diff options
| author | Nicholas Piggin <npiggin@gmail.com> | 2020-04-07 14:12:45 +1000 |
|---|---|---|
| committer | Michael Ellerman <mpe@ellerman.id.au> | 2020-04-30 20:21:44 +1000 |
| commit | d02f6b7dab8228487268298ea1f21081c0b4b3eb (patch) | |
| tree | b5442b7075d809bf030795350e967a6c67ae1f86 /arch/powerpc/kernel | |
| parent | 8f3d9f354286745c751374f5f1fcafee6b3f3136 (diff) | |
| download | linux-stable-d02f6b7dab8228487268298ea1f21081c0b4b3eb.tar.gz linux-stable-d02f6b7dab8228487268298ea1f21081c0b4b3eb.tar.bz2 linux-stable-d02f6b7dab8228487268298ea1f21081c0b4b3eb.zip | |
powerpc/uaccess: Evaluate macro arguments once, before user access is allowed
get/put_user() can be called with nontrivial arguments. fs/proc/page.c
has a good example:
if (put_user(stable_page_flags(ppage), out)) {
stable_page_flags() is quite a lot of code, including spin locks in
the page allocator.
Ensure these arguments are evaluated before user access is allowed.
This improves security by reducing code with access to userspace, but
it also fixes a PREEMPT bug with KUAP on powerpc/64s:
stable_page_flags() is currently called with AMR set to allow writes,
it ends up calling spin_unlock(), which can call preempt_schedule. But
the task switch code can not be called with AMR set (it relies on
interrupts saving the register), so this blows up.
It's fine if the code inside allow_user_access() is preemptible,
because a timer or IPI will save the AMR, but it's not okay to
explicitly cause a reschedule.
Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200407041245.600651-1-npiggin@gmail.com
Diffstat (limited to 'arch/powerpc/kernel')
0 files changed, 0 insertions, 0 deletions