diff options
author | Paul Burton <paul.burton@mips.com> | 2018-12-20 20:45:43 +0300 |
---|---|---|
committer | Paul Burton <paul.burton@mips.com> | 2018-12-20 21:00:01 +0300 |
commit | adcc81f148d733b7e8e641300c5590a2cdc13bf3 (patch) | |
tree | 95ae4624fa8b2011aa09d5ac9de40f2eef609110 /lib | |
parent | 41e486f4f66d3e646fedd60469bc60e73662de50 (diff) | |
download | linux-adcc81f148d733b7e8e641300c5590a2cdc13bf3.tar.xz |
MIPS: math-emu: Write-protect delay slot emulation pages
Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.
Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().
This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.
A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.
Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
Cc: stable@vger.kernel.org # v4.8+
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Rich Felker <dalias@libc.org>
Cc: David Daney <david.daney@cavium.com>
Diffstat (limited to 'lib')
0 files changed, 0 insertions, 0 deletions