On Thu, Jan 10, 2019 at 05:47:42PM +0000, Paul Burton wrote:
> commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
>
> Mapping the delay slot emulation page as both writeable & executable
> presents a security risk, in that if an exploit can write to & jump into
> the page then it can be used as an easy way to execute arbitrary code.
>
> Prevent this by mapping the page read-only for userland, and using
> access_process_vm() with the FOLL_FORCE flag to write to it from
> mips_dsemul().
>
> This will likely be less efficient due to copy_to_user_page() performing
> cache maintenance on a whole page, rather than a single line as in the
> previous use of flush_cache_sigtramp(). However this delay slot
> emulation code ought not to be running in any performance critical paths
> anyway so this isn't really a problem, and we can probably do better in
> copy_to_user_page() anyway in future.
>
> A major advantage of this approach is that the fix is small & simple to
> backport to stable kernels.
>
> Reported-by: Andy Lutomirski <l...@kernel.org>
> Signed-off-by: Paul Burton <paul.bur...@mips.com>
> Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot
> instructions")
> Cc: sta...@vger.kernel.org # v4.8+
> Cc: linux-m...@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Rich Felker <dal...@libc.org>
> Cc: David Daney <david.da...@cavium.com>
> ---
> arch/mips/kernel/vdso.c | 4 ++--
> arch/mips/math-emu/dsemul.c | 38 +++++++++++++++++++------------------
> 2 files changed, 22 insertions(+), 20 deletions(-)
>
Thanks for the backport, now queued up.
greg k-h
