[PATCH 4/7] powerpc: Implement user_access_begin and friends

24 Nov 2020

From: Christophe Leroy christophe.leroy@c-s.fr
stable inclusion
from linux-4.19.159
commit 8145b3a014e8504f02e15a38f04051fec826f4f2
CVE: CVE-2020-4788
--------------------------------
commit 5cd623333e7cf4e3a334c70529268b65f2a6c2c7 upstream.
Today, when a function like strncpy_from_user() is called,
the userspace access protection is de-activated and re-activated
for every word read.
By implementing user_access_begin and friends, the protection
is de-activated at the beginning of the copy and re-activated at the
end.
Implement user_access_begin(), user_access_end() and
unsafe_get_user(), unsafe_put_user() and unsafe_copy_to_user()
For the time being, we keep user_access_save() and
user_access_restore() as nops.
Signed-off-by: Christophe Leroy christophe.leroy@c-s.fr
Signed-off-by: Michael Ellerman mpe@ellerman.id.au
Link: https://lore.kernel.org/r/36d4fbf9e56a75994aca4ee2214c77b26a5a8d35.157986675...
Signed-off-by: Daniel Axtens dja@axtens.net
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
Reviewed-by: Jason Yan yanaijie@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 arch/powerpc/include/asm/uaccess.h | 75 ++++++++++++++++++++++--------
 1 file changed, 56 insertions(+), 19 deletions(-)

diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
index 85fb4e3dfc07..a7441b7560c7 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
@@ -92,9 +92,14 @@ static inline int __access_ok(unsigned long addr, unsigned long size,
    __put_user_check((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
#define __get_user(x, ptr) \
-	__get_user_nocheck((x), (ptr), sizeof(*(ptr)))
+	__get_user_nocheck((x), (ptr), sizeof(*(ptr)), true)
 #define __put_user(x, ptr) \
-	__put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
+	__put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), true)
+
+#define __get_user_allowed(x, ptr) \
+	__get_user_nocheck((x), (ptr), sizeof(*(ptr)), false)
+#define __put_user_allowed(x, ptr) \
+	__put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), false)
#define __get_user_inatomic(x, ptr) \
    __get_user_nosleep((x), (ptr), sizeof(*(ptr)))
@@ -139,10 +144,9 @@ extern long __put_user_bad(void);
    	: "r" (x), "b" (addr), "i" (-EFAULT), "0" (err))
 #endif /* __powerpc64__ */
-#define __put_user_size(x, ptr, size, retval)			\
+#define __put_user_size_allowed(x, ptr, size, retval)		\
 do {								\
    retval = 0;						\
-	allow_write_to_user(ptr, size);				\
    switch (size) {						\
      case 1: __put_user_asm(x, ptr, retval, "stb"); break;	\
      case 2: __put_user_asm(x, ptr, retval, "sth"); break;	\
@@ -150,17 +154,26 @@ do {								\
      case 8: __put_user_asm2(x, ptr, retval); break;	\
      default: __put_user_bad();				\
    }							\
+} while (0)
+
+#define __put_user_size(x, ptr, size, retval)			\
+do {								\
+	allow_write_to_user(ptr, size);				\
+	__put_user_size_allowed(x, ptr, size, retval);		\
    prevent_write_to_user(ptr, size);			\
 } while (0)
-#define __put_user_nocheck(x, ptr, size)			\
+#define __put_user_nocheck(x, ptr, size, do_allow)			\
 ({								\
    long __pu_err;						\
    __typeof__(*(ptr)) __user *__pu_addr = (ptr);		\
    if (!is_kernel_addr((unsigned long)__pu_addr))		\
    	might_fault();					\
    __chk_user_ptr(ptr);					\
-	__put_user_size((x), __pu_addr, (size), __pu_err);	\
+	if (do_allow)								\
+		__put_user_size((x), __pu_addr, (size), __pu_err);		\
+	else									\
+		__put_user_size_allowed((x), __pu_addr, (size), __pu_err);	\
    __pu_err;						\
 })
@@ -237,13 +250,12 @@ extern long __get_user_bad(void);
    	: "b" (addr), "i" (-EFAULT), "0" (err))
 #endif /* __powerpc64__ */
-#define __get_user_size(x, ptr, size, retval)			\
+#define __get_user_size_allowed(x, ptr, size, retval)		\
 do {								\
    retval = 0;						\
    __chk_user_ptr(ptr);					\
    if (size > sizeof(x))					\
    	(x) = __get_user_bad();				\
-	allow_read_from_user(ptr, size);			\
    switch (size) {						\
    case 1: __get_user_asm(x, ptr, retval, "lbz"); break;	\
    case 2: __get_user_asm(x, ptr, retval, "lhz"); break;	\
@@ -251,6 +263,12 @@ do {								\
    case 8: __get_user_asm2(x, ptr, retval);  break;	\
    default: (x) = __get_user_bad();			\
    }							\
+} while (0)
+
+#define __get_user_size(x, ptr, size, retval)			\
+do {								\
+	allow_read_from_user(ptr, size);			\
+	__get_user_size_allowed(x, ptr, size, retval);		\
    prevent_read_from_user(ptr, size);			\
 } while (0)
@@ -261,7 +279,7 @@ do {								\
 #define __long_type(x) \
    __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
-#define __get_user_nocheck(x, ptr, size)			\
+#define __get_user_nocheck(x, ptr, size, do_allow)			\
 ({								\
    long __gu_err;						\
    __long_type(*(ptr)) __gu_val;				\
@@ -270,7 +288,10 @@ do {								\
    if (!is_kernel_addr((unsigned long)__gu_addr))		\
    	might_fault();					\
    barrier_nospec();					\
-	__get_user_size(__gu_val, __gu_addr, (size), __gu_err);	\
+	if (do_allow)								\
+		__get_user_size(__gu_val, __gu_addr, (size), __gu_err);		\
+	else									\
+		__get_user_size_allowed(__gu_val, __gu_addr, (size), __gu_err);	\
    (x) = (__typeof__(*(ptr)))__gu_val;			\
    __gu_err;						\
 })
@@ -357,33 +378,40 @@ static inline unsigned long raw_copy_from_user(void *to,
    return ret;
 }
-static inline unsigned long raw_copy_to_user(void __user *to,
-		const void *from, unsigned long n)
+static inline unsigned long
+raw_copy_to_user_allowed(void __user *to, const void *from, unsigned long n)
 {
-	unsigned long ret;
    if (__builtin_constant_p(n) && (n <= 8)) {
-		ret = 1;
+		unsigned long ret = 1;
switch (n) {
    	case 1:
-			__put_user_size(*(u8 *)from, (u8 __user *)to, 1, ret);
+			__put_user_size_allowed(*(u8 *)from, (u8 __user *)to, 1, ret);
    		break;
    	case 2:
-			__put_user_size(*(u16 *)from, (u16 __user *)to, 2, ret);
+			__put_user_size_allowed(*(u16 *)from, (u16 __user *)to, 2, ret);
    		break;
    	case 4:
-			__put_user_size(*(u32 *)from, (u32 __user *)to, 4, ret);
+			__put_user_size_allowed(*(u32 *)from, (u32 __user *)to, 4, ret);
    		break;
    	case 8:
-			__put_user_size(*(u64 *)from, (u64 __user *)to, 8, ret);
+			__put_user_size_allowed(*(u64 *)from, (u64 __user *)to, 8, ret);
    		break;
    	}
    	if (ret == 0)
    		return 0;
    }
+	return __copy_tofrom_user(to, (__force const void __user *)from, n);
+}
+
+static inline unsigned long
+raw_copy_to_user(void __user *to, const void *from, unsigned long n)
+{
+	unsigned long ret;
+
    allow_write_to_user(to, n);
-	ret = __copy_tofrom_user(to, (__force const void __user *)from, n);
+	ret = raw_copy_to_user_allowed(to, from, n);
    prevent_write_to_user(to, n);
    return ret;
 }
@@ -410,4 +438,13 @@ extern long __copy_from_user_flushcache(void *dst, const void __user *src,
 extern void memcpy_page_flushcache(char *to, struct page *page, size_t offset,
    		   size_t len);
+#define user_access_begin(type, ptr, len) access_ok(type, ptr, len)
+#define user_access_end()		  prevent_user_access(NULL, NULL, ~0ul)
+
+#define unsafe_op_wrap(op, err) do { if (unlikely(op)) goto err; } while (0)
+#define unsafe_get_user(x, p, e) unsafe_op_wrap(__get_user_allowed(x, p), e)
+#define unsafe_put_user(x, p, e) unsafe_op_wrap(__put_user_allowed(x, p), e)
+#define unsafe_copy_to_user(d, s, l, e) \
+	unsafe_op_wrap(raw_copy_to_user_allowed(d, s, l), e)
+
 #endif	/* _ARCH_POWERPC_UACCESS_H */
-- 
2.25.1

    

2024

2023

2022

2021

2020

2019

[PATCH 4/7] powerpc: Implement user_access_begin and friends