From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexandru Elisei, Marc Zyngier, Catalin Marinas, Sasha Levin
Subject: [PATCH 5.18 119/879] arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall
Date: Tue, 7 Jun 2022 18:53:57 +0200
Message-Id: <20220607165006.156133667@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Alexandru Elisei

[ Upstream commit 3fed9e551417b84038b15117732ea4505eee386b ]

If a compat process tries to execute an unknown system call above the
__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the
offending process. Information about the error is printed to dmesg in
compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() ->
arm64_show_signal().

arm64_show_signal() interprets a non-zero value for current->thread.fault_code
as an exception syndrome and displays the message associated with the
ESR_ELx.EC field (bits 31:26). current->thread.fault_code is set in
compat_arm_syscall() -> arm64_notify_die() with the bad syscall number instead
of a valid ESR_ELx value. This means that the ESR_ELx.EC field has the value
that the user set for the syscall number and the kernel can end up printing
bogus exception messages*. For example, for the syscall number 0x68000000,
which evaluates to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel
prints this error:

[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]
[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79
[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]

which is misleading, as the bad compat syscall has nothing to do with pointer
authentication.

Stop arm64_show_signal() from printing exception syndrome information by having
compat_arm_syscall() set the ESR_ELx value to 0, as it has no meaning for an
invalid system call number. The example above now becomes:

[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]
[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80
[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]
which, although it shows less information because the syscall number,
wrongfully advertised as the ESR value, is missing, is better than showing
plainly wrong information. The syscall number can be easily obtained with
strace.

*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative
integer in compat_arm_syscall() and the condition scno < __ARM_NR_COMPAT_END
evaluates to true; the syscall will exit to userspace in this case with the
ENOSYS error code instead of arm64_notify_die() being called.

Signed-off-by: Alexandru Elisei
Reviewed-by: Marc Zyngier
Link: https://lore.kernel.org/r/20220425114444.368693-3-alexandru.elisei@arm.com
Signed-off-by: Catalin Marinas
Signed-off-by: Sasha Levin
---
 arch/arm64/kernel/sys_compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/sys_compat.c b/arch/arm64/kernel/sys_compat.c index 12c6864e51e1..df14336c3a29 100644 --- a/arch/arm64/kernel/sys_compat.c +++ b/arch/arm64/kernel/sys_compat.c @@ -113,6 +113,6 @@ long compat_arm_syscall(struct pt_regs *regs, int scno) addr = instruction_pointer(regs) - (compat_thumb_mode(regs) ? 2 : 4); arm64_notify_die("Oops - bad compat syscall(2)", regs, - SIGILL, ILL_ILLTRP, addr, scno); + SIGILL, ILL_ILLTRP, addr, 0); return 0; } -- 2.35.1
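Review bot: the arm64_notify_die() call in the hunk now passes a bare literal 0 as the ESR argument with nothing at the call site saying why, and the one value that used to sit in that slot, the syscall number, disappears from the dmesg line entirely. Add a one-line comment above the call, e.g. `/* No ESR_ELx for a bad syscall number; 0 keeps arm64_show_signal() from decoding it */`, so a later reader does not put `scno` back, and consider carrying the bad number in the "Oops - bad compat syscall(2)" text itself, since strace is the only remaining way to recover it, as the commit message notes.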
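To see the mechanism behind the bogus message without an arm64 board, the following is an added example written by the editor; it is not kernel code and not part of the patch. It is a user-space C model of three things the commit message describes: extracting ESR_ELx.EC from bits 31:26, the signed compare against __ARM_NR_COMPAT_END from the footnote (so 0x80000000 goes to -ENOSYS while 0x68000000 reaches the SIGILL path), and arm64_show_signal()'s decoding of a non-zero fault_code, run with the pre-patch value (the syscall number) and the post-patch value (0). MODEL_ARM_NR_COMPAT_END (assumed to be 0x0f0800), the EC name table, and every function name below are the editor's assumptions; the string for EC 0x1A is the one that appears in the dmesg line quoted above.

```c
/*
 * Added example (editor's code, not from the kernel or the patch): a
 * user-space model of the behaviour described in the commit message.
 *
 * Assumptions (not from the page):
 *  - MODEL_ARM_NR_COMPAT_END stands in for __ARM_NR_COMPAT_END and is set
 *    to 0x0f0800 (__ARM_NR_COMPAT_BASE + 0x800 on arm64, to the best of
 *    the editor's knowledge);
 *  - ec_name() is a small hand-picked subset of arm64 ESR_ELx_EC_* names;
 *    the string for EC 0x1A matches the dmesg line in the commit message.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_ARM_NR_COMPAT_END 0x0f0800 /* assumption, see above */

enum compat_result { COMPAT_ENOSYS, COMPAT_BAD_SYSCALL };

/* ESR_ELx.EC is bits [31:26] of the syndrome register. */
static unsigned esr_ec(uint32_t esr)
{
	return (esr >> 26) & 0x3f;
}

/* Subset of arm64 exception-class names, keyed by EC. */
static const char *ec_name(unsigned ec)
{
	switch (ec) {
	case 0x00: return "Unknown/Uncategorized";
	case 0x11: return "SVC (AArch32)";
	case 0x15: return "SVC (AArch64)";
	case 0x1A: return "ERET/ERETAA/ERETAB";
	case 0x20: return "IABT (lower EL)";
	case 0x24: return "DABT (lower EL)";
	case 0x3C: return "BRK (AArch64)";
	default:   return "<other EC>";
	}
}

/*
 * The default branch of compat_arm_syscall(): a signed compare against
 * __ARM_NR_COMPAT_END, as the commit message's footnote describes. A
 * 32-bit value >= 0x8000_0000 is negative here and takes the -ENOSYS path;
 * anything else above the limit falls through to arm64_notify_die().
 */
static enum compat_result classify_compat_scno(int scno)
{
	if (scno < MODEL_ARM_NR_COMPAT_END)
		return COMPAT_ENOSYS;
	return COMPAT_BAD_SYSCALL;
}

/* What reaches current->thread.fault_code for a bad syscall, before/after the patch. */
static uint32_t fault_code_before_fix(int scno) { return (uint32_t)scno; }
static uint32_t fault_code_after_fix(int scno)  { (void)scno; return 0; }

/*
 * Model of arm64_show_signal(): a non-zero fault_code is treated as an
 * ESR_ELx value and the name of its EC is printed before the description.
 */
static int format_signal_message(uint32_t fault_code, const char *desc,
				 char *buf, size_t len)
{
	if (fault_code)
		return snprintf(buf, len, "unhandled exception: %s, ESR 0x%08x, %s",
				ec_name(esr_ec(fault_code)), (unsigned)fault_code, desc);
	return snprintf(buf, len, "unhandled exception: %s", desc);
}

/* The dmesg text for a bad compat syscall number, with the old (fixed == 0) or new fault_code. */
static const char *bad_syscall_message(int scno, int fixed)
{
	static char buf[160];
	uint32_t fc = fixed ? fault_code_after_fix(scno) : fault_code_before_fix(scno);

	format_signal_message(fc, "Oops - bad compat syscall(2)", buf, sizeof buf);
	return buf;
}

int main(void)
{
	const int scno = 0x68000000; /* the number used in the commit message */

	if (classify_compat_scno(scno) != COMPAT_BAD_SYSCALL)
		return 1;
	printf("before: %s\n", bad_syscall_message(scno, 0));
	printf("after:  %s\n", bad_syscall_message(scno, 1));
	printf("0x80000000 -> %s\n",
	       classify_compat_scno((int)0x80000000u) == COMPAT_ENOSYS ? "-ENOSYS" : "SIGILL");
	return 0;
}
```

The "before" line reproduces the misleading ERET/ERETAA/ERETAB prefix because the user-chosen number 0x68000000 happens to have 0x1A in bits 31:26; the "after" line shows why passing 0 silences the decoder but also drops the number from the log.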