forked from luck/tmp_suning_uos_patched
riscv: evaluate put_user() arg before enabling user access
commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 upstream. The <asm/uaccess.h> header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman <arnd@arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
This commit is contained in:
parent
61f0c3e809
commit
6ae5eaee1e
|
@ -306,7 +306,9 @@ do { \
|
|||
* data types like structures or arrays.
|
||||
*
|
||||
* @ptr must have pointer-to-simple-variable type, and @x must be assignable
|
||||
* to the result of dereferencing @ptr.
|
||||
* to the result of dereferencing @ptr. The value of @x is copied to avoid
|
||||
* re-ordering where @x is evaluated inside the block that enables user-space
|
||||
* access (thus bypassing user space protection if @x is a function).
|
||||
*
|
||||
* Caller must check the pointer with access_ok() before calling this
|
||||
* function.
|
||||
|
@ -316,12 +318,13 @@ do { \
|
|||
#define __put_user(x, ptr) \
|
||||
({ \
|
||||
__typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
|
||||
__typeof__(*__gu_ptr) __val = (x); \
|
||||
long __pu_err = 0; \
|
||||
\
|
||||
__chk_user_ptr(__gu_ptr); \
|
||||
\
|
||||
__enable_user_access(); \
|
||||
__put_user_nocheck(x, __gu_ptr, __pu_err); \
|
||||
__put_user_nocheck(__val, __gu_ptr, __pu_err); \
|
||||
__disable_user_access(); \
|
||||
\
|
||||
__pu_err; \
|
||||
|
|
Loading…
Reference in New Issue
Block a user