On Fri, Dec 21, 2018 at 8:05 PM Yousong Zhou <[email protected]> wrote: > > On Sat, 22 Dec 2018 at 01:21, Kevin 'ldir' Darbyshire-Bryant > <[email protected]> wrote: > > > > Backport > > https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=adcc81f148d733b7e8e641300c5590a2cdc13bf3 > > > > "Mapping the delay slot emulation page as both writeable & executable > > presents a security risk, in that if an exploit can write to & jump into > > the page then it can be used as an easy way to execute arbitrary code. > > > > Prevent this by mapping the page read-only for userland, and using > > access_process_vm() with the FOLL_FORCE flag to write to it from > > mips_dsemul(). > > > > This will likely be less efficient due to copy_to_user_page() performing > > cache maintenance on a whole page, rather than a single line as in the > > previous use of flush_cache_sigtramp(). However this delay slot > > emulation code ought not to be running in any performance critical paths > > anyway so this isn't really a problem, and we can probably do better in > > copy_to_user_page() anyway in future. > > > > A major advantage of this approach is that the fix is small & simple to > > backport to stable kernels. > > > > Reported-by: Andy Lutomirski <[email protected]> > > Signed-off-by: Paul Burton <[email protected]> > > Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot > > instructions")" > > > > Without patch: > > > > cat /proc/self/maps > > 00400000-0047a000 r-xp 00000000 1f:03 1823 /bin/busybox > > 00489000-0048a000 r-xp 00079000 1f:03 1823 /bin/busybox > > 0048a000-0048b000 rwxp 0007a000 1f:03 1823 /bin/busybox > > 77ec8000-77eed000 r-xp 00000000 1f:03 2296 /lib/libgcc_s.so.1 > > 77eed000-77eee000 rwxp 00015000 1f:03 2296 /lib/libgcc_s.so.1 > > 77eee000-77f81000 r-xp 00000000 1f:03 2470 /lib/libc.so > > 77f90000-77f92000 rwxp 00092000 1f:03 2470 /lib/libc.so > > 77f92000-77f94000 rwxp 00000000 00:00 0 > > 7f946000-7f967000 rw-p 00000000 00:00 0 [stack] > > 7fefb000-7fefc000 rwxp 00000000 00:00 0 > > 7ffac000-7ffad000 r--p 00000000 00:00 0 [vvar] > > 7ffad000-7ffae000 r-xp 00000000 00:00 0 [vdso] > > Hi, > > I must miss something. After reading another thread on mips security, > I was thinking that all segments with w and x permission set were > problematic: the same attacker can write and execute shellcode there, > right? Sorry, if the answer is too apparent ;( Right. This is a fix for one of those sections. Not all of them.
It will take quite a bit of work to fix all of them. > > Regards, > yousong > > _______________________________________________ > openwrt-devel mailing list > [email protected] > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
