8345d34bb0 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -77,6 +77,9 @@ static int copy_code(struct pt_regs *regs, u8 *buf, unsigned long src, if (!user_mode(regs)) return copy_from_kernel_nofault(buf, (u8 *)src, nbytes); + /* The user space code from other tasks cannot be accessed. */ + if (regs != task_pt_regs(current)) + return -EPERM; /* * Make sure userspace isn't trying to trick us into dumping kernel * memory by pointing the userspace instruction pointer at it. @@ -84,6 +87,12 @@ static int copy_code(struct pt_regs *regs, u8 *buf, unsigned long src, if (__chk_range_not_ok(src, nbytes, TASK_SIZE_MAX)) return -EINVAL; + /* + * Even if named copy_from_user_nmi() this can be invoked from + * other contexts and will not try to resolve a pagefault, which is + * the correct thing to do here as this code can be called from any + * context. + */ return copy_from_user_nmi(buf, (void __user *)src, nbytes); } @@ -114,13 +123,19 @@ void show_opcodes(struct pt_regs *regs, const char *loglvl) u8 opcodes[OPCODE_BUFSIZE]; unsigned long prologue = regs->ip - PROLOGUE_SIZE; - if (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { - printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", - loglvl, prologue); - } else { + switch (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { + case 0: printk("%sCode: %" __stringify(PROLOGUE_SIZE) "ph <%02x> %" __stringify(EPILOGUE_SIZE) "ph\n", loglvl, opcodes, opcodes[PROLOGUE_SIZE], opcodes + PROLOGUE_SIZE + 1); + break; + case -EPERM: + /* No access to the user space stack of other tasks. Ignore. */ + break; + default: + printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", + loglvl, prologue); + break; } } -- 2.27.0
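Review bot: the new guard in the first hunk of copy_code(), `if (regs != task_pt_regs(current))`, is a pointer-identity test, so any caller that passes a copy of current's registers rather than the task's own pt_regs slot will now get -EPERM and silently lose its Code: line; the comment `/* The user space code from other tasks cannot be accessed. */` should say that only the real pt_regs of current are accepted, and why (a foreign task's user mappings are not current's mm, so its regs->ip is meaningless here). The placement after the `!user_mode(regs)` early return is correct: kernel-mode regs of another task still go through copy_from_kernel_nofault(), which is fine because kernel text is shared, but that too is worth a sentence in the comment so the asymmetry does not look accidental.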
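Review bot: the second hunk of copy_code() leaves the function with a mixed return convention: the -EPERM and -EINVAL paths and copy_from_kernel_nofault() return a negative errno, while the final `return copy_from_user_nmi(buf, (void __user *)src, nbytes);` returns the number of bytes that could not be copied, a non-negative count. The new switch in show_opcodes() tolerates this only because everything other than 0 and -EPERM falls into `default:`; either state that in the new comment block, or normalize the last line to `return copy_from_user_nmi(buf, (void __user *)src, nbytes) ? -EFAULT : 0;` so callers see a single errno convention. The comment's point that copy_from_user_nmi() "will not try to resolve a pagefault" is the important one and should also say what the caller then sees: a non-resident page of current's own code yields the generic "Unable to access opcode bytes" message rather than a fault.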
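Review bot: in the show_opcodes() hunk the `-EPERM` arm is commented `/* No access to the user space stack of other tasks. Ignore. */`, but what is read here is the code window around regs->ip, and the matching check in copy_code() is documented as "user space code from other tasks"; change "stack" to "code" so the two comments agree. Also note that `-EINVAL` (a user RIP whose window is not wholly below TASK_SIZE_MAX) falls through to `default:` and prints the same "Unable to access opcode bytes at RIP" message as a genuinely unmapped page; if distinguishing a bogus RIP from a non-resident page matters when reading an oops, give -EINVAL its own message instead of sharing the default.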
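The two guards copy_code() applies to user-mode regs are easy to get wrong in the arithmetic, so here is a user-space C model of them. This is an added example, not the kernel's code and not part of the patch above: task_pt_regs() has no user-space equivalent, so task identity is modelled with an owner id, the window sizes PROLOGUE_SIZE = 42 and OPCODE_BUFSIZE = 64 and TASK_SIZE_MAX = 2^47 - 4096 (x86-64, 4-level paging) are assumed values, and range_not_ok() mirrors the overflow-safe shape of the kernel's __chk_range_not_ok() rather than being it. No memory is read; the point is the classification of src = regs->ip - PROLOGUE_SIZE, including the wraparound when ip is smaller than 42.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants (x86-64, 4-level paging; dumpstack.c window sizes). */
#define PAGE_SIZE      4096UL
#define TASK_SIZE_MAX  ((1UL << 47) - PAGE_SIZE)
#define PROLOGUE_SIZE  42UL
#define OPCODE_BUFSIZE 64UL

/*
 * Model of __chk_range_not_ok(): returns true when [addr, addr + size) is
 * NOT wholly below limit. The sum is checked for wraparound before it is
 * compared, otherwise an addr near the top of the address space would
 * wrap to a small "end" and pass.
 */
static bool range_not_ok(unsigned long addr, unsigned long size, unsigned long limit)
{
	unsigned long end = addr + size;

	if (end < size)		/* addr + size wrapped past 2^64 */
		return true;
	return end > limit;
}

/* Stand-in for struct pt_regs; owner_id models "which task's pt_regs". */
struct fake_regs {
	int owner_id;
	bool user_mode;
	unsigned long ip;
};

/*
 * Model of copy_code() after the patch, return values only:
 *   0       kernel-mode regs (kernel text is shared) or a valid user window
 *  -EPERM   user-mode regs that are not current's own pt_regs
 *  -EINVAL  user window not wholly below TASK_SIZE_MAX
 */
static int model_copy_code(const struct fake_regs *regs, int current_id,
			   unsigned long src, unsigned long nbytes)
{
	if (!regs->user_mode)
		return 0;
	if (regs->owner_id != current_id)
		return -EPERM;
	if (range_not_ok(src, nbytes, TASK_SIZE_MAX))
		return -EINVAL;
	return 0;
}

/* Model of show_opcodes(): same unsigned arithmetic for the window start. */
static int model_show_opcodes(const struct fake_regs *regs, int current_id)
{
	unsigned long prologue = regs->ip - PROLOGUE_SIZE;

	return model_copy_code(regs, current_id, prologue, OPCODE_BUFSIZE);
}

/* Convenience wrapper: build the fake regs and classify in one call. */
static int classify(int owner_id, bool user_mode, unsigned long ip, int current_id)
{
	struct fake_regs regs = { owner_id, user_mode, ip };

	return model_show_opcodes(&regs, current_id);
}

int main(void)
{
	/* Constructed cases: current is task 1. */
	printf("own user code at 0x401000      -> %d\n", classify(1, true, 0x401000UL, 1));
	printf("task 2's user code, seen by 1  -> %d\n", classify(2, true, 0x401000UL, 1));
	printf("task 2 in kernel mode          -> %d\n", classify(2, false, 0xffffffff81000000UL, 1));
	printf("user RIP == 0 (jump to NULL)   -> %d\n", classify(1, true, 0UL, 1));
	printf("user RIP pointing at kernel    -> %d\n", classify(1, true, 0xffffffff81000000UL, 1));
	printf("window crossing TASK_SIZE_MAX  -> %d\n", classify(1, true, TASK_SIZE_MAX - 21UL, 1));
	return 0;
}
```

The RIP == 0 case is the one worth remembering: regs->ip - PROLOGUE_SIZE wraps to 0xffffffffffffffd6, which without the wraparound test would be handed to copy_from_user_nmi() as a "user" address in the kernel half; the range check rejects it before any access is attempted.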