62452b3511
commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.
Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().
This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.
A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.
Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| cp1emu.c | ||
| dp_2008class.c | ||
| dp_add.c | ||
| dp_cmp.c | ||
| dp_div.c | ||
| dp_fint.c | ||
| dp_flong.c | ||
| dp_fmax.c | ||
| dp_fmin.c | ||
| dp_fsp.c | ||
| dp_maddf.c | ||
| dp_mul.c | ||
| dp_rint.c | ||
| dp_simple.c | ||
| dp_sqrt.c | ||
| dp_sub.c | ||
| dp_tint.c | ||
| dp_tlong.c | ||
| dsemul.c | ||
| ieee754.c | ||
| ieee754.h | ||
| ieee754d.c | ||
| ieee754dp.c | ||
| ieee754dp.h | ||
| ieee754int.h | ||
| ieee754sp.c | ||
| ieee754sp.h | ||
| Makefile | ||
| me-debugfs.c | ||
| sp_2008class.c | ||
| sp_add.c | ||
| sp_cmp.c | ||
| sp_div.c | ||
| sp_fdp.c | ||
| sp_fint.c | ||
| sp_flong.c | ||
| sp_fmax.c | ||
| sp_fmin.c | ||
| sp_maddf.c | ||
| sp_mul.c | ||
| sp_rint.c | ||
| sp_simple.c | ||
| sp_sqrt.c | ||
| sp_sub.c | ||
| sp_tint.c | ||
| sp_tlong.c | ||