[PATCH 1/2] x86, mpx: do proper get_user() when running 32-bit binaries on 64-bit

From: Dave Hansen
Date: Wed Nov 11 2015 - 13:20:13 EST

Next message: Liviu.Dudau@xxxxxxx: "Re: PCIe host controller behind IOMMU on ARM"
Previous message: Dave Hansen: "[PATCH 2/2] x86, mpx: fix 32-bit address space calculation"
In reply to: tip-bot for Dave Hansen: "[tip:x86/urgent] x86/mpx: Fix 32-bit address space calculation"
Next in thread: tip-bot for Dave Hansen: "[tip:x86/urgent] x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

When you call get_user(foo, bar), you effectively do a

copy_from_user(&foo, bar, sizeof(*bar));

Note that the sizeof() is implicit.

When we reach out to userspace to try to zap an entire "bounds table"
we need to go read a "bounds directory entry" in order to locate the
table's address. The size of a "directory entry" depends on the
binary being run and is always the size of a pointer.

But, when we have a 64-bit kernel and a 32-bit application, the
directory entry is still only 32-bits long, but we fetch it with a
64-bit pointer which makes get_user() does a 64-bit fetch. Reading
4 extra bytes isn't harmful, unless we are at the end of and run off
the table. It might also cause the zero page to get faulted in
unnecessarily even if you are not at the end.

Fix it up by doing a special 32-bit get_user() via a cast when we
have 32-bit userspace.

Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
---

b/arch/x86/mm/mpx.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)

diff -puN arch/x86/mm/mpx.c~get_bd_entry arch/x86/mm/mpx.c
--- a/arch/x86/mm/mpx.c~get_bd_entry 2015-11-11 10:18:49.615230106 -0800
+++ b/arch/x86/mm/mpx.c 2015-11-11 10:18:49.619230288 -0800
@@ -586,6 +586,29 @@ static unsigned long mpx_bd_entry_to_bt_
}

/*
+ * We only want to do a 4-byte get_user() on 32-bit. Otherwise,
+ * we might run off the end of the bounds table if we are on
+ * a 64-bit kernel and try to get 8 bytes.
+ */
+int get_user_bd_entry(struct mm_struct *mm, unsigned long *bd_entry_ret,
+ long __user *bd_entry_ptr)
+{
+ u32 bd_entry_32;
+ int ret;
+
+ if (is_64bit_mm(mm))
+ return get_user(*bd_entry_ret, bd_entry_ptr);
+
+ /*
+ * Note that get_user() uses the type of the *pointer* to
+ * establish the size of the get, not the destination.
+ */
+ ret = get_user(bd_entry_32, (u32 __user *)bd_entry_ptr);
+ *bd_entry_ret = bd_entry_32;
+ return ret;
+}
+
+/*
* Get the base of bounds tables pointed by specific bounds
* directory entry.
*/
@@ -605,7 +628,7 @@ static int get_bt_addr(struct mm_struct
int need_write = 0;

pagefault_disable();
- ret = get_user(bd_entry, bd_entry_ptr);
+ ret = get_user_bd_entry(mm, &bd_entry, bd_entry_ptr);
pagefault_enable();
if (!ret)
break;
_
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Liviu.Dudau@xxxxxxx: "Re: PCIe host controller behind IOMMU on ARM"
Previous message: Dave Hansen: "[PATCH 2/2] x86, mpx: fix 32-bit address space calculation"
In reply to: tip-bot for Dave Hansen: "[tip:x86/urgent] x86/mpx: Fix 32-bit address space calculation"
Next in thread: tip-bot for Dave Hansen: "[tip:x86/urgent] x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]