Backport https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=adcc81f148d733b7e8e641300c5590a2cdc13bf3
"Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.
Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().
This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.
A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.
Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")"
Without patch:
cat /proc/self/maps
00400000-0047a000 r-xp 00000000 1f:03 1823 /bin/busybox
00489000-0048a000 r-xp 00079000 1f:03 1823 /bin/busybox
0048a000-0048b000 rwxp 0007a000 1f:03 1823 /bin/busybox
77ec8000-77eed000 r-xp 00000000 1f:03 2296 /lib/libgcc_s.so.1
77eed000-77eee000 rwxp 00015000 1f:03 2296 /lib/libgcc_s.so.1
77eee000-77f81000 r-xp 00000000 1f:03 2470 /lib/libc.so
77f90000-77f92000 rwxp 00092000 1f:03 2470 /lib/libc.so
77f92000-77f94000 rwxp 00000000 00:00 0
7f946000-7f967000 rw-p 00000000 00:00 0 [stack]
7fefb000-7fefc000 rwxp 00000000 00:00 0
7ffac000-7ffad000 r--p 00000000 00:00 0 [vvar]
7ffad000-7ffae000 r-xp 00000000 00:00 0 [vdso]
Patch applied:
cat /proc/self/maps
00400000-0047a000 r-xp 00000000 1f:03 1825 /bin/busybox
00489000-0048a000 r-xp 00079000 1f:03 1825 /bin/busybox
0048a000-0048b000 rwxp 0007a000 1f:03 1825 /bin/busybox
77ed0000-77ef5000 r-xp 00000000 1f:03 2298 /lib/libgcc_s.so.1
77ef5000-77ef6000 rwxp 00015000 1f:03 2298 /lib/libgcc_s.so.1
77ef6000-77f89000 r-xp 00000000 1f:03 2474 /lib/libc.so
77f98000-77f9a000 rwxp 00092000 1f:03 2474 /lib/libc.so
77f9a000-77f9c000 rwxp 00000000 00:00 0
7fbed000-7fc0e000 rw-p 00000000 00:00 0 [stack]
7fefb000-7fefc000 r-xp 00000000 00:00 0
7fff6000-7fff7000 r--p 00000000 00:00 0 [vvar]
7fff7000-7fff8000 r-xp 00000000 00:00 0 [vdso]
Note lack of write permission to 7fefb000-7fefc000
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
8f4841462c