Re: [PATCH] riscv/mm: Prevent kernel module access user-space memory without uaccess routines

[Eric Lin <tesheng@andestech.com>]

On Mon, Nov 30, 2020 at 04:07:03PM +0800, Pekka Enberg wrote:

Hi Pekka,
> On Mon, Nov 30, 2020 at 7:33 AM Eric Lin <tesheng@andestech.com> wrote:
> >
> > In the page fault handler, an access to user-space memory
> > without get/put_user() or copy_from/to_user() routines is
> > not resolved properly. Like arm and other architectures,
> > we need to let it die earlier in page fault handler.
> 
> Fix looks good to me. Can you elaborate on how you found the issue and
> how the bug manifests itself?

OK, I'll elaborate more on the commit message.

> 
> >
> > Signed-off-by: Eric Lin <tesheng@andestech.com>
> > Cc: Alan Kao <alankao@andestech.com>
> > ---
> >  arch/riscv/mm/fault.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
> > index 3c8b9e433c67..a452cfa266a2 100644
> > --- a/arch/riscv/mm/fault.c
> > +++ b/arch/riscv/mm/fault.c
> > @@ -232,6 +232,9 @@ asmlinkage void do_page_fault(struct pt_regs *regs)
> >         if (user_mode(regs))
> >                 flags |= FAULT_FLAG_USER;
> >
> > +       if (!user_mode(regs) && addr < TASK_SIZE && unlikely(!(regs->status & SR_SUM)))
> > +               die(regs, "Accessing user space memory without uaccess routines\n");
> 
> Let's introduce a die_kernel_fault() helper (similar to arm64, for
> example) to ensure same semantics for the different kernel faults. You
> can extract the helper from no_context().

OK, I'll add a die_kernel_fault() helper function in v2.

Thanks for your review.

> 
> > +
> >         perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, addr);
> >
> >         if (cause == EXC_STORE_PAGE_FAULT)
> > --
> > 2.17.0
> >
> >
> > _______________________________________________
> > linux-riscv mailing list
> > linux-riscv@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/linux-riscv