On Fri, 2016-02-09 at 11:47:59 UTC, Paul Mackerras wrote: > In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13) > we lost a check on the region number (the top four bits of the effective > address) for addresses below PAGE_OFFSET. That commit replaced a check > that the top 18 bits were all zero with a check that bits 46 - 59 were > zero (performed for all addresses, not just user addresses). > > This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx > and we will insert a valid SLB entry for it. The VSID used will be the > same as if the top 4 bits were 0, but the page size will be some random > value obtained by indexing beyond the end of the mm_ctx_high_slices_psize > array in the paca. If that page size is the same as would be used for > region 0, then userspace just has an alias of the region 0 space. If the > page size is different, then no HPTE will be found for the access, and > the process will get a SIGSEGV (since hash_page_mm() will refuse to create > a HPTE for the bogus address). > > The access beyond the end of the mm_ctx_high_slices_psize can be at most > 5.5MB past the array, and so will be in RAM somewhere. Since the access > is a load performed in real mode, it won't fault or crash the kernel. > At most this bug could perhaps leak a little bit of information about > blocks of 32 bytes of memory located at offsets of i * 512kB past the > paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11. > > Cc: sta...@vger.kernel.org # v3.10+ > Signed-off-by: Paul Mackerras <pau...@ozlabs.org> > Reviewed-by: Aneesh Kumar K.V <aneesh.ku...@linux.vnet.ibm.com>
Applied to powerpc fixes, thanks. https://git.kernel.org/powerpc/c/f077aaf0754bcba0fffdbd925b cheers