From patchwork Thu Nov 2 16:12:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 117829 Delivered-To: patch@linaro.org Received: by 10.80.245.45 with SMTP id t42csp2264899edm; Thu, 2 Nov 2017 09:12:17 -0700 (PDT) X-Google-Smtp-Source: ABhQp+TvN5gg2DUgbEhw5ZNHVcE6vNq+QN5RTlR3QFrsqhvcFxHp6yXsTxjZSooZgJlVoKh76Mzh X-Received: by 10.99.112.66 with SMTP id a2mr4030878pgn.157.1509639136907; Thu, 02 Nov 2017 09:12:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509639136; cv=none; d=google.com; s=arc-20160816; b=A71MZT/kf0Vrw9TGI+gu+GverYvuFa1BH+mls3+CrzQ6VOPeX4M6p/6V/Pr/SykQjH l9G1g8LLa4u0nYC1sUm6ue9QQIsFbK+6JjQQenlpGTDo8uSI2CJdLvulyLmHLLftoh+z x0BlpeTuATt+RpOlRPT6gQv81AgYXBsLG+6rnUR5k0O5HozmatQnElR9Azgy5c6sMcCH 5fpN1CQnunWYrnsH/OMvQlspo9lqG7vY9S9BOSl5gWGutHWj7tj1qgbhT4kkZGboqP7e IVc3IhptnQSSOFE2D6ltvQAJqiMVtsD27w9uSTqcIcxHEnuCmBVCNaBqiElM0XMOcBLC eXuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :arc-authentication-results; bh=3ZxPRtBeLdMLO4yiViJXIriv9Gl4Sgsu18b731rIoU4=; b=ukrv5uzwhwBkYgeKBskCxqkoREkVeVaHIUqZf6dr3Re7Gl72G1AoiFiGKZ/OjxkJwS OTEgLuPSjDB7zkkdxYhbUGjUZhIiUghaBz20kh6nSkpuRtlOBPc5YK4UUpVoLP9TOScf izpPj+oaUPxevi/46woTvvmgMLkFZEivCGkcW5TuvsmwaEZJ+lzg8/uA0uNqmh/0rNee LRx/cuUW3XLH1WToUCDNbwyewtUqfmKvNUksUBGKP98SNw+zqGfw8K+Z2BjuFasISdjO x3ubeN1S0pHX2fs5scutNMuiEwgOPJ7VYzVp9BaWNrI2yXXPRQTW81VQ8GhQp3q4mC7V kmqg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si2664033ply.41.2017.11.02.09.12.16; Thu, 02 Nov 2017 09:12:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933989AbdKBQMP (ORCPT + 9 others); Thu, 2 Nov 2017 12:12:15 -0400 Received: from foss.arm.com ([217.140.101.70]:33856 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932833AbdKBQMP (ORCPT ); Thu, 2 Nov 2017 12:12:15 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 31E201435; Thu, 2 Nov 2017 09:12:15 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 1935C3F3E1; Thu, 2 Nov 2017 09:12:13 -0700 (PDT) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: Mark Rutland , Catalin Marinas , Will Deacon , stable@vger.kernel.org Subject: [PATCH] arm64: ensure __dump_instr() checks addr_limit Date: Thu, 2 Nov 2017 16:12:03 +0000 Message-Id: <20171102161203.4704-1-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address. Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory. Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases. Signed-off-by: Mark Rutland Fixes: 60ffc30d5652810d ("arm64: Exception handling") Cc: Catalin Marinas Cc: Will Deacon Cc: stable@vger.kernel.org --- arch/arm64/kernel/traps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.11.0 Acked-by: Will Deacon diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c index 5ea4b85aee0e..8383af15a759 100644 --- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -118,7 +118,7 @@ static void __dump_instr(const char *lvl, struct pt_regs *regs) for (i = -4; i < 1; i++) { unsigned int val, bad; - bad = __get_user(val, &((u32 *)addr)[i]); + bad = get_user(val, &((u32 *)addr)[i]); if (!bad) p += sprintf(p, i == 0 ? "(%08x) " : "%08x ", val);