From: Ard Biesheuvel <ardb+git@google.com>
To: linux-arm-kernel@lists.infradead.org
Cc: Ard Biesheuvel <ardb@kernel.org>,
Kees Cook <keescook@chromium.org>,
Russell King <rmk+kernel@armlinux.org.uk>,
Mark Brown <broonie@kernel.org>,
Zhen Lei <thunder.leizhen@huawei.com>,
Linus Walleij <linus.walleij@linaro.org>
Subject: [PATCH] ARM: mm: Disregard user space addresses in BUG() address check
Date: Wed, 17 Jan 2024 16:07:34 +0100
Message-ID: <20240117150733.2608655-2-ardb+git@google.com>
From: Ard Biesheuvel <ardb@kernel.org>
is_valid_bugaddr() dereferences the faulting PC to fetch the instruction
that triggered the fault, to decide whether it is a BRK instruction used
to force an exception. This is used by the BUG() infrastructure to keep
the handling logic (which should never execute) separate from the code
that normally runs.

This dereference may attempt to access user memory if the faulting PC
happens to contain a user address. One way this might happen is when
the kernel is tricked into executing from user space while PAN
protections (Privileged Access Never) are in effect: the instruction
fetch will trigger a prefetch abort, the handling of which involves a
check whether the instruction that caused it is a BRK, requiring a
load from the same address. This load is privileged too, and so it will
trigger another exception, which we fail to recover from.

Given that BRK instructions tied to BUG() handling can only appear in
kernel code, let's check first that the PC actually points into kernel
memory.
Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <rmk+kernel@armlinux.org.uk>
Cc: Mark Brown <broonie@kernel.org>
Cc: Zhen Lei <thunder.leizhen@huawei.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Link: https://lkml.kernel.org/r/202401111544.18EBB6AA%40keescook
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/arm/kernel/traps.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 3bad79db5d6e..f342bd6b2a5d 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -402,6 +402,9 @@ int is_valid_bugaddr(unsigned long pc)
u32 insn = __opcode_to_mem_arm(BUG_INSTR_VALUE);
#endif
+ if (pc < TASK_SIZE)
+ return 0;
+
if (get_kernel_nofault(bkpt, (void *)pc))
return 0;
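Review bot: the new `if (pc < TASK_SIZE) return 0;` carries no comment, and the reason it exists (a user-space PC under PAN faults again on the `get_kernel_nofault()` load below, as the commit message explains) is not obvious from the code alone; suggest a short comment above it along the lines of `/* BUG() BRK instructions only exist in kernel text; a user PC would fault again on the load below under PAN */`. It is also worth confirming in the changelog that TASK_SIZE is the intended user/kernel boundary for every ARM configuration this file builds for, since the commit message frames the check as "points into kernel memory" while the code only tests "is not below TASK_SIZE".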
--
2.43.0.381.gb435a96ce8-goog