From: Greg Kroah-Hartman Date: Wed, 15 Apr 2020 13:20:53 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.19.116~39 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=67fae86d0976a0e056a2c88ed34ea5c9ff5f55ec;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch --- diff --git a/queue-4.9/powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch b/queue-4.9/powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch new file mode 100644 index 00000000000..a79dafe4505 --- /dev/null +++ b/queue-4.9/powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch 
@@ -0,0 +1,64 @@ +From c7def7fbdeaa25feaa19caf4a27c5d10bd8789e4 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 31 Mar 2020 22:47:19 +1100 +Subject: powerpc/64/tm: Don't let userspace set regs->trap via sigreturn + +From: Michael Ellerman + +commit c7def7fbdeaa25feaa19caf4a27c5d10bd8789e4 upstream. + +In restore_tm_sigcontexts() we take the trap value directly from the +user sigcontext with no checking: + + err |= __get_user(regs->trap, &sc->gp_regs[PT_TRAP]); + +This means we can be in the kernel with an arbitrary regs->trap value. + +Although that's not immediately problematic, there is a risk we could +trigger one of the uses of CHECK_FULL_REGS(): + + #define CHECK_FULL_REGS(regs) BUG_ON(regs->trap & 1) + +It can also cause us to unnecessarily save non-volatile GPRs again in +save_nvgprs(), which shouldn't be problematic but is still wrong. + +It's also possible it could trick the syscall restart machinery, which +relies on regs->trap not being == 0xc00 (see 9a81c16b5275 ("powerpc: +fix double syscall restarts")), though I haven't been able to make +that happen. + +Finally it doesn't match the behaviour of the non-TM case, in +restore_sigcontext() which zeroes regs->trap. + +So change restore_tm_sigcontexts() to zero regs->trap. + +This was discovered while testing Nick's upcoming rewrite of the +syscall entry path. In that series the call to save_nvgprs() prior to +signal handling (do_notify_resume()) is removed, which leaves the +low-bit of regs->trap uncleared which can then trigger the FULL_REGS() +WARNs in setup_tm_sigcontexts(). 
+ +Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") +Cc: stable@vger.kernel.org # v3.9+ +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200401023836.3286664-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/signal_64.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -469,8 +469,10 @@ static long restore_tm_sigcontexts(struc + err |= __get_user(tsk->thread.ckpt_regs.ccr, + &sc->gp_regs[PT_CCR]); + ++ /* Don't allow userspace to set the trap value */ ++ regs->trap = 0; ++ + /* These regs are not checkpointed; they can go in 'regs'. */ +- err |= __get_user(regs->trap, &sc->gp_regs[PT_TRAP]); + err |= __get_user(regs->dar, &sc->gp_regs[PT_DAR]); + err |= __get_user(regs->dsisr, &sc->gp_regs[PT_DSISR]); + err |= __get_user(regs->result, &sc->gp_regs[PT_RESULT]); diff --git a/queue-4.9/series b/queue-4.9/series index ff4794b9b2d..4f66f700d81 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -55,3 +55,4 @@ kmod-make-request_module-return-an-error-when-autoloading-is-disabled.patch cpufreq-powernv-fix-use-after-free.patch hfsplus-fix-crash-and-filesystem-corruption-when-deleting-files.patch libata-return-correct-status-in-sata_pmp_eh_recover_pm-when-ata_dflag_detach-is-set.patch +powerpc-64-tm-don-t-let-userspace-set-regs-trap-via-sigreturn.patch
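Review bot: in the restore_tm_sigcontexts() hunk the added `regs->trap = 0;` sits above the comment "These regs are not checkpointed; they can go in 'regs'.", which used to introduce the removed `__get_user(regs->trap, ...)` line, so that comment now reads as if it describes the zeroing; placing the two added lines after the comment, beside the remaining dar/dsisr/result loads, keeps the comment attached to the loads it describes. The one-line comment "Don't allow userspace to set the trap value" would also be more useful to a later reader if it carried the reason given in the commit message, for example `/* Don't allow userspace to set the trap value: it feeds CHECK_FULL_REGS() and the 0xc00 syscall-restart check */`, since the risk being closed is that a user-chosen regs->trap can reach `BUG_ON(regs->trap & 1)` or confuse syscall restart. The fix itself is correct and consistent with the non-TM path, restore_sigcontext(), which the message states already zeroes regs->trap; because the store is unconditional, the kernel no longer holds a user-supplied trap value even when an earlier __get_user() has already set err and the caller is about to fail the sigreturn.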