From patchwork Thu Nov 2 16:34:52 2017
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 117830
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: Mark Rutland, Russell King, stable@vger.kernel.org
Subject: [PATCH] arm: ensure dump_instr() checks addr_limit
Date: Thu, 2 Nov 2017 16:34:52 +0000
Message-Id: <20171102163452.7652-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: stable@vger.kernel.org

Signed-off-by: Mark Rutland When CONFIG_DEBUG_USER is enabled, it's possible for a user to deliberately trigger dump_instr() with a chosen kernel address. Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory. So that we can use the same code to dump user instructions and kernel instructions, the common dumping code is factored out to __dump_instr(), with the fs manipulated appropriately in dump_instr() around calls to this. Signed-off-by: Mark Rutland Cc: Russell King Cc: stable@vger.kernel.org --- arch/arm/kernel/traps.c | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) -- 2.11.0 diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c index 948c648fea00..0fcd82f01388 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -154,30 +154,26 @@ static void dump_mem(const char *lvl, const char *str, unsigned long bottom, set_fs(fs); } -static void dump_instr(const char *lvl, struct pt_regs *regs) +static void __dump_instr(const char *lvl, struct pt_regs *regs) { unsigned long addr = instruction_pointer(regs); const int thumb = thumb_mode(regs); const int width = thumb ? 4 : 8; - mm_segment_t fs; char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; int i; /* - * We need to switch to kernel mode so that we can use __get_user - * to safely read from kernel space. Note that we now dump the - * code first, just in case the backtrace kills us. + * Note that we now dump the code first, just in case the backtrace + * kills us. */ - fs = get_fs(); - set_fs(KERNEL_DS); for (i = -4; i < 1 + !!thumb; i++) { unsigned int val, bad; if (thumb) - bad = __get_user(val, &((u16 *)addr)[i]); + bad = get_user(val, &((u16 *)addr)[i]); else - bad = __get_user(val, &((u32 *)addr)[i]); + bad = get_user(val, &((u32 *)addr)[i]); if (!bad) p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ", 
@@ -188,8 +184,20 @@ static void dump_instr(const char *lvl, struct pt_regs *regs) } } printk("%sCode: %s\n", lvl, str); +} - set_fs(fs); +static void dump_instr(const char *lvl, struct pt_regs *regs) +{ + mm_segment_t fs; + + if (!user_mode(regs)) { + fs = get_fs(); + set_fs(KERNEL_DS); + __dump_instr(lvl, regs); + set_fs(fs); + } else { + __dump_instr(lvl, regs); + } } #ifdef CONFIG_ARM_UNWIND
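
Review bot: In the first hunk, the trimmed comment above the loop in __dump_instr() no longer mentions addr_limit, yet the function now depends on it: with get_user() in place of __get_user(), a kernel address is only readable if the caller has already done set_fs(KERNEL_DS). Please add a sentence to that comment (or a short comment above __dump_instr()) saying that the caller must set the address limit to match the mode in regs and that the function is meant to be reached through dump_instr() only, so a future direct caller does not silently get an empty or "bad PC value" dump for kernel faults.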
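
Review bot: In the new dump_instr() wrapper in the second hunk, the else branch calls __dump_instr() without touching fs, so the user-mode case is only protected if the address limit in force at that point is already the user limit. Nothing in the visible code sets or checks that; either state the assumption in a comment on the else branch or save the current value, set_fs(USER_DS) and restore it around the call, mirroring the kernel branch. As a minor style point, fs is only used inside the !user_mode(regs) block and could be declared there.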