--- /dev/null
+From 342db04ae71273322f0011384a9ed414df8bdae4 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 28 Aug 2018 17:49:01 +0200
+Subject: x86/dumpstack: Don't dump kernel memory based on usermode RIP
+
+From: Jann Horn <jannh@google.com>
+
+commit 342db04ae71273322f0011384a9ed414df8bdae4 upstream.
+
+show_opcodes() is used both for dumping kernel instructions and for dumping
+user instructions. If userspace causes #PF by jumping to a kernel address,
+show_opcodes() can be reached with regs->ip controlled by the user,
+pointing to kernel code. Make sure that userspace can't trick us into
+dumping kernel memory into dmesg.
+
+Fixes: 7cccf0725cf7 ("x86/dumpstack: Add a show_ip() function")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Borislav Petkov <bp@suse.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: security@kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180828154901.112726-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ arch/x86/include/asm/stacktrace.h | 2 +-
+ arch/x86/kernel/dumpstack.c | 21 +++++++++++++++------
+ arch/x86/mm/fault.c | 2 +-
+ 3 files changed, 17 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/include/asm/stacktrace.h
++++ b/arch/x86/include/asm/stacktrace.h
+@@ -111,6 +111,6 @@ static inline unsigned long caller_frame
+ return (unsigned long)frame;
+ }
+
+-void show_opcodes(u8 *rip, const char *loglvl);
++void show_opcodes(struct pt_regs *regs, const char *loglvl);
+ void show_ip(struct pt_regs *regs, const char *loglvl);
+ #endif /* _ASM_X86_STACKTRACE_H */
+--- a/arch/x86/kernel/dumpstack.c
++++ b/arch/x86/kernel/dumpstack.c
+@@ -92,23 +92,32 @@ static void printk_stack_address(unsigne
+ * Thus, the 2/3rds prologue and 64 byte OPCODE_BUFSIZE is just a random
+ * guesstimate in attempt to achieve all of the above.
+ */
+-void show_opcodes(u8 *rip, const char *loglvl)
++void show_opcodes(struct pt_regs *regs, const char *loglvl)
+ {
+ unsigned int code_prologue = OPCODE_BUFSIZE * 2 / 3;
+ u8 opcodes[OPCODE_BUFSIZE];
+- u8 *ip;
++ unsigned long ip;
+ int i;
++ bool bad_ip;
+
+ printk("%sCode: ", loglvl);
+
+- ip = (u8 *)rip - code_prologue;
+- if (probe_kernel_read(opcodes, ip, OPCODE_BUFSIZE)) {
++ ip = regs->ip - code_prologue;
++
++ /*
++ * Make sure userspace isn't trying to trick us into dumping kernel
++ * memory by pointing the userspace instruction pointer at it.
++ */
++ bad_ip = user_mode(regs) &&
++ __chk_range_not_ok(ip, OPCODE_BUFSIZE, TASK_SIZE_MAX);
++
++ if (bad_ip || probe_kernel_read(opcodes, (u8 *)ip, OPCODE_BUFSIZE)) {
+ pr_cont("Bad RIP value.\n");
+ return;
+ }
+
+ for (i = 0; i < OPCODE_BUFSIZE; i++, ip++) {
+- if (ip == rip)
++ if (ip == regs->ip)
+ pr_cont("<%02x> ", opcodes[i]);
+ else
+ pr_cont("%02x ", opcodes[i]);
+@@ -123,7 +132,7 @@ void show_ip(struct pt_regs *regs, const
+ #else
+ printk("%sRIP: %04x:%pS\n", loglvl, (int)regs->cs, (void *)regs->ip);
+ #endif
+- show_opcodes((u8 *)regs->ip, loglvl);
++ show_opcodes(regs, loglvl);
+ }
+
+ void show_iret_regs(struct pt_regs *regs)
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -838,7 +838,7 @@ show_signal_msg(struct pt_regs *regs, un
+
+ printk(KERN_CONT "\n");
+
+- show_opcodes((u8 *)regs->ip, loglvl);
++ show_opcodes(regs, loglvl);
+ }
+
+ static void
projects / thirdparty / kernel / stable-queue.git / commitdiff
