Commit d4ffd5df authored by Jiashuo Liang's avatar Jiashuo Liang Committed by Borislav Petkov
Browse files

x86/fault: Fix wrong signal when vsyscall fails with pkey 

The function __bad_area_nosemaphore() calls kernelmode_fixup_or_oops()
with the parameter @signal being actually @pkey, which will send a
signal numbered with the argument in @pkey.

This bug can be triggered when the kernel fails to access user-given
memory pages that are protected by a pkey, so it can go down the
do_user_addr_fault() path and pass the !user_mode() check in
__bad_area_nosemaphore().

Most cases will simply run the kernel fixup code to make an -EFAULT. But
when another condition current->thread.sig_on_uaccess_err is met, which
is only used to emulate vsyscall, the kernel will generate the wrong
signal.

Add a new parameter @pkey to kernelmode_fixup_or_oops() to fix this.

 [ bp: Massage commit message, fix build error as reported by the 0day
   bot: https://lkml.kernel.org/r/202109202245.APvuT8BX-lkp@intel.com

 ]

Fixes: 5042d40a ("x86/fault: Bypass no_context() for implicit kernel faults from usermode")
Reported-by: default avatarkernel test robot <lkp@intel.com>
Signed-off-by: default avatarJiashuo Liang <liangjs@pku.edu.cn>
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Acked-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/20210730030152.249106-1-liangjs@pku.edu.cn
parent e4e737bb

arch/x86/include/asm/pkeys.h

+0 −2
Original line number Diff line number Diff line
@@ -2,8 +2,6 @@ 
#ifndef _ASM_X86_PKEYS_H

#define _ASM_X86_PKEYS_H



#define ARCH_DEFAULT_PKEY	0



/*

 * If more than 16 keys are ever supported, a thorough audit

 * will be necessary to ensure that the types that store key

arch/x86/mm/fault.c

+18 −8
Original line number Diff line number Diff line
@@ -710,7 +710,8 @@ page_fault_oops(struct pt_regs *regs, unsigned long error_code, 


static noinline void

kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code,

			 unsigned long address, int signal, int si_code)

			 unsigned long address, int signal, int si_code,

			 u32 pkey)

{

	WARN_ON_ONCE(user_mode(regs));
@@ -735,9 +736,13 @@ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code, 


			set_signal_archinfo(address, error_code);



			if (si_code == SEGV_PKUERR) {

				force_sig_pkuerr((void __user *)address, pkey);

			} else {

				/* XXX: hwpoison faults will set the wrong code. */

				force_sig_fault(signal, si_code, (void __user *)address);

			}

		}



		/*

		 * Barring that, we can do the fixup and be happy.
@@ -798,7 +803,8 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, 
	struct task_struct *tsk = current;



	if (!user_mode(regs)) {

		kernelmode_fixup_or_oops(regs, error_code, address, pkey, si_code);

		kernelmode_fixup_or_oops(regs, error_code, address,

					 SIGSEGV, si_code, pkey);

		return;

	}
@@ -930,7 +936,8 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address, 
{

	/* Kernel mode? Handle exceptions or die: */

	if (!user_mode(regs)) {

		kernelmode_fixup_or_oops(regs, error_code, address, SIGBUS, BUS_ADRERR);

		kernelmode_fixup_or_oops(regs, error_code, address,

					 SIGBUS, BUS_ADRERR, ARCH_DEFAULT_PKEY);

		return;

	}
@@ -1396,7 +1403,8 @@ void do_user_addr_fault(struct pt_regs *regs, 
		 */

		if (!user_mode(regs))

			kernelmode_fixup_or_oops(regs, error_code, address,

						 SIGBUS, BUS_ADRERR);

						 SIGBUS, BUS_ADRERR,

						 ARCH_DEFAULT_PKEY);

		return;

	}
@@ -1416,7 +1424,8 @@ void do_user_addr_fault(struct pt_regs *regs, 
		return;



	if (fatal_signal_pending(current) && !user_mode(regs)) {

		kernelmode_fixup_or_oops(regs, error_code, address, 0, 0);

		kernelmode_fixup_or_oops(regs, error_code, address,

					 0, 0, ARCH_DEFAULT_PKEY);

		return;

	}
@@ -1424,7 +1433,8 @@ void do_user_addr_fault(struct pt_regs *regs, 
		/* Kernel mode? Handle exceptions or die: */

		if (!user_mode(regs)) {

			kernelmode_fixup_or_oops(regs, error_code, address,

						 SIGSEGV, SEGV_MAPERR);

						 SIGSEGV, SEGV_MAPERR,

						 ARCH_DEFAULT_PKEY);

			return;

		}

include/linux/pkeys.h

+2 −0
Original line number Diff line number Diff line
@@ -4,6 +4,8 @@ 


#include <linux/mm.h>



#define ARCH_DEFAULT_PKEY	0



#ifdef CONFIG_ARCH_HAS_PKEYS

#include <asm/pkeys.h>

#else /* ! CONFIG_ARCH_HAS_PKEYS */