Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp893036pxb;
        Wed, 6 Apr 2022 03:28:04 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwZvGdU4wIZefF5rnQCereQBNDZfAosDDbx5r232dajNtvfUY5VpxWREayDVpA3/2Z5VxxT
X-Received: by 2002:a63:5522:0:b0:398:f8a1:c8bd with SMTP id j34-20020a635522000000b00398f8a1c8bdmr6481746pgb.118.1649240884594;
        Wed, 06 Apr 2022 03:28:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649240884; cv=none;
        d=google.com; s=arc-20160816;
        b=jVtjJQOO9soXzw89LV17wi9OClAIKP5ykCLznwU6yU+pG70lrkIdiRGfkm5+jNMhHl
         QnieN3vYZ5mb2NEPgkLUlUrGFXUPIIu4mrQnP5UbKjZx88RceDzO1s2/cgxag+SV405Q
         tTJKEW+UvMoum292Y7AfMZVpImfvuFKlZKQsReMPLlyvKF7IvO05r6J2N9OWIK9nrbC7
         650q/kvtDw0BPXM9iU3ejbctQyzTkWjfFzlzgHMY8MOsYyboGgkgRpdJz7yDJp76EbFM
         uXoBfF1StCLh1kYyYnyN+uIvzjxURpQTIWanR4tokkM3+mR4bQhv8zxy0GkOvSTqrBqa
         55WA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=7ttKqKizvpzmbmGSxxXZ20bC0AhU8hWlpsx6M/4REUU=;
        b=RJi5ddwhfZPnuRh0r572pvHzV5TXdq1bWiDjvXoTZBm3zYm2276D7/Fr+E8nXXc+r/
         r9Pw3aciG/3baNefaSDIdgwEmOqIkwm+JItXJpD+oHm0wolr9L5bCMe6izDDG6pyiUCz
         TIwLZHaEnGMFnj0GF7lPZVXEVEtekqRFvsVeu4CMTZ8yS2HO1jtyOb9CjJTfdhnpGxTy
         2AIO3s7Oo8V8ZJ5PgIsvzA+kMWtoQjMt9gcLJRGyAunm6oWui7ef6GB4YDhqIkW7V+57
         gJdAJ3+Fy1X9LuuKuyiuMACcxENSBTlEkpOB93vYKMM8x52B4KvkH48KwfunZaA1vH9t
         4ANw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=hwx3qXTW;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id e16-20020a170902ef5000b00153b2d16535si14819699plx.317.2022.04.06.03.28.04
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 06 Apr 2022 03:28:04 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=hwx3qXTW;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id B5F734C169E;
	Wed,  6 Apr 2022 01:50:12 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1389325AbiDEV7S (ORCPT <rfc822;02joepater06@gmail.com>
        + 99 others); Tue, 5 Apr 2022 17:59:18 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54238 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1349554AbiDEJuP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Apr 2022 05:50:15 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CDA389B;
        Tue,  5 Apr 2022 02:48:17 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 8C220B818F3;
        Tue,  5 Apr 2022 09:48:16 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 05763C385A2;
        Tue,  5 Apr 2022 09:48:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1649152095;
        bh=xc5tT771KBxay9UwO9nhcapUuxOWzNj8GgPN+OHumyg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=hwx3qXTWwKb04BYfesn1bHmSSwkxxs/KYdGmuC0r94HDY87Of9VY9ucpsXJKslpf1
         EmHwOh8mepmkWiVRQrBbPdkZ1oLZasmmlV5UhrxSpTovCA7KS0vr7bwc8msQ5Sfl5q
         2FFlcSA3ezPC6WfFqFI/1RXFSc4NscUnyxpDOBe4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Daniel Thompson <daniel.thompson@linaro.org>,
        Douglas Anderson <dianders@chromium.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 652/913] kdb: Fix the putarea helper function
Date:   Tue,  5 Apr 2022 09:28:34 +0200
Message-Id: <20220405070359.382969619@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220405070339.801210740@linuxfoundation.org>
References: <20220405070339.801210740@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Thompson <daniel.thompson@linaro.org>

[ Upstream commit c1cb81429df462eca1b6ba615cddd21dd3103c46 ]

Currently kdb_putarea_size() uses copy_from_kernel_nofault() to write *to*
arbitrary kernel memory. This is obviously wrong and means the memory
modify ('mm') command is a serious risk to debugger stability: if we poke
to a bad address we'll double-fault and lose our debug session.

Fix this the (very) obvious way.

Note that there are two Fixes: tags because the API was renamed and this
patch will only trivially backport as far as the rename (and this is
probably enough). Nevertheless Christoph's rename did not introduce this
problem so I wanted to record that!

Fixes: fe557319aa06 ("maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault")
Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)")
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20220128144055.207267-1-daniel.thompson@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/debug/kdb/kdb_support.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/debug/kdb/kdb_support.c b/kernel/debug/kdb/kdb_support.c
index df2bface866e..85cb51c4a17e 100644
--- a/kernel/debug/kdb/kdb_support.c
+++ b/kernel/debug/kdb/kdb_support.c
@@ -291,7 +291,7 @@ int kdb_getarea_size(void *res, unsigned long addr, size_t size)
  */
 int kdb_putarea_size(unsigned long addr, void *res, size_t size)
 {
-	int ret = copy_from_kernel_nofault((char *)addr, (char *)res, size);
+	int ret = copy_to_kernel_nofault((char *)addr, (char *)res, size);
 	if (ret) {
 		if (!KDB_STATE(SUPPRESS)) {
 			kdb_func_printf("Bad address 0x%lx\n", addr);
-- 
2.34.1