    arm64: signal: Verify extra data is user-readable in sys_rt_sigreturn · abf73988
    Dave Martin authored
    Currently sys_rt_sigreturn() verifies that the base sigframe is
    readable, but no similar check is performed on the extra data to
    which an extra_context record points.
    
    This matters because the extra data will be read with the
    unprotected user accessors.  However, this is not a problem at
    present because the extra data base address is required to be
    exactly at the end of the base sigframe.  So, there would need to
    be a non-user-readable kernel address within about 59K
    (SIGFRAME_MAXSZ - sizeof(struct rt_sigframe)) of some address for
    which access_ok(VERIFY_READ) returns true, in order for sigreturn
    to be able to read kernel memory that should be inaccessible to the
    user task.  This is currently impossible due to the untranslatable
    address hole between the TTBR0 and TTBR1 address ranges.
    
    Disappearance of the hole between the TTBR0 and TTBR1 mapping
    ranges would require the VA size for TTBR0 and TTBR1 to grow to at
    least 55 bits, and either the disabling of tagged pointers for
    userspace or enabling of tagged pointers for kernel space; none of
    which is currently envisaged.
    
    Even so, it is wrong to use the unprotected user accessors without
    an accompanying access_ok() check.
    
    To avoid the potential for future surprises, this patch does an
    explicit access_ok() check on the extra data space when parsing an
    extra_context record.
    
    Fixes: 33f08261 ("arm64: signal: Allow expansion of the signal frame")
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Dave Martin <Dave.Martin@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
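As an added illustration, not part of this commit or of the kernel's signal.c: a small user-space C model of the reasoning in the message above, showing why a range check on the base frame alone does not cover the extra data, and what an overflow-safe access_ok()-style check on the extra range looks like. USER_ADDR_LIMIT, SIGFRAME_MAXSZ_MODEL, range_is_user_readable(), struct extra_context_model and parse_extra_context() are constructed stand-ins for the kernel's TASK_SIZE, SIGFRAME_MAXSZ, access_ok(), extra_context record and parser; the values and layout are assumptions chosen for the demonstration, not the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the top of the user address range (TASK_SIZE). */
#define USER_ADDR_LIMIT ((uintptr_t)1 << 47)
/* Constructed stand-in for SIGFRAME_MAXSZ: total bound on base frame + extra. */
#define SIGFRAME_MAXSZ_MODEL ((size_t)64 * 1024)

/* Overflow-safe model of access_ok(): true only if every byte of
 * [addr, addr + size) lies below USER_ADDR_LIMIT. A wrapped end address
 * is rejected rather than being allowed to pass a naive end <= limit test. */
static bool range_is_user_readable(uintptr_t addr, size_t size)
{
    uintptr_t end;
    if (__builtin_add_overflow(addr, size, &end))
        return false;           /* addr + size wrapped around */
    return end <= USER_ADDR_LIMIT;
}

/* Model of an extra_context record: where the extra data starts and how big it is. */
struct extra_context_model {
    uintptr_t datap;            /* start of the extra data */
    uint32_t  size;             /* number of bytes of extra data */
};

/* Model of the parser. `base` and `base_size` describe the base sigframe, which
 * the caller has already verified as readable. Returns 0 if the extra data may
 * be read with unprotected accessors, -1 (an EFAULT-like failure) otherwise. */
static int parse_extra_context(uintptr_t base, size_t base_size,
                               const struct extra_context_model *ec)
{
    /* The extra data must begin exactly at the end of the base frame. */
    if (ec->datap != base + base_size)
        return -1;
    /* Total frame (base + extra) must stay within the maximum frame size. */
    if (ec->size > SIGFRAME_MAXSZ_MODEL - base_size)
        return -1;
    /* The check this commit adds: the extra range itself must be user-readable.
     * Without it, a base frame ending at the user/kernel boundary would let
     * the extra data extend past the limit while only the base was checked. */
    if (!range_is_user_readable(ec->datap, ec->size))
        return -1;
    return 0;
}

/* Scenario from the commit message: base frame ends exactly at the boundary,
 * so the base passes access_ok() but the extra data would not. Returns the
 * parser's verdict for that extra record. */
static int extra_past_boundary_is_rejected(void)
{
    uintptr_t base = USER_ADDR_LIMIT - 0x1000;
    struct extra_context_model ec = { .datap = USER_ADDR_LIMIT, .size = 0x100 };
    if (!range_is_user_readable(base, 0x1000))
        return -2;              /* base itself must pass; model is inconsistent if not */
    return parse_extra_context(base, 0x1000, &ec);
}

int main(void)
{
    /* Constructed well-formed frame low in the user range. */
    struct extra_context_model ok = { .datap = 0x11000, .size = 0x8000 };
    printf("well-formed extra data: %d\n", parse_extra_context(0x10000, 0x1000, &ok));
    printf("extra data crossing the limit: %d\n", extra_past_boundary_is_rejected());
    printf("wrapping range readable? %d\n",
           range_is_user_readable(UINTPTR_MAX - 1, 16));
    return 0;
}
```

The point of `extra_past_boundary_is_rejected()` is that the base frame passes the readable check on its own, so only the separate check on `ec->datap` / `ec->size` catches the extra data extending past the limit; the `__builtin_add_overflow` guard matters because a pointer-plus-size that wraps would otherwise compare as "below the limit".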
signal.c 19.4 KB