From a1446fd2d762d2d8278943cb547d18e0286ba1c1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 7 Jan 2020 13:58:16 +0100
Subject: [PATCH] 4.14-stable patches
added patches:
arm64-revert-support-for-execute-only-user-mappings.patch
---
...pport-for-execute-only-user-mappings.patch | 116 ++++++++++++++++++
queue-4.14/series | 1 +
2 files changed, 117 insertions(+)
create mode 100644 queue-4.14/arm64-revert-support-for-execute-only-user-mappings.patch
diff --git a/queue-4.14/arm64-revert-support-for-execute-only-user-mappings.patch b/queue-4.14/arm64-revert-support-for-execute-only-user-mappings.patch
new file mode 100644
index 00000000000..b6e79ecff0a
--- /dev/null
+++ b/queue-4.14/arm64-revert-support-for-execute-only-user-mappings.patch
@@ -0,0 +1,116 @@
+From 24cecc37746393432d994c0dbc251fb9ac7c5d72 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas
+Date: Mon, 6 Jan 2020 14:35:39 +0000
+Subject: arm64: Revert support for execute-only user mappings
+
+From: Catalin Marinas
+
+commit 24cecc37746393432d994c0dbc251fb9ac7c5d72 upstream.
+
+The ARMv8 64-bit architecture supports execute-only user permissions by
+clearing the PTE_USER and PTE_UXN bits, practically making it a mostly
+privileged mapping but from which user running at EL0 can still execute.
+
+The downside, however, is that the kernel at EL1 inadvertently reading
+such mapping would not trip over the PAN (privileged access never)
+protection.
+
+Revert the relevant bits from commit cab15ce604e5 ("arm64: Introduce
+execute-only page access permissions") so that PROT_EXEC implies
+PROT_READ (and therefore PTE_USER) until the architecture gains proper
+support for execute-only user mappings.
+
+Fixes: cab15ce604e5 ("arm64: Introduce execute-only page access permissions")
+Cc: # 4.9.x-
+Acked-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/arm64/include/asm/pgtable-prot.h | 5 ++---
+ arch/arm64/include/asm/pgtable.h | 10 +++-------
+ arch/arm64/mm/fault.c | 2 +-
+ mm/mmap.c | 6 ------
+ 4 files changed, 6 insertions(+), 17 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -76,13 +76,12 @@
+ #define PAGE_SHARED_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_WRITE)
+ #define PAGE_READONLY __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN | PTE_UXN)
+ #define PAGE_READONLY_EXEC __pgprot(_PAGE_DEFAULT | PTE_USER | PTE_RDONLY | PTE_NG | PTE_PXN)
+-#define PAGE_EXECONLY __pgprot(_PAGE_DEFAULT | PTE_RDONLY | PTE_NG | PTE_PXN)
+
+ #define __P000 PAGE_NONE
+ #define __P001 PAGE_READONLY
+ #define __P010 PAGE_READONLY
+ #define __P011 PAGE_READONLY
+-#define __P100 PAGE_EXECONLY
++#define __P100 PAGE_READONLY_EXEC
+ #define __P101 PAGE_READONLY_EXEC
+ #define __P110 PAGE_READONLY_EXEC
+ #define __P111 PAGE_READONLY_EXEC
+@@ -91,7 +90,7 @@
+ #define __S001 PAGE_READONLY
+ #define __S010 PAGE_SHARED
+ #define __S011 PAGE_SHARED
+-#define __S100 PAGE_EXECONLY
++#define __S100 PAGE_READONLY_EXEC
+ #define __S101 PAGE_READONLY_EXEC
+ #define __S110 PAGE_SHARED_EXEC
+ #define __S111 PAGE_SHARED_EXEC
+--- a/arch/arm64/include/asm/pgtable.h
++++ b/arch/arm64/include/asm/pgtable.h
+@@ -90,12 +90,8 @@ extern unsigned long empty_zero_page[PAG
+ #define pte_dirty(pte) (pte_sw_dirty(pte) || pte_hw_dirty(pte))
+
+ #define pte_valid(pte) (!!(pte_val(pte) & PTE_VALID))
+-/*
+- * Execute-only user mappings do not have the PTE_USER bit set. All valid
+- * kernel mappings have the PTE_UXN bit set.
+- */
+ #define pte_valid_not_user(pte) \
+- ((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN))
++ ((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID)
+ #define pte_valid_young(pte) \
+ ((pte_val(pte) & (PTE_VALID | PTE_AF)) == (PTE_VALID | PTE_AF))
+ #define pte_valid_user(pte) \
+@@ -111,8 +107,8 @@ extern unsigned long empty_zero_page[PAG
+
+ /*
+ * p??_access_permitted() is true for valid user mappings (subject to the
+- * write permission check) other than user execute-only which do not have the
+- * PTE_USER bit set. PROT_NONE mappings do not have the PTE_VALID bit set.
++ * write permission check). PROT_NONE mappings do not have the PTE_VALID bit
++ * set.
+ */
+ #define pte_access_permitted(pte, write) \
+ (pte_valid_user(pte) && (!(write) || pte_write(pte)))
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -400,7 +400,7 @@ static int __kprobes do_page_fault(unsig
+ struct task_struct *tsk;
+ struct mm_struct *mm;
+ int fault, sig, code, major = 0;
+- unsigned long vm_flags = VM_READ | VM_WRITE;
++ unsigned long vm_flags = VM_READ | VM_WRITE | VM_EXEC;
+ unsigned int mm_flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
+
+ if (notify_page_fault(regs, esr))
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -89,12 +89,6 @@ static void unmap_region(struct mm_struc
+ * MAP_PRIVATE r: (no) no r: (yes) yes r: (no) yes r: (no) yes
+ * w: (no) no w: (no) no w: (copy) copy w: (no) no
+ * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
+- *
+- * On arm64, PROT_EXEC has the following behaviour for both MAP_SHARED and
+- * MAP_PRIVATE:
+- * r: (no) no
+- * w: (no) no
+- * x: (yes) yes
+ */
+ pgprot_t protection_map[16] __ro_after_init = {
+ __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
diff --git a/queue-4.14/series b/queue-4.14/series
index 1f0e26c14c3..be921c4d792 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -42,3 +42,4 @@ alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
 alsa-firewire-motu-correct-a-typo-in-the-clock-proc-string.patch
 exit-panic-before-exit_mm-on-global-init-exit.patch
 ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
+arm64-revert-support-for-execute-only-user-mappings.patch
-- 
2.47.3
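Review bot: The queued patch's mm/mmap.c hunk deletes the only comment describing arm64 PROT_EXEC behaviour, and its pgtable-prot.h hunks then point `__P100` and `__S100` at `PAGE_READONLY_EXEC` with nothing in the code recording why. A caller that requests PROT_EXEC alone now gets a readable mapping with no error, so anything that relied on execute-only pages to keep text unreadable loses that property silently; per the commit message this is the intended trade-off, but it should be stated next to the definitions. I would add above `#define __P100` a comment such as `/* PROT_EXEC implies PROT_READ: an execute-only PTE has no PTE_USER, so a kernel read of it at EL1 would not trip PAN. */`. The protection_map comment table in mm/mmap.c starts outside the hunk, so a matching note there cannot be placed from this view.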