From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, John David Anglin, Helge Deller
Subject: [PATCH 6.12 094/322] parisc: Revise __get_user() to probe user read access
Date: Tue, 26 Aug 2025 13:08:29 +0200
Message-ID: <20250826110917.997549795@linuxfoundation.org>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20250826110915.169062587@linuxfoundation.org>
References: <20250826110915.169062587@linuxfoundation.org>
User-Agent: quilt/0.68
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.12-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John David Anglin

commit 89f686a0fb6e473a876a9a60a13aec67a62b9a7e upstream.

Because of the way read access support is implemented, read access
interruptions are only triggered at privilege levels 2 and 3. The
kernel executes at privilege level 0, so __get_user() never triggers
a read access interruption (code 26). Thus, it is currently possible
for user code to access a read protected address via a system call.

Fix this by probing read access rights at privilege level 3 (PRIV_USER)
and setting __gu_err to -EFAULT (-14) if access isn't allowed.

Note the cmpiclr instruction does a 32-bit compare because COND macro
doesn't work inside asm.

Signed-off-by: John David Anglin
Signed-off-by: Helge Deller
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Greg Kroah-Hartman
---
 arch/parisc/include/asm/uaccess.h | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

--- a/arch/parisc/include/asm/uaccess.h
+++ b/arch/parisc/include/asm/uaccess.h
@@ -42,9 +42,24 @@ __gu_err; \ }) -#define __get_user(val, ptr) \ -({ \ - __get_user_internal(SR_USER, val, ptr); \ +#define __probe_user_internal(sr, error, ptr) \ +({ \ + __asm__("\tproberi (%%sr%1,%2),%3,%0\n" \ + "\tcmpiclr,= 1,%0,%0\n" \ + "\tldi %4,%0\n" \ + : "=r"(error) \ + : "i"(sr), "r"(ptr), "i"(PRIV_USER), \ + "i"(-EFAULT)); \ +}) + +#define __get_user(val, ptr) \ +({ \ + register long __gu_err; \ + \ + __gu_err = __get_user_internal(SR_USER, val, ptr); \ + if (likely(!__gu_err)) \ + __probe_user_internal(SR_USER, __gu_err, ptr); \ + __gu_err; \ }) #define __get_user_asm(sr, val, ldx, ptr) \
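
Review bot: In the new __get_user(), __get_user_internal(SR_USER, val, ptr) runs before __probe_user_internal(), so the load is done at kernel privilege first and the probe only changes the return value afterwards; on the -EFAULT path val may already hold the data read from the read-protected address. Consider probing before the load, or clearing val when the probe fails, so that a caller which mishandles the error never sees that data. Two smaller points in the same macro: ptr is now expanded twice (once for each internal call), so an argument with side effects would be evaluated twice unless it is captured in a local first; and __probe_user_internal() checks only the address ptr itself, with no size, which deserves a comment saying why that is sufficient for every access width __get_user() supports.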