[OpenWrt-Devel] [PATCH] kernel: MIPS: math-emu Write-protect delay slot emulation pages

Rosen Penev rosenp at gmail.com
Fri Dec 21 22:43:28 EST 2018


On Fri, Dec 21, 2018 at 9:21 AM Kevin 'ldir' Darbyshire-Bryant
<ldir at darbyshire-bryant.me.uk> wrote:
>
> Backport https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=adcc81f148d733b7e8e641300c5590a2cdc13bf3
>
> "Mapping the delay slot emulation page as both writeable & executable
> presents a security risk, in that if an exploit can write to & jump into
> the page then it can be used as an easy way to execute arbitrary code.
>
> Prevent this by mapping the page read-only for userland, and using
> access_process_vm() with the FOLL_FORCE flag to write to it from
> mips_dsemul().
>
> This will likely be less efficient due to copy_to_user_page() performing
> cache maintenance on a whole page, rather than a single line as in the
> previous use of flush_cache_sigtramp(). However this delay slot
> emulation code ought not to be running in any performance critical paths
> anyway so this isn't really a problem, and we can probably do better in
> copy_to_user_page() anyway in future.
>
> A major advantage of this approach is that the fix is small & simple to
> backport to stable kernels.
>
> Reported-by: Andy Lutomirski <luto at kernel.org>
> Signed-off-by: Paul Burton <paul.burton at mips.com>
> Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")"
>
> Without patch:
>
> cat /proc/self/maps
> 00400000-0047a000 r-xp 00000000 1f:03 1823       /bin/busybox
> 00489000-0048a000 r-xp 00079000 1f:03 1823       /bin/busybox
> 0048a000-0048b000 rwxp 0007a000 1f:03 1823       /bin/busybox
> 77ec8000-77eed000 r-xp 00000000 1f:03 2296       /lib/libgcc_s.so.1
> 77eed000-77eee000 rwxp 00015000 1f:03 2296       /lib/libgcc_s.so.1
> 77eee000-77f81000 r-xp 00000000 1f:03 2470       /lib/libc.so
> 77f90000-77f92000 rwxp 00092000 1f:03 2470       /lib/libc.so
> 77f92000-77f94000 rwxp 00000000 00:00 0
> 7f946000-7f967000 rw-p 00000000 00:00 0          [stack]
> 7fefb000-7fefc000 rwxp 00000000 00:00 0
> 7ffac000-7ffad000 r--p 00000000 00:00 0          [vvar]
> 7ffad000-7ffae000 r-xp 00000000 00:00 0          [vdso]
>
> Patch applied:
>
> cat /proc/self/maps
> 00400000-0047a000 r-xp 00000000 1f:03 1825       /bin/busybox
> 00489000-0048a000 r-xp 00079000 1f:03 1825       /bin/busybox
> 0048a000-0048b000 rwxp 0007a000 1f:03 1825       /bin/busybox
> 77ed0000-77ef5000 r-xp 00000000 1f:03 2298       /lib/libgcc_s.so.1
> 77ef5000-77ef6000 rwxp 00015000 1f:03 2298       /lib/libgcc_s.so.1
> 77ef6000-77f89000 r-xp 00000000 1f:03 2474       /lib/libc.so
> 77f98000-77f9a000 rwxp 00092000 1f:03 2474       /lib/libc.so
> 77f9a000-77f9c000 rwxp 00000000 00:00 0
> 7fbed000-7fc0e000 rw-p 00000000 00:00 0          [stack]
> 7fefb000-7fefc000 r-xp 00000000 00:00 0
> 7fff6000-7fff7000 r--p 00000000 00:00 0          [vvar]
> 7fff7000-7fff8000 r-xp 00000000 00:00 0          [vdso]
>
> Note lack of write permission to 7fefb000-7fefc000
>
> This has received minimal testing on ath79 4.14 Archer C7 v2 only
>
> Signed-off-by: Kevin Darbyshire-Bryant <ldir at darbyshire-bryant.me.uk>
This will make it in the stable kernels within a few releases. Might
as well add in in the meantime.

> ---
>  ...e-protect-delay-slot-emulation-pages.patch | 119 ++++++++++++++++++
>  ...e-protect-delay-slot-emulation-pages.patch | 119 ++++++++++++++++++
>  ...e-protect-delay-slot-emulation-pages.patch | 119 ++++++++++++++++++
>  3 files changed, 357 insertions(+)
>  create mode 100644 target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
>  create mode 100644 target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
>  create mode 100644 target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
>
> diff --git a/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch b/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
> new file mode 100644
> index 0000000000..f428285a64
> --- /dev/null
> +++ b/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
> @@ -0,0 +1,119 @@
> +From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
> +From: Paul Burton <paul.burton at mips.com>
> +Date: Thu, 20 Dec 2018 17:45:43 +0000
> +Subject: MIPS: math-emu: Write-protect delay slot emulation pages
> +
> +Mapping the delay slot emulation page as both writeable & executable
> +presents a security risk, in that if an exploit can write to & jump into
> +the page then it can be used as an easy way to execute arbitrary code.
> +
> +Prevent this by mapping the page read-only for userland, and using
> +access_process_vm() with the FOLL_FORCE flag to write to it from
> +mips_dsemul().
> +
> +This will likely be less efficient due to copy_to_user_page() performing
> +cache maintenance on a whole page, rather than a single line as in the
> +previous use of flush_cache_sigtramp(). However this delay slot
> +emulation code ought not to be running in any performance critical paths
> +anyway so this isn't really a problem, and we can probably do better in
> +copy_to_user_page() anyway in future.
> +
> +A major advantage of this approach is that the fix is small & simple to
> +backport to stable kernels.
> +
> +Reported-by: Andy Lutomirski <luto at kernel.org>
> +Signed-off-by: Paul Burton <paul.burton at mips.com>
> +Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
> +Cc: stable at vger.kernel.org # v4.8+
> +Cc: linux-mips at vger.kernel.org
> +Cc: linux-kernel at vger.kernel.org
> +Cc: Rich Felker <dalias at libc.org>
> +Cc: David Daney <david.daney at cavium.com>
> +---
> + arch/mips/kernel/vdso.c     |  4 ++--
> + arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
> + 2 files changed, 22 insertions(+), 20 deletions(-)
> +
> +--- a/arch/mips/kernel/vdso.c
> ++++ b/arch/mips/kernel/vdso.c
> +@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
> +
> +       /* Map delay slot emulation page */
> +       base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
> +-                         VM_READ|VM_WRITE|VM_EXEC|
> +-                         VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
> ++                         VM_READ | VM_EXEC |
> ++                         VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
> +                          0, NULL);
> +       if (IS_ERR_VALUE(base)) {
> +               ret = base;
> +--- a/arch/mips/math-emu/dsemul.c
> ++++ b/arch/mips/math-emu/dsemul.c
> +@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
> + {
> +       int isa16 = get_isa16_mode(regs->cp0_epc);
> +       mips_instruction break_math;
> +-      struct emuframe __user *fr;
> +-      int err, fr_idx;
> ++      unsigned long fr_uaddr;
> ++      struct emuframe fr;
> ++      int fr_idx, ret;
> +
> +       /* NOP is easy */
> +       if (ir == 0)
> +@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
> +               fr_idx = alloc_emuframe();
> +       if (fr_idx == BD_EMUFRAME_NONE)
> +               return SIGBUS;
> +-      fr = &dsemul_page()[fr_idx];
> +
> +       /* Retrieve the appropriately encoded break instruction */
> +       break_math = BREAK_MATH(isa16);
> +
> +       /* Write the instructions to the frame */
> +       if (isa16) {
> +-              err = __put_user(ir >> 16,
> +-                               (u16 __user *)(&fr->emul));
> +-              err |= __put_user(ir & 0xffff,
> +-                                (u16 __user *)((long)(&fr->emul) + 2));
> +-              err |= __put_user(break_math >> 16,
> +-                                (u16 __user *)(&fr->badinst));
> +-              err |= __put_user(break_math & 0xffff,
> +-                                (u16 __user *)((long)(&fr->badinst) + 2));
> ++              union mips_instruction _emul = {
> ++                      .halfword = { ir >> 16, ir }
> ++              };
> ++              union mips_instruction _badinst = {
> ++                      .halfword = { break_math >> 16, break_math }
> ++              };
> ++
> ++              fr.emul = _emul.word;
> ++              fr.badinst = _badinst.word;
> +       } else {
> +-              err = __put_user(ir, &fr->emul);
> +-              err |= __put_user(break_math, &fr->badinst);
> ++              fr.emul = ir;
> ++              fr.badinst = break_math;
> +       }
> +
> +-      if (unlikely(err)) {
> ++      /* Write the frame to user memory */
> ++      fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
> ++      ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
> ++                              FOLL_FORCE | FOLL_WRITE);
> ++      if (unlikely(ret != sizeof(fr))) {
> +               MIPS_FPU_EMU_INC_STATS(errors);
> +               free_emuframe(fr_idx, current->mm);
> +               return SIGBUS;
> +@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
> +       atomic_set(&current->thread.bd_emu_frame, fr_idx);
> +
> +       /* Change user register context to execute the frame */
> +-      regs->cp0_epc = (unsigned long)&fr->emul | isa16;
> +-
> +-      /* Ensure the icache observes our newly written frame */
> +-      flush_cache_sigtramp((unsigned long)&fr->emul);
> ++      regs->cp0_epc = fr_uaddr | isa16;
> +
> +       return 0;
> + }
> diff --git a/target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch b/target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
> new file mode 100644
> index 0000000000..f428285a64
> --- /dev/null
> +++ b/target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
> @@ -0,0 +1,119 @@
> +From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
> +From: Paul Burton <paul.burton at mips.com>
> +Date: Thu, 20 Dec 2018 17:45:43 +0000
> +Subject: MIPS: math-emu: Write-protect delay slot emulation pages
> +
> +Mapping the delay slot emulation page as both writeable & executable
> +presents a security risk, in that if an exploit can write to & jump into
> +the page then it can be used as an easy way to execute arbitrary code.
> +
> +Prevent this by mapping the page read-only for userland, and using
> +access_process_vm() with the FOLL_FORCE flag to write to it from
> +mips_dsemul().
> +
> +This will likely be less efficient due to copy_to_user_page() performing
> +cache maintenance on a whole page, rather than a single line as in the
> +previous use of flush_cache_sigtramp(). However this delay slot
> +emulation code ought not to be running in any performance critical paths
> +anyway so this isn't really a problem, and we can probably do better in
> +copy_to_user_page() anyway in future.
> +
> +A major advantage of this approach is that the fix is small & simple to
> +backport to stable kernels.
> +
> +Reported-by: Andy Lutomirski <luto at kernel.org>
> +Signed-off-by: Paul Burton <paul.burton at mips.com>
> +Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
> +Cc: stable at vger.kernel.org # v4.8+
> +Cc: linux-mips at vger.kernel.org
> +Cc: linux-kernel at vger.kernel.org
> +Cc: Rich Felker <dalias at libc.org>
> +Cc: David Daney <david.daney at cavium.com>
> +---
> + arch/mips/kernel/vdso.c     |  4 ++--
> + arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
> + 2 files changed, 22 insertions(+), 20 deletions(-)
> +
> +--- a/arch/mips/kernel/vdso.c
> ++++ b/arch/mips/kernel/vdso.c
> +@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
> +
> +       /* Map delay slot emulation page */
> +       base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
> +-                         VM_READ|VM_WRITE|VM_EXEC|
> +-                         VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
> ++                         VM_READ | VM_EXEC |
> ++                         VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
> +                          0, NULL);
> +       if (IS_ERR_VALUE(base)) {
> +               ret = base;
> +--- a/arch/mips/math-emu/dsemul.c
> ++++ b/arch/mips/math-emu/dsemul.c
> +@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
> + {
> +       int isa16 = get_isa16_mode(regs->cp0_epc);
> +       mips_instruction break_math;
> +-      struct emuframe __user *fr;
> +-      int err, fr_idx;
> ++      unsigned long fr_uaddr;
> ++      struct emuframe fr;
> ++      int fr_idx, ret;
> +
> +       /* NOP is easy */
> +       if (ir == 0)
> +@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
> +               fr_idx = alloc_emuframe();
> +       if (fr_idx == BD_EMUFRAME_NONE)
> +               return SIGBUS;
> +-      fr = &dsemul_page()[fr_idx];
> +
> +       /* Retrieve the appropriately encoded break instruction */
> +       break_math = BREAK_MATH(isa16);
> +
> +       /* Write the instructions to the frame */
> +       if (isa16) {
> +-              err = __put_user(ir >> 16,
> +-                               (u16 __user *)(&fr->emul));
> +-              err |= __put_user(ir & 0xffff,
> +-                                (u16 __user *)((long)(&fr->emul) + 2));
> +-              err |= __put_user(break_math >> 16,
> +-                                (u16 __user *)(&fr->badinst));
> +-              err |= __put_user(break_math & 0xffff,
> +-                                (u16 __user *)((long)(&fr->badinst) + 2));
> ++              union mips_instruction _emul = {
> ++                      .halfword = { ir >> 16, ir }
> ++              };
> ++              union mips_instruction _badinst = {
> ++                      .halfword = { break_math >> 16, break_math }
> ++              };
> ++
> ++              fr.emul = _emul.word;
> ++              fr.badinst = _badinst.word;
> +       } else {
> +-              err = __put_user(ir, &fr->emul);
> +-              err |= __put_user(break_math, &fr->badinst);
> ++              fr.emul = ir;
> ++              fr.badinst = break_math;
> +       }
> +
> +-      if (unlikely(err)) {
> ++      /* Write the frame to user memory */
> ++      fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
> ++      ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
> ++                              FOLL_FORCE | FOLL_WRITE);
> ++      if (unlikely(ret != sizeof(fr))) {
> +               MIPS_FPU_EMU_INC_STATS(errors);
> +               free_emuframe(fr_idx, current->mm);
> +               return SIGBUS;
> +@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
> +       atomic_set(&current->thread.bd_emu_frame, fr_idx);
> +
> +       /* Change user register context to execute the frame */
> +-      regs->cp0_epc = (unsigned long)&fr->emul | isa16;
> +-
> +-      /* Ensure the icache observes our newly written frame */
> +-      flush_cache_sigtramp((unsigned long)&fr->emul);
> ++      regs->cp0_epc = fr_uaddr | isa16;
> +
> +       return 0;
> + }
> diff --git a/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch b/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
> new file mode 100644
> index 0000000000..69cc493bba
> --- /dev/null
> +++ b/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
> @@ -0,0 +1,119 @@
> +From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
> +From: Paul Burton <paul.burton at mips.com>
> +Date: Thu, 20 Dec 2018 17:45:43 +0000
> +Subject: MIPS: math-emu: Write-protect delay slot emulation pages
> +
> +Mapping the delay slot emulation page as both writeable & executable
> +presents a security risk, in that if an exploit can write to & jump into
> +the page then it can be used as an easy way to execute arbitrary code.
> +
> +Prevent this by mapping the page read-only for userland, and using
> +access_process_vm() with the FOLL_FORCE flag to write to it from
> +mips_dsemul().
> +
> +This will likely be less efficient due to copy_to_user_page() performing
> +cache maintenance on a whole page, rather than a single line as in the
> +previous use of flush_cache_sigtramp(). However this delay slot
> +emulation code ought not to be running in any performance critical paths
> +anyway so this isn't really a problem, and we can probably do better in
> +copy_to_user_page() anyway in future.
> +
> +A major advantage of this approach is that the fix is small & simple to
> +backport to stable kernels.
> +
> +Reported-by: Andy Lutomirski <luto at kernel.org>
> +Signed-off-by: Paul Burton <paul.burton at mips.com>
> +Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
> +Cc: stable at vger.kernel.org # v4.8+
> +Cc: linux-mips at vger.kernel.org
> +Cc: linux-kernel at vger.kernel.org
> +Cc: Rich Felker <dalias at libc.org>
> +Cc: David Daney <david.daney at cavium.com>
> +---
> + arch/mips/kernel/vdso.c     |  4 ++--
> + arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
> + 2 files changed, 22 insertions(+), 20 deletions(-)
> +
> +--- a/arch/mips/kernel/vdso.c
> ++++ b/arch/mips/kernel/vdso.c
> +@@ -111,8 +111,8 @@ int arch_setup_additional_pages(struct l
> +
> +       /* Map delay slot emulation page */
> +       base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
> +-                         VM_READ|VM_WRITE|VM_EXEC|
> +-                         VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
> ++                         VM_READ | VM_EXEC |
> ++                         VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
> +                          0);
> +       if (IS_ERR_VALUE(base)) {
> +               ret = base;
> +--- a/arch/mips/math-emu/dsemul.c
> ++++ b/arch/mips/math-emu/dsemul.c
> +@@ -211,8 +211,9 @@ int mips_dsemul(struct pt_regs *regs, mi
> + {
> +       int isa16 = get_isa16_mode(regs->cp0_epc);
> +       mips_instruction break_math;
> +-      struct emuframe __user *fr;
> +-      int err, fr_idx;
> ++      unsigned long fr_uaddr;
> ++      struct emuframe fr;
> ++      int fr_idx, ret;
> +
> +       /* NOP is easy */
> +       if (ir == 0)
> +@@ -247,27 +248,31 @@ int mips_dsemul(struct pt_regs *regs, mi
> +               fr_idx = alloc_emuframe();
> +       if (fr_idx == BD_EMUFRAME_NONE)
> +               return SIGBUS;
> +-      fr = &dsemul_page()[fr_idx];
> +
> +       /* Retrieve the appropriately encoded break instruction */
> +       break_math = BREAK_MATH(isa16);
> +
> +       /* Write the instructions to the frame */
> +       if (isa16) {
> +-              err = __put_user(ir >> 16,
> +-                               (u16 __user *)(&fr->emul));
> +-              err |= __put_user(ir & 0xffff,
> +-                                (u16 __user *)((long)(&fr->emul) + 2));
> +-              err |= __put_user(break_math >> 16,
> +-                                (u16 __user *)(&fr->badinst));
> +-              err |= __put_user(break_math & 0xffff,
> +-                                (u16 __user *)((long)(&fr->badinst) + 2));
> ++              union mips_instruction _emul = {
> ++                      .halfword = { ir >> 16, ir }
> ++              };
> ++              union mips_instruction _badinst = {
> ++                      .halfword = { break_math >> 16, break_math }
> ++              };
> ++
> ++              fr.emul = _emul.word;
> ++              fr.badinst = _badinst.word;
> +       } else {
> +-              err = __put_user(ir, &fr->emul);
> +-              err |= __put_user(break_math, &fr->badinst);
> ++              fr.emul = ir;
> ++              fr.badinst = break_math;
> +       }
> +
> +-      if (unlikely(err)) {
> ++      /* Write the frame to user memory */
> ++      fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
> ++      ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
> ++                              FOLL_FORCE | FOLL_WRITE);
> ++      if (unlikely(ret != sizeof(fr))) {
> +               MIPS_FPU_EMU_INC_STATS(errors);
> +               free_emuframe(fr_idx, current->mm);
> +               return SIGBUS;
> +@@ -279,10 +284,7 @@ int mips_dsemul(struct pt_regs *regs, mi
> +       atomic_set(&current->thread.bd_emu_frame, fr_idx);
> +
> +       /* Change user register context to execute the frame */
> +-      regs->cp0_epc = (unsigned long)&fr->emul | isa16;
> +-
> +-      /* Ensure the icache observes our newly written frame */
> +-      flush_cache_sigtramp((unsigned long)&fr->emul);
> ++      regs->cp0_epc = fr_uaddr | isa16;
> +
> +       return 0;
> + }
> --
> 2.17.2 (Apple Git-113)
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel



More information about the openwrt-devel mailing list