On Fri, Dec 21, 2018 at 9:21 AM Kevin 'ldir' Darbyshire-Bryant <[email protected]> wrote: > > Backport > https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=adcc81f148d733b7e8e641300c5590a2cdc13bf3 > > "Mapping the delay slot emulation page as both writeable & executable > presents a security risk, in that if an exploit can write to & jump into > the page then it can be used as an easy way to execute arbitrary code. > > Prevent this by mapping the page read-only for userland, and using > access_process_vm() with the FOLL_FORCE flag to write to it from > mips_dsemul(). > > This will likely be less efficient due to copy_to_user_page() performing > cache maintenance on a whole page, rather than a single line as in the > previous use of flush_cache_sigtramp(). However this delay slot > emulation code ought not to be running in any performance critical paths > anyway so this isn't really a problem, and we can probably do better in > copy_to_user_page() anyway in future. > > A major advantage of this approach is that the fix is small & simple to > backport to stable kernels. > > Reported-by: Andy Lutomirski <[email protected]> > Signed-off-by: Paul Burton <[email protected]> > Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot > instructions")" > > Without patch: > > cat /proc/self/maps > 00400000-0047a000 r-xp 00000000 1f:03 1823 /bin/busybox > 00489000-0048a000 r-xp 00079000 1f:03 1823 /bin/busybox > 0048a000-0048b000 rwxp 0007a000 1f:03 1823 /bin/busybox > 77ec8000-77eed000 r-xp 00000000 1f:03 2296 /lib/libgcc_s.so.1 > 77eed000-77eee000 rwxp 00015000 1f:03 2296 /lib/libgcc_s.so.1 > 77eee000-77f81000 r-xp 00000000 1f:03 2470 /lib/libc.so > 77f90000-77f92000 rwxp 00092000 1f:03 2470 /lib/libc.so > 77f92000-77f94000 rwxp 00000000 00:00 0 > 7f946000-7f967000 rw-p 00000000 00:00 0 [stack] > 7fefb000-7fefc000 rwxp 00000000 00:00 0 > 7ffac000-7ffad000 r--p 00000000 00:00 0 [vvar] > 7ffad000-7ffae000 r-xp 00000000 00:00 0 [vdso] > > Patch applied: > > cat /proc/self/maps > 00400000-0047a000 r-xp 00000000 1f:03 1825 /bin/busybox > 00489000-0048a000 r-xp 00079000 1f:03 1825 /bin/busybox > 0048a000-0048b000 rwxp 0007a000 1f:03 1825 /bin/busybox > 77ed0000-77ef5000 r-xp 00000000 1f:03 2298 /lib/libgcc_s.so.1 > 77ef5000-77ef6000 rwxp 00015000 1f:03 2298 /lib/libgcc_s.so.1 > 77ef6000-77f89000 r-xp 00000000 1f:03 2474 /lib/libc.so > 77f98000-77f9a000 rwxp 00092000 1f:03 2474 /lib/libc.so > 77f9a000-77f9c000 rwxp 00000000 00:00 0 > 7fbed000-7fc0e000 rw-p 00000000 00:00 0 [stack] > 7fefb000-7fefc000 r-xp 00000000 00:00 0 > 7fff6000-7fff7000 r--p 00000000 00:00 0 [vvar] > 7fff7000-7fff8000 r-xp 00000000 00:00 0 [vdso] > > Note lack of write permission to 7fefb000-7fefc000 > > This has received minimal testing on ath79 4.14 Archer C7 v2 only > > Signed-off-by: Kevin Darbyshire-Bryant <[email protected]> This will make it in the stable kernels within a few releases. Might as well add in in the meantime.
> --- > ...e-protect-delay-slot-emulation-pages.patch | 119 ++++++++++++++++++ > ...e-protect-delay-slot-emulation-pages.patch | 119 ++++++++++++++++++ > ...e-protect-delay-slot-emulation-pages.patch | 119 ++++++++++++++++++ > 3 files changed, 357 insertions(+) > create mode 100644 > target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > create mode 100644 > target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > create mode 100644 > target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > > diff --git > a/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > > b/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > new file mode 100644 > index 0000000000..f428285a64 > --- /dev/null > +++ > b/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > @@ -0,0 +1,119 @@ > +From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001 > +From: Paul Burton <[email protected]> > +Date: Thu, 20 Dec 2018 17:45:43 +0000 > +Subject: MIPS: math-emu: Write-protect delay slot emulation pages > + > +Mapping the delay slot emulation page as both writeable & executable > +presents a security risk, in that if an exploit can write to & jump into > +the page then it can be used as an easy way to execute arbitrary code. > + > +Prevent this by mapping the page read-only for userland, and using > +access_process_vm() with the FOLL_FORCE flag to write to it from > +mips_dsemul(). > + > +This will likely be less efficient due to copy_to_user_page() performing > +cache maintenance on a whole page, rather than a single line as in the > +previous use of flush_cache_sigtramp(). However this delay slot > +emulation code ought not to be running in any performance critical paths > +anyway so this isn't really a problem, and we can probably do better in > +copy_to_user_page() anyway in future. > + > +A major advantage of this approach is that the fix is small & simple to > +backport to stable kernels. > + > +Reported-by: Andy Lutomirski <[email protected]> > +Signed-off-by: Paul Burton <[email protected]> > +Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot > instructions") > +Cc: [email protected] # v4.8+ > +Cc: [email protected] > +Cc: [email protected] > +Cc: Rich Felker <[email protected]> > +Cc: David Daney <[email protected]> > +--- > + arch/mips/kernel/vdso.c | 4 ++-- > + arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------ > + 2 files changed, 22 insertions(+), 20 deletions(-) > + > +--- a/arch/mips/kernel/vdso.c > ++++ b/arch/mips/kernel/vdso.c > +@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l > + > + /* Map delay slot emulation page */ > + base = mmap_region(NULL, STACK_TOP, PAGE_SIZE, > +- VM_READ|VM_WRITE|VM_EXEC| > +- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, > ++ VM_READ | VM_EXEC | > ++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC, > + 0, NULL); > + if (IS_ERR_VALUE(base)) { > + ret = base; > +--- a/arch/mips/math-emu/dsemul.c > ++++ b/arch/mips/math-emu/dsemul.c > +@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi > + { > + int isa16 = get_isa16_mode(regs->cp0_epc); > + mips_instruction break_math; > +- struct emuframe __user *fr; > +- int err, fr_idx; > ++ unsigned long fr_uaddr; > ++ struct emuframe fr; > ++ int fr_idx, ret; > + > + /* NOP is easy */ > + if (ir == 0) > +@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi > + fr_idx = alloc_emuframe(); > + if (fr_idx == BD_EMUFRAME_NONE) > + return SIGBUS; > +- fr = &dsemul_page()[fr_idx]; > + > + /* Retrieve the appropriately encoded break instruction */ > + break_math = BREAK_MATH(isa16); > + > + /* Write the instructions to the frame */ > + if (isa16) { > +- err = __put_user(ir >> 16, > +- (u16 __user *)(&fr->emul)); > +- err |= __put_user(ir & 0xffff, > +- (u16 __user *)((long)(&fr->emul) + 2)); > +- err |= __put_user(break_math >> 16, > +- (u16 __user *)(&fr->badinst)); > +- err |= __put_user(break_math & 0xffff, > +- (u16 __user *)((long)(&fr->badinst) + 2)); > ++ union mips_instruction _emul = { > ++ .halfword = { ir >> 16, ir } > ++ }; > ++ union mips_instruction _badinst = { > ++ .halfword = { break_math >> 16, break_math } > ++ }; > ++ > ++ fr.emul = _emul.word; > ++ fr.badinst = _badinst.word; > + } else { > +- err = __put_user(ir, &fr->emul); > +- err |= __put_user(break_math, &fr->badinst); > ++ fr.emul = ir; > ++ fr.badinst = break_math; > + } > + > +- if (unlikely(err)) { > ++ /* Write the frame to user memory */ > ++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx]; > ++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr), > ++ FOLL_FORCE | FOLL_WRITE); > ++ if (unlikely(ret != sizeof(fr))) { > + MIPS_FPU_EMU_INC_STATS(errors); > + free_emuframe(fr_idx, current->mm); > + return SIGBUS; > +@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi > + atomic_set(¤t->thread.bd_emu_frame, fr_idx); > + > + /* Change user register context to execute the frame */ > +- regs->cp0_epc = (unsigned long)&fr->emul | isa16; > +- > +- /* Ensure the icache observes our newly written frame */ > +- flush_cache_sigtramp((unsigned long)&fr->emul); > ++ regs->cp0_epc = fr_uaddr | isa16; > + > + return 0; > + } > diff --git > a/target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > > b/target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > new file mode 100644 > index 0000000000..f428285a64 > --- /dev/null > +++ > b/target/linux/generic/backport-4.19/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > @@ -0,0 +1,119 @@ > +From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001 > +From: Paul Burton <[email protected]> > +Date: Thu, 20 Dec 2018 17:45:43 +0000 > +Subject: MIPS: math-emu: Write-protect delay slot emulation pages > + > +Mapping the delay slot emulation page as both writeable & executable > +presents a security risk, in that if an exploit can write to & jump into > +the page then it can be used as an easy way to execute arbitrary code. > + > +Prevent this by mapping the page read-only for userland, and using > +access_process_vm() with the FOLL_FORCE flag to write to it from > +mips_dsemul(). > + > +This will likely be less efficient due to copy_to_user_page() performing > +cache maintenance on a whole page, rather than a single line as in the > +previous use of flush_cache_sigtramp(). However this delay slot > +emulation code ought not to be running in any performance critical paths > +anyway so this isn't really a problem, and we can probably do better in > +copy_to_user_page() anyway in future. > + > +A major advantage of this approach is that the fix is small & simple to > +backport to stable kernels. > + > +Reported-by: Andy Lutomirski <[email protected]> > +Signed-off-by: Paul Burton <[email protected]> > +Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot > instructions") > +Cc: [email protected] # v4.8+ > +Cc: [email protected] > +Cc: [email protected] > +Cc: Rich Felker <[email protected]> > +Cc: David Daney <[email protected]> > +--- > + arch/mips/kernel/vdso.c | 4 ++-- > + arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------ > + 2 files changed, 22 insertions(+), 20 deletions(-) > + > +--- a/arch/mips/kernel/vdso.c > ++++ b/arch/mips/kernel/vdso.c > +@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l > + > + /* Map delay slot emulation page */ > + base = mmap_region(NULL, STACK_TOP, PAGE_SIZE, > +- VM_READ|VM_WRITE|VM_EXEC| > +- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, > ++ VM_READ | VM_EXEC | > ++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC, > + 0, NULL); > + if (IS_ERR_VALUE(base)) { > + ret = base; > +--- a/arch/mips/math-emu/dsemul.c > ++++ b/arch/mips/math-emu/dsemul.c > +@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi > + { > + int isa16 = get_isa16_mode(regs->cp0_epc); > + mips_instruction break_math; > +- struct emuframe __user *fr; > +- int err, fr_idx; > ++ unsigned long fr_uaddr; > ++ struct emuframe fr; > ++ int fr_idx, ret; > + > + /* NOP is easy */ > + if (ir == 0) > +@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi > + fr_idx = alloc_emuframe(); > + if (fr_idx == BD_EMUFRAME_NONE) > + return SIGBUS; > +- fr = &dsemul_page()[fr_idx]; > + > + /* Retrieve the appropriately encoded break instruction */ > + break_math = BREAK_MATH(isa16); > + > + /* Write the instructions to the frame */ > + if (isa16) { > +- err = __put_user(ir >> 16, > +- (u16 __user *)(&fr->emul)); > +- err |= __put_user(ir & 0xffff, > +- (u16 __user *)((long)(&fr->emul) + 2)); > +- err |= __put_user(break_math >> 16, > +- (u16 __user *)(&fr->badinst)); > +- err |= __put_user(break_math & 0xffff, > +- (u16 __user *)((long)(&fr->badinst) + 2)); > ++ union mips_instruction _emul = { > ++ .halfword = { ir >> 16, ir } > ++ }; > ++ union mips_instruction _badinst = { > ++ .halfword = { break_math >> 16, break_math } > ++ }; > ++ > ++ fr.emul = _emul.word; > ++ fr.badinst = _badinst.word; > + } else { > +- err = __put_user(ir, &fr->emul); > +- err |= __put_user(break_math, &fr->badinst); > ++ fr.emul = ir; > ++ fr.badinst = break_math; > + } > + > +- if (unlikely(err)) { > ++ /* Write the frame to user memory */ > ++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx]; > ++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr), > ++ FOLL_FORCE | FOLL_WRITE); > ++ if (unlikely(ret != sizeof(fr))) { > + MIPS_FPU_EMU_INC_STATS(errors); > + free_emuframe(fr_idx, current->mm); > + return SIGBUS; > +@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi > + atomic_set(¤t->thread.bd_emu_frame, fr_idx); > + > + /* Change user register context to execute the frame */ > +- regs->cp0_epc = (unsigned long)&fr->emul | isa16; > +- > +- /* Ensure the icache observes our newly written frame */ > +- flush_cache_sigtramp((unsigned long)&fr->emul); > ++ regs->cp0_epc = fr_uaddr | isa16; > + > + return 0; > + } > diff --git > a/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > > b/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > new file mode 100644 > index 0000000000..69cc493bba > --- /dev/null > +++ > b/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch > @@ -0,0 +1,119 @@ > +From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001 > +From: Paul Burton <[email protected]> > +Date: Thu, 20 Dec 2018 17:45:43 +0000 > +Subject: MIPS: math-emu: Write-protect delay slot emulation pages > + > +Mapping the delay slot emulation page as both writeable & executable > +presents a security risk, in that if an exploit can write to & jump into > +the page then it can be used as an easy way to execute arbitrary code. > + > +Prevent this by mapping the page read-only for userland, and using > +access_process_vm() with the FOLL_FORCE flag to write to it from > +mips_dsemul(). > + > +This will likely be less efficient due to copy_to_user_page() performing > +cache maintenance on a whole page, rather than a single line as in the > +previous use of flush_cache_sigtramp(). However this delay slot > +emulation code ought not to be running in any performance critical paths > +anyway so this isn't really a problem, and we can probably do better in > +copy_to_user_page() anyway in future. > + > +A major advantage of this approach is that the fix is small & simple to > +backport to stable kernels. > + > +Reported-by: Andy Lutomirski <[email protected]> > +Signed-off-by: Paul Burton <[email protected]> > +Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot > instructions") > +Cc: [email protected] # v4.8+ > +Cc: [email protected] > +Cc: [email protected] > +Cc: Rich Felker <[email protected]> > +Cc: David Daney <[email protected]> > +--- > + arch/mips/kernel/vdso.c | 4 ++-- > + arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------ > + 2 files changed, 22 insertions(+), 20 deletions(-) > + > +--- a/arch/mips/kernel/vdso.c > ++++ b/arch/mips/kernel/vdso.c > +@@ -111,8 +111,8 @@ int arch_setup_additional_pages(struct l > + > + /* Map delay slot emulation page */ > + base = mmap_region(NULL, STACK_TOP, PAGE_SIZE, > +- VM_READ|VM_WRITE|VM_EXEC| > +- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, > ++ VM_READ | VM_EXEC | > ++ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC, > + 0); > + if (IS_ERR_VALUE(base)) { > + ret = base; > +--- a/arch/mips/math-emu/dsemul.c > ++++ b/arch/mips/math-emu/dsemul.c > +@@ -211,8 +211,9 @@ int mips_dsemul(struct pt_regs *regs, mi > + { > + int isa16 = get_isa16_mode(regs->cp0_epc); > + mips_instruction break_math; > +- struct emuframe __user *fr; > +- int err, fr_idx; > ++ unsigned long fr_uaddr; > ++ struct emuframe fr; > ++ int fr_idx, ret; > + > + /* NOP is easy */ > + if (ir == 0) > +@@ -247,27 +248,31 @@ int mips_dsemul(struct pt_regs *regs, mi > + fr_idx = alloc_emuframe(); > + if (fr_idx == BD_EMUFRAME_NONE) > + return SIGBUS; > +- fr = &dsemul_page()[fr_idx]; > + > + /* Retrieve the appropriately encoded break instruction */ > + break_math = BREAK_MATH(isa16); > + > + /* Write the instructions to the frame */ > + if (isa16) { > +- err = __put_user(ir >> 16, > +- (u16 __user *)(&fr->emul)); > +- err |= __put_user(ir & 0xffff, > +- (u16 __user *)((long)(&fr->emul) + 2)); > +- err |= __put_user(break_math >> 16, > +- (u16 __user *)(&fr->badinst)); > +- err |= __put_user(break_math & 0xffff, > +- (u16 __user *)((long)(&fr->badinst) + 2)); > ++ union mips_instruction _emul = { > ++ .halfword = { ir >> 16, ir } > ++ }; > ++ union mips_instruction _badinst = { > ++ .halfword = { break_math >> 16, break_math } > ++ }; > ++ > ++ fr.emul = _emul.word; > ++ fr.badinst = _badinst.word; > + } else { > +- err = __put_user(ir, &fr->emul); > +- err |= __put_user(break_math, &fr->badinst); > ++ fr.emul = ir; > ++ fr.badinst = break_math; > + } > + > +- if (unlikely(err)) { > ++ /* Write the frame to user memory */ > ++ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx]; > ++ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr), > ++ FOLL_FORCE | FOLL_WRITE); > ++ if (unlikely(ret != sizeof(fr))) { > + MIPS_FPU_EMU_INC_STATS(errors); > + free_emuframe(fr_idx, current->mm); > + return SIGBUS; > +@@ -279,10 +284,7 @@ int mips_dsemul(struct pt_regs *regs, mi > + atomic_set(¤t->thread.bd_emu_frame, fr_idx); > + > + /* Change user register context to execute the frame */ > +- regs->cp0_epc = (unsigned long)&fr->emul | isa16; > +- > +- /* Ensure the icache observes our newly written frame */ > +- flush_cache_sigtramp((unsigned long)&fr->emul); > ++ regs->cp0_epc = fr_uaddr | isa16; > + > + return 0; > + } > -- > 2.17.2 (Apple Git-113) > > > _______________________________________________ > openwrt-devel mailing list > [email protected] > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
