From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Mark Rutland, Catalin Marinas, Will Deacon
Subject: [PATCH 5.10 05/52] arm64: probes: Fix simulate_ldr*_literal()
Date: Mon, 21 Oct 2024 12:25:26 +0200
Message-ID: <20241021102241.838183913@linuxfoundation.org>
In-Reply-To: <20241021102241.624153108@linuxfoundation.org>
References: <20241021102241.624153108@linuxfoundation.org>

5.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland

commit 50f813e57601c22b6f26ced3193b9b94d70a2640 upstream.

The simulate_ldr_literal() code always loads a 64-bit quantity, and when
simulating a 32-bit load into a 'W' register, it discards the most
significant 32 bits. For big-endian kernels this means that the relevant
bits are discarded, and the value returned is the subsequent 32 bits in
memory (i.e. the value at addr + 4).

Additionally, simulate_ldr_literal() and simulate_ldrsw_literal() use a
plain C load, which the compiler may tear or elide (e.g. if the target is
the zero register).

Today this doesn't happen to matter, but it may matter in future if
trampoline code uses a LDR (literal) or LDRSW (literal).

Update simulate_ldr_literal() and simulate_ldrsw_literal() to use an
appropriately-sized READ_ONCE() to perform the access, which avoids these
problems.

Fixes: 39a67d49ba35 ("arm64: kprobes instruction simulation support")
Cc: stable@vger.kernel.org
Signed-off-by: Mark Rutland
Cc: Catalin Marinas
Cc: Will Deacon
Link: https://lore.kernel.org/r/20241008155851.801546-3-mark.rutland@arm.com
Signed-off-by: Will Deacon
Signed-off-by: Greg Kroah-Hartman --- arch/arm64/kernel/probes/simulate-insn.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) --- a/arch/arm64/kernel/probes/simulate-insn.c +++ b/arch/arm64/kernel/probes/simulate-insn.c @@ -170,17 +170,15 @@ simulate_tbz_tbnz(u32 opcode, long addr, void __kprobes simulate_ldr_literal(u32 opcode, long addr, struct pt_regs *regs) { - u64 *load_addr; + unsigned long load_addr; int xn = opcode & 0x1f; - int disp; - disp = ldr_displacement(opcode); - load_addr = (u64 *) (addr + disp); + load_addr = addr + ldr_displacement(opcode); if (opcode & (1 << 30)) /* x0-x30 */ - set_x_reg(regs, xn, *load_addr); + set_x_reg(regs, xn, READ_ONCE(*(u64 *)load_addr)); else /* w0-w30 */ - set_w_reg(regs, xn, *load_addr); + set_w_reg(regs, xn, READ_ONCE(*(u32 *)load_addr)); instruction_pointer_set(regs, instruction_pointer(regs) + 4); } @@ -188,14 +186,12 @@ simulate_ldr_literal(u32 opcode, long ad void __kprobes simulate_ldrsw_literal(u32 opcode, long addr, struct pt_regs *regs) { - s32 *load_addr; + unsigned long load_addr; int xn = opcode & 0x1f; - int disp; - disp = ldr_displacement(opcode); - load_addr = (s32 *) (addr + disp); + load_addr = addr + ldr_displacement(opcode); - set_x_reg(regs, xn, *load_addr); + set_x_reg(regs, xn, READ_ONCE(*(s32 *)load_addr)); instruction_pointer_set(regs, instruction_pointer(regs) + 4); }
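Review bot: in the simulate_ldr_literal() hunk, the `set_w_reg(regs, xn, READ_ONCE(*(u32 *)load_addr));` line is the one that changes the observable result, since the old `*load_addr` through a `u64 *` fetched 64 bits and the W path then kept only the low half, which on big-endian is the word at addr + 4; the two READ_ONCE() sites would benefit from a one-line comment saying they are there to match the access width to the register and to keep the compiler from tearing or eliding the load (e.g. when the destination is the zero register), so the next reader does not have to dig the reason out of the commit log.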
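Review bot: in the simulate_ldrsw_literal() hunk, `set_x_reg(regs, xn, READ_ONCE(*(s32 *)load_addr));` gets the sign extension that LDRSW requires only through the implicit conversion of the s32 value to set_x_reg()'s parameter type; an explicit `(s64)` cast or a short comment at the call site would make that intent visible without the reader having to know set_x_reg()'s prototype, and would guard against a future change of that prototype to a narrower or unsigned 32-bit type silently dropping the extension.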
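The two points in the commit message (the W path picking up the word at addr + 4 on big-endian, and LDRSW needing a sign-extended 32-bit load) modelled in C so they can be checked on any host. This is an added example, not the kernel's code or part of this patch: the memory image, the opcode values and the helper names are constructed for the illustration, and it decodes the LDR/LDRSW (literal) field layout (opc at bits [31:30], imm19 at [23:5], Rt at [4:0]) itself rather than calling the kernel's ldr_displacement().

```c
/* Added example, not the kernel's code: models the old and new
 * simulate_ldr_literal()/simulate_ldrsw_literal() on a big-endian image. */
#include <stdint.h>

/* Constructed big-endian image: u32 at offset 0 = 0x11223344, at offset 4 =
 * 0x55667788 (u64 at 0 = 0x1122334455667788), at offset 8 = 0xfffffff0. */
static const uint8_t be_mem[16] = {
	0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
	0xff, 0xff, 0xff, 0xf0, 0x00, 0x00, 0x00, 0x00,
};

/* Byte-wise big-endian load, so the result is independent of the host. */
static uint64_t be_load(long addr, int bytes)
{
	uint64_t v = 0;
	for (int i = 0; i < bytes; i++)
		v = (v << 8) | be_mem[addr + i];
	return v;
}

/* LDR/LDRSW (literal): imm19 sits at bits [23:5]; the byte offset is
 * SignExtend(imm19:'00'), i.e. imm19 * 4 (multiply, not shift, to stay
 * defined for negative values). */
static long ldr_literal_displacement(uint32_t opcode)
{
	long imm19 = (opcode >> 5) & 0x7ffff;
	if (imm19 & 0x40000)		/* sign-extend the 19-bit field */
		imm19 -= 0x80000;
	return imm19 * 4;
}

/* Before the fix: one 64-bit load; the W path (bit 30 clear) keeps only the
 * low half, which in a big-endian image is the word at addr + 4. */
static uint64_t simulate_ldr_literal_old(uint32_t opcode, long pc)
{
	uint64_t val = be_load(pc + ldr_literal_displacement(opcode), 8);
	return (opcode & (1u << 30)) ? val : (uint32_t)val;
}

/* After the fix: the access width matches the destination register. */
static uint64_t simulate_ldr_literal_new(uint32_t opcode, long pc)
{
	long addr = pc + ldr_literal_displacement(opcode);
	return (opcode & (1u << 30)) ? be_load(addr, 8) : be_load(addr, 4);
}

/* LDRSW (literal) after the fix: a 32-bit load sign-extended to 64 bits,
 * which is what passing the s32 value to set_x_reg() amounts to. */
static uint64_t simulate_ldrsw_literal_new(uint32_t opcode, long pc)
{
	long addr = pc + ldr_literal_displacement(opcode);
	return (uint64_t)(int64_t)(int32_t)be_load(addr, 4);
}
```

The opcodes used in the checks are LDR W0 (0x18000000) and LDR X1 (0x58000001) with a zero offset at pc 0, and LDRSW X2 with imm19 = -2 (0x98FFFFC2) at pc 16, which reads the word at offset 8.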