• Paul Burton's avatar
    MIPS: math-emu: Write-protect delay slot emulation pages · adcc81f1
    Paul Burton authored
    Mapping the delay slot emulation page as both writeable & executable
    presents a security risk, in that if an exploit can write to & jump into
    the page then it can be used as an easy way to execute arbitrary code.
    
    Prevent this by mapping the page read-only for userland, and using
    access_process_vm() with the FOLL_FORCE flag to write to it from
    mips_dsemul().
    
    This will likely be less efficient due to copy_to_user_page() performing
    cache maintenance on a whole page, rather than a single line as in the
    previous use of flush_cache_sigtramp(). However this delay slot
    emulation code ought not to be running in any performance critical paths
    anyway so this isn't really a problem, and we can probably do better in
    copy_to_user_page() anyway in future.
    
    A major advantage of this approach is that the fix is small & simple to
    backport to stable kernels.
    Reported-by: default avatarAndy Lutomirski <luto@kernel.org>
    Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
    Fixes: 432c6bac ("MIPS: Use per-mm page to execute branch delay slot instructions")
    Cc: stable@vger.kernel.org # v4.8+
    Cc: linux-mips@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Cc: Rich Felker <dalias@libc.org>
    Cc: David Daney <david.daney@cavium.com>
    adcc81f1
vdso.c 5.55 KB