Commit a30056f9 authored by Helge Deller's avatar Helge Deller Committed by Cheng Yu
Browse files

parisc: Fix random data corruption from exception handler 

mainline inclusion
from mainline-v6.8-rc3
commit 8b1d72395635af45410b66cc4c4ab37a12c4a831
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2GP
CVE: CVE-2024-26706

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b1d72395635af45410b66cc4c4ab37a12c4a831



--------------------------------

The current exception handler implementation, which assists when accessing
user space memory, may exhibit random data corruption if the compiler decides
to use a different register than the specified register %r29 (defined in
ASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another
register, the fault handler will nevertheless store -EFAULT into %r29 and thus
trash whatever this register is used for.
Looking at the assembly I found that this happens sometimes in emulate_ldd().

To solve the issue, the easiest solution would be if it somehow is
possible to tell the fault handler which register is used to hold the error
code. Using %0 or %1 in the inline assembly is not posssible as it will show
up as e.g. %r29 (with the "%r" prefix), which the GNU assembler can not
convert to an integer.

This patch takes another, better and more flexible approach:
We extend the __ex_table (which is out of the execution path) by one 32-word.
In this word we tell the compiler to insert the assembler instruction
"or %r0,%r0,%reg", where %reg references the register which the compiler
choosed for the error return code.
In case of an access failure, the fault handler finds the __ex_table entry and
can examine the opcode. The used register is encoded in the lowest 5 bits, and
the fault handler can then store -EFAULT into this register.

Since we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT
config option any longer.

Signed-off-by: default avatarHelge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org> # v6.0+
Signed-off-by: default avatarCheng Yu <serein.chengyu@huawei.com>
parent 244aff3b

arch/parisc/Kconfig

+0 −1
Original line number Diff line number Diff line
@@ -20,7 +20,6 @@ config PARISC 
	select RTC_DRV_GENERIC

	select INIT_ALL_POSSIBLE

	select BUG

	select BUILDTIME_TABLE_SORT

	select HAVE_PCI

	select HAVE_PERF_EVENTS

	select HAVE_KERNEL_BZIP2

arch/parisc/include/asm/assembly.h

+1 −0
Original line number Diff line number Diff line
@@ -506,6 +506,7 @@ 
#define ASM_EXCEPTIONTABLE_ENTRY(fault_addr, except_addr)	\

	.section __ex_table,"aw"			!	\

	.word (fault_addr - .), (except_addr - .)	!	\

	or %r0,%r0,%r0					!	\

	.previous

arch/parisc/include/asm/extable.h

0 → 100644
+64 −0
Original line number Diff line number Diff line 
/* SPDX-License-Identifier: GPL-2.0 */

#ifndef __PARISC_EXTABLE_H

#define __PARISC_EXTABLE_H



#include <asm/ptrace.h>

#include <linux/compiler.h>



/*

 * The exception table consists of three addresses:

 *

 * - A relative address to the instruction that is allowed to fault.

 * - A relative address at which the program should continue (fixup routine)

 * - An asm statement which specifies which CPU register will

 *   receive -EFAULT when an exception happens if the lowest bit in

 *   the fixup address is set.

 *

 * Note: The register specified in the err_opcode instruction will be

 * modified at runtime if a fault happens. Register %r0 will be ignored.

 *

 * Since relative addresses are used, 32bit values are sufficient even on

 * 64bit kernel.

 */



struct pt_regs;

int fixup_exception(struct pt_regs *regs);



#define ARCH_HAS_RELATIVE_EXTABLE

struct exception_table_entry {

	int insn;	/* relative address of insn that is allowed to fault. */

	int fixup;	/* relative address of fixup routine */

	int err_opcode; /* sample opcode with register which holds error code */

};



#define ASM_EXCEPTIONTABLE_ENTRY( fault_addr, except_addr, opcode )\

	".section __ex_table,\"aw\"\n"			   \

	".align 4\n"					   \

	".word (" #fault_addr " - .), (" #except_addr " - .)\n" \

	opcode "\n"					   \

	".previous\n"



/*

 * ASM_EXCEPTIONTABLE_ENTRY_EFAULT() creates a special exception table entry

 * (with lowest bit set) for which the fault handler in fixup_exception() will

 * load -EFAULT on fault into the register specified by the err_opcode instruction,

 * and zeroes the target register in case of a read fault in get_user().

 */

#define ASM_EXCEPTIONTABLE_VAR(__err_var)		\

	int __err_var = 0

#define ASM_EXCEPTIONTABLE_ENTRY_EFAULT( fault_addr, except_addr, register )\

	ASM_EXCEPTIONTABLE_ENTRY( fault_addr, except_addr + 1, "or %%r0,%%r0," register)



static inline void swap_ex_entry_fixup(struct exception_table_entry *a,

				       struct exception_table_entry *b,

				       struct exception_table_entry tmp,

				       int delta)

{

	a->fixup = b->fixup + delta;

	b->fixup = tmp.fixup - delta;

	a->err_opcode = b->err_opcode;

	b->err_opcode = tmp.err_opcode;

}

#define swap_ex_entry_fixup swap_ex_entry_fixup



#endif

arch/parisc/include/asm/special_insns.h

+4 −2
Original line number Diff line number Diff line
@@ -8,7 +8,8 @@ 
		"copy %%r0,%0\n"			\

		"8:\tlpa %%r0(%1),%0\n"			\

		"9:\n"					\

		ASM_EXCEPTIONTABLE_ENTRY(8b, 9b)	\

		ASM_EXCEPTIONTABLE_ENTRY(8b, 9b,	\

				"or %%r0,%%r0,%%r0")	\

		: "=&r" (pa)				\

		: "r" (va)				\

		: "memory"				\
@@ -22,7 +23,8 @@ 
		"copy %%r0,%0\n"			\

		"8:\tlpa %%r0(%%sr3,%1),%0\n"		\

		"9:\n"					\

		ASM_EXCEPTIONTABLE_ENTRY(8b, 9b)	\

		ASM_EXCEPTIONTABLE_ENTRY(8b, 9b,	\

				"or %%r0,%%r0,%%r0")	\

		: "=&r" (pa)				\

		: "r" (va)				\

		: "memory"				\

arch/parisc/include/asm/uaccess.h

+7 −41
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ 
 */

#include <asm/page.h>

#include <asm/cache.h>

#include <asm/extable.h>



#include <linux/bug.h>

#include <linux/string.h>
@@ -32,37 +33,6 @@ 
#define STD_USER(sr, x, ptr)	__put_user_asm(sr, "std", x, ptr)

#endif



/*

 * The exception table contains two values: the first is the relative offset to

 * the address of the instruction that is allowed to fault, and the second is

 * the relative offset to the address of the fixup routine. Since relative

 * addresses are used, 32bit values are sufficient even on 64bit kernel.

 */



#define ARCH_HAS_RELATIVE_EXTABLE

struct exception_table_entry {

	int insn;	/* relative address of insn that is allowed to fault. */

	int fixup;	/* relative address of fixup routine */

};



#define ASM_EXCEPTIONTABLE_ENTRY( fault_addr, except_addr )\

	".section __ex_table,\"aw\"\n"			   \

	".align 4\n"					   \

	".word (" #fault_addr " - .), (" #except_addr " - .)\n\t" \

	".previous\n"



/*

 * ASM_EXCEPTIONTABLE_ENTRY_EFAULT() creates a special exception table entry

 * (with lowest bit set) for which the fault handler in fixup_exception() will

 * load -EFAULT into %r29 for a read or write fault, and zeroes the target

 * register in case of a read fault in get_user().

 */

#define ASM_EXCEPTIONTABLE_REG	29

#define ASM_EXCEPTIONTABLE_VAR(__variable)		\

	register long __variable __asm__ ("r29") = 0

#define ASM_EXCEPTIONTABLE_ENTRY_EFAULT( fault_addr, except_addr )\

	ASM_EXCEPTIONTABLE_ENTRY( fault_addr, except_addr + 1)



#define __get_user_internal(sr, val, ptr)		\

({							\

	ASM_EXCEPTIONTABLE_VAR(__gu_err);		\
@@ -89,7 +59,7 @@ struct exception_table_entry { 
							\

	__asm__("1: " ldx " 0(" sr "%2),%0\n"		\

		"9:\n"					\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b)	\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b, "%1")	\

		: "=r"(__gu_val), "+r"(__gu_err)        \

		: "r"(ptr));				\

							\
@@ -122,8 +92,8 @@ struct exception_table_entry { 
		"1: ldw 0(" sr "%2),%0\n"		\

		"2: ldw 4(" sr "%2),%R0\n"		\

		"9:\n"					\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b)	\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(2b, 9b)	\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b, "%1")	\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(2b, 9b, "%1")	\

		: "=&r"(__gu_tmp.l), "+r"(__gu_err)	\

		: "r"(ptr));				\

							\
@@ -181,7 +151,7 @@ struct exception_table_entry { 
	__asm__ __volatile__ (					\

		"1: " stx " %2,0(" sr "%1)\n"			\

		"9:\n"						\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b)		\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b, "%0")	\

		: "+r"(__pu_err)				\

		: "r"(ptr), "r"(x))
@@ -193,15 +163,14 @@ struct exception_table_entry { 
		"1: stw %2,0(" sr "%1)\n"			\

		"2: stw %R2,4(" sr "%1)\n"			\

		"9:\n"						\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b)		\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(2b, 9b)		\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 9b, "%0")	\

		ASM_EXCEPTIONTABLE_ENTRY_EFAULT(2b, 9b, "%0")	\

		: "+r"(__pu_err)				\

		: "r"(ptr), "r"(__val));			\

} while (0)



#endif /* !defined(CONFIG_64BIT) */





/*

 * Complex access routines -- external declarations

 */
@@ -225,7 +194,4 @@ unsigned long __must_check raw_copy_in_user(void __user *dst, const void __user 
#define INLINE_COPY_TO_USER

#define INLINE_COPY_FROM_USER



struct pt_regs;

int fixup_exception(struct pt_regs *regs);



#endif /* __PARISC_UACCESS_H */