From: tip-bot for Andy Lutomirski <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: luto@kernel.org, tglx@linutronix.de, yu-cheng.yu@intel.com,
dvlasenk@redhat.com, peterz@infradead.org, riel@surriel.com,
brgerst@gmail.com, hpa@zytor.com, mingo@kernel.org,
luto@amacapital.net, dave.hansen@linux.intel.com,
linux-kernel@vger.kernel.org, bp@alien8.de,
torvalds@linux-foundation.org
Subject: [tip:x86/mm] x86/fault: Make error_code sanitization more robust
Date: Tue, 20 Nov 2018 00:17:24 -0800
Message-ID: <tip-e49d3cbef0176c182b86206185f137a87f16ab91@git.kernel.org>
In-Reply-To: <b31159bd55bd0c4fa061a20dfd6c429c094bebaa.1542667307.git.luto@kernel.org>
Commit-ID: e49d3cbef0176c182b86206185f137a87f16ab91
Gitweb: https://git.kernel.org/tip/e49d3cbef0176c182b86206185f137a87f16ab91
Author: Andy Lutomirski <luto@kernel.org>
AuthorDate: Mon, 19 Nov 2018 14:45:31 -0800
Committer: Ingo Molnar <mingo@kernel.org>
CommitDate: Tue, 20 Nov 2018 08:44:29 +0100
x86/fault: Make error_code sanitization more robust

The error code in a page fault on a kernel address indicates
whether that address is mapped, which should not be revealed in a signal.
The normal code path for a page fault on a kernel address sanitizes the bit,
but the paths for vsyscall emulation and SIGBUS do not. Both are
harmless, but for subtle reasons. SIGBUS is never sent for a kernel
address, and vsyscall emulation will never fault on a kernel address
per se because it will fail an access_ok() check instead.

Make the code more robust by adding a helper that sets the relevant
fields and sanitizing the error code in the helper. This also
cleans up the code -- we had three copies of roughly the same thing.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Yu-cheng Yu <yu-cheng.yu@intel.com>
Link: http://lkml.kernel.org/r/b31159bd55bd0c4fa061a20dfd6c429c094bebaa.1542667307.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/mm/fault.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 3c9aed03d18e..b5ec1ca2f4a0 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -631,6 +631,24 @@ pgtable_bad(struct pt_regs *regs, unsigned long error_code,
oops_end(flags, regs, sig);
}
+static void set_signal_archinfo(unsigned long address,
+ unsigned long error_code)
+{
+ struct task_struct *tsk = current;
+
+ /*
+ * To avoid leaking information about the kernel page
+ * table layout, pretend that user-mode accesses to
+ * kernel addresses are always protection faults.
+ */
+ if (address >= TASK_SIZE_MAX)
+ error_code |= X86_PF_PROT;
+
+ tsk->thread.trap_nr = X86_TRAP_PF;
+ tsk->thread.error_code = error_code | X86_PF_USER;
+ tsk->thread.cr2 = address;
+}
+
static noinline void
no_context(struct pt_regs *regs, unsigned long error_code,
unsigned long address, int signal, int si_code)
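Review bot: set_signal_archinfo() keys the X86_PF_PROT sanitization on the address alone and ORs X86_PF_USER in unconditionally, with no user_mode(regs) check, so it is only correct when every caller reaches it on a path that ends in a signal to user mode; the comment says "user-mode accesses" but the helper cannot verify that. Spell the precondition out in the comment block ("callers must only use this when a signal is about to be sent to user mode, so X86_PF_USER is always right here"), or take regs and check user_mode(regs) so a future kernel-mode caller is caught rather than silently recording a user-mode fault.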
@@ -656,9 +674,7 @@ no_context(struct pt_regs *regs, unsigned long error_code,
* faulting through the emulate_vsyscall() logic.
*/
if (current->thread.sig_on_uaccess_err && signal) {
- tsk->thread.trap_nr = X86_TRAP_PF;
- tsk->thread.error_code = error_code | X86_PF_USER;
- tsk->thread.cr2 = address;
+ set_signal_archinfo(address, error_code);
/* XXX: hwpoison faults will set the wrong code. */
force_sig_fault(signal, si_code, (void __user *)address,
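Review bot: the only behavioural change in this hunk is the new X86_PF_PROT masking for address >= TASK_SIZE_MAX, since the removed lines already ORed X86_PF_USER. The description says that case cannot be reached here because access_ok() rejects kernel addresses before emulate_vsyscall() can fault on them, but that reasoning lives only in the commit message; consider adding a sentence to the comment block ending "faulting through the emulate_vsyscall() logic" so a reader of this call site knows the sanitization is defensive rather than load-bearing.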
@@ -821,9 +837,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
if (likely(show_unhandled_signals))
show_signal_msg(regs, error_code, address, tsk);
- tsk->thread.cr2 = address;
- tsk->thread.error_code = error_code;
- tsk->thread.trap_nr = X86_TRAP_PF;
+ set_signal_archinfo(address, error_code);
if (si_code == SEGV_PKUERR)
force_sig_pkuerr((void __user *)address, pkey);
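Review bot: the removed lines stored error_code exactly as passed in, whereas set_signal_archinfo() records error_code | X86_PF_USER (and possibly X86_PF_PROT), so thread.error_code can now differ from the value show_signal_msg() printed on the context line just above whenever the caller's error_code lacked X86_PF_USER. If that is intended because this path only runs for user-mode faults, say so in the description; otherwise apply the same sanitization before the show_signal_msg() call so the logged and recorded codes agree.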
@@ -937,9 +951,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
if (is_prefetch(regs, error_code, address))
return;
- tsk->thread.cr2 = address;
- tsk->thread.error_code = error_code;
- tsk->thread.trap_nr = X86_TRAP_PF;
+ set_signal_archinfo(address, error_code);
#ifdef CONFIG_MEMORY_FAILURE
if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {