From: will.deacon@arm•com (Will Deacon)
To: linux-arm-kernel@lists•infradead.org
Subject: [PATCH v2 10/10] ARM: software-based priviledged-no-access support
Date: Fri, 9 Oct 2015 11:53:09 +0100 [thread overview]
Message-ID: <20151009105309.GM26278@arm.com> (raw)
In-Reply-To: <CACRpkdZhJfsH0wU0VBotT=yomDqBkKWrz3MNFOin=CCz62v_nw@mail.gmail.com>
On Fri, Oct 09, 2015 at 10:28:14AM +0200, Linus Walleij wrote:
> On Tue, Aug 25, 2015 at 5:42 PM, Russell King
> <rmk+kernel@arm•linux.org.uk> wrote:
>
> > Provide a software-based implementation of the priviledged no access
> > support found in ARMv8.1.
> >
> > Userspace pages are mapped using a different domain number from the
> > kernel and IO mappings. If we switch the user domain to "no access"
> > when we enter the kernel, we can prevent the kernel from touching
> > userspace.
> >
> > However, the kernel needs to be able to access userspace via the
> > various user accessor functions. With the wrapping in the previous
> > patch, we can temporarily enable access when the kernel needs user
> > access, and re-disable it afterwards.
> >
> > This allows us to trap non-intended accesses to userspace, eg, caused
> > by an inadvertent dereference of the LIST_POISON* values, which, with
> > appropriate user mappings setup, can be made to succeed. This in turn
> > can allow use-after-free bugs to be further exploited than would
> > otherwise be possible.
> >
> > Signed-off-by: Russell King <rmk+kernel@arm•linux.org.uk>
>
> For some reason this patch explodes on my ARM PB11MPCore, it
> is a weird beast and corner case machine so I guess that is why
> it wasn't noticed. This happens a bit into the boot when freeing
> unused pages:
>
> Freeing unused kernel memory: 2672K (c0448000 - c06e4000)
> Unable to handle kernel paging request at virtual address b6f069f4
> pgd = c6e58000
> [b6f069f4] *pgd=76e09831, *pte=77ff759f, *ppte=77ff7e6e
> Internal error: Oops: 17 [#1] SMP ARM
> Modules linked in:
> CPU: 2 PID: 1 Comm: init Not tainted 4.3.0-rc4-00015-gf6702681a0af #48
> Hardware name: ARM-RealView PB11MPCore
> task: c7827bc0 ti: c782c000 task.ti: c782c000
> PC is at v6wbi_flush_user_tlb_range+0x28/0x48
> LR is at on_each_cpu_mask+0x58/0x60
> pc : [<c001abf0>] lr : [<c007c18c>] psr: 20000093
> sp : c782deb8 ip : 00000000 fp : 00000000
> r10: c6e5adc8 r9 : 00000001 r8 : b6f02000
> r7 : c7a17180 r6 : c782ded4 r5 : c0015118 r4 : 20000013
> r3 : 00000002 r2 : 00100075 r1 : b6f02000 r0 : b6f01002
> Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 00c5787d Table: 76e5800a DAC: 00000051
It looks like we're faulting on the TLBI instruction, because it's
targetting a userspace address (r0 == 0xb6f01002) and the DAC prohibits
access to userspace. It's weird that this only seems to happen on 11MPCore
though; if this core was one of the guys getting cross-called, then I
could understand the bug, but the lr suggests that CPU 2 is initiating
the flush, so I'd expect the same problem to appear on any ARMv6 part.
Russell, have you tried the s/w PAN stuff on any v6 CPUs?
Will
next prev parent reply other threads:[~2015-10-09 10:53 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-25 15:40 [PATCH v2 00/10] Prevent list poison values from being mapped by userspace processes Russell King - ARM Linux
2015-08-25 15:41 ` [PATCH v2 01/10] ARM: domains: switch to keeping domain value in register Russell King
2015-08-25 15:41 ` [PATCH v2 02/10] ARM: domains: provide domain_mask() Russell King
2015-08-25 15:41 ` [PATCH v2 03/10] ARM: domains: move initial domain setting value to asm/domains.h Russell King
2015-08-25 15:41 ` [PATCH v2 04/10] ARM: domains: get rid of manager mode for user domain Russell King
2015-08-25 15:41 ` [PATCH v2 05/10] ARM: domains: keep vectors in separate domain Russell King
2015-08-25 15:41 ` [PATCH v2 06/10] ARM: domains: remove DOMAIN_TABLE Russell King
2015-08-25 15:41 ` [PATCH v2 07/10] ARM: mm: improve do_ldrd_abort macro Russell King
2015-08-25 15:41 ` [PATCH v2 08/10] ARM: uaccess: provide uaccess_save_and_enable() and uaccess_restore() Russell King
2015-08-25 15:42 ` [PATCH v2 09/10] ARM: entry: provide uaccess assembly macro hooks Russell King
2015-08-25 15:42 ` [PATCH v2 10/10] ARM: software-based priviledged-no-access support Russell King
2015-08-25 16:53 ` Will Deacon
2015-08-25 17:07 ` Nicolas Schichan
2015-08-25 17:48 ` Russell King - ARM Linux
2015-08-26 13:36 ` Nicolas Schichan
2015-10-09 8:28 ` Linus Walleij
2015-10-09 10:53 ` Will Deacon [this message]
2015-10-09 11:24 ` Russell King - ARM Linux
2015-10-09 12:32 ` Will Deacon
2015-10-12 7:51 ` Linus Walleij
2015-10-23 8:05 ` Linus Walleij
2015-10-23 8:46 ` Russell King - ARM Linux
2015-10-27 17:11 ` Will Deacon
2015-08-25 16:37 ` [PATCH v2 11/10] ARM: fix swp-emulate Russell King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151009105309.GM26278@arm.com \
--to=will.deacon@arm$(echo .)com \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox