On Thu, Jan 10, 2019 at 05:47:42PM +0000, Paul Burton wrote: > commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream. > > Mapping the delay slot emulation page as both writeable & executable > presents a security risk, in that if an exploit can write to & jump into > the page then it can be used as an easy way to execute arbitrary code. > > Prevent this by mapping the page read-only for userland, and using > access_process_vm() with the FOLL_FORCE flag to write to it from > mips_dsemul(). > > This will likely be less efficient due to copy_to_user_page() performing > cache maintenance on a whole page, rather than a single line as in the > previous use of flush_cache_sigtramp(). However this delay slot > emulation code ought not to be running in any performance critical paths > anyway so this isn't really a problem, and we can probably do better in > copy_to_user_page() anyway in future. > > A major advantage of this approach is that the fix is small & simple to > backport to stable kernels. > > Reported-by: Andy Lutomirski <l...@kernel.org> > Signed-off-by: Paul Burton <paul.bur...@mips.com> > Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot > instructions") > Cc: sta...@vger.kernel.org # v4.8+ > Cc: linux-m...@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: Rich Felker <dal...@libc.org> > Cc: David Daney <david.da...@cavium.com> > --- > arch/mips/kernel/vdso.c | 4 ++-- > arch/mips/math-emu/dsemul.c | 38 +++++++++++++++++++------------------ > 2 files changed, 22 insertions(+), 20 deletions(-) >
Thanks for the backport, now queued up. greg k-h