1 files changed, 68 insertions, 9 deletions
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index e4d4a22e8b94..b07ba9393564 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -57,7 +57,7 @@ DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
        .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
 };
-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = NATIVE;
+static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
 static int __init vsyscall_setup(char *str)
 {
@@ -140,11 +140,40 @@ static int addr_to_vsyscall_nr(unsigned long addr)
        return nr;
 }
+static bool write_ok_or_segv(unsigned long ptr, size_t size)
+{
+        /*
+         * XXX: if access_ok, get_user, and put_user handled
+         * sig_on_uaccess_error, this could go away.
+         */
+        if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
+                siginfo_t info;
+                struct thread_struct *thread = &current->thread;
+                thread->error_code      = 6;  /* user fault, no page, write */
+                thread->cr2             = ptr;
+                thread->trap_no         = 14;
+                memset(&info, 0, sizeof(info));
+                info.si_signo           = SIGSEGV;
+                info.si_errno           = 0;
+                info.si_code            = SEGV_MAPERR;
+                info.si_addr            = (void __user *)ptr;
+                force_sig_info(SIGSEGV, &info, current);
+                return false;
+        } else {
+                return true;
+        }
+}
 bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 {
        struct task_struct *tsk;
        unsigned long caller;
        int vsyscall_nr;
+        int prev_sig_on_uaccess_error;
        long ret;
        /*
@@ -180,35 +209,65 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
        if (seccomp_mode(&tsk->seccomp))
                do_exit(SIGKILL);
+        /*
+         * With a real vsyscall, page faults cause SIGSEGV.  We want to
+         * preserve that behavior to make writing exploits harder.
+         */
+        prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
+        current_thread_info()->sig_on_uaccess_error = 1;
+        /*
+         * 0 is a valid user pointer (in the access_ok sense) on 32-bit and
+         * 64-bit, so we don't need to special-case it here.  For all the
+         * vsyscalls, 0 means "don't write anything" not "write it at
+         * address 0".
+         */
+        ret = -EFAULT;
        switch (vsyscall_nr) {
        case 0:
+                if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) ||
+                    !write_ok_or_segv(regs->si, sizeof(struct timezone)))
+                        break;
                ret = sys_gettimeofday(
                        (struct timeval __user *)regs->di,
                        (struct timezone __user *)regs->si);
                break;
        case 1:
+                if (!write_ok_or_segv(regs->di, sizeof(time_t)))
+                        break;
                ret = sys_time((time_t __user *)regs->di);
                break;
        case 2:
+                if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
+                    !write_ok_or_segv(regs->si, sizeof(unsigned)))
+                        break;
                ret = sys_getcpu((unsigned __user *)regs->di,
                                 (unsigned __user *)regs->si,
                                 0);
                break;
        }
+        current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
        if (ret == -EFAULT) {
-                /*
+                /* Bad news -- userspace fed a bad pointer to a vsyscall. */
-                 * Bad news -- userspace fed a bad pointer to a vsyscall.
-                 *
-                 * With a real vsyscall, that would have caused SIGSEGV.
-                 * To make writing reliable exploits using the emulated
-                 * vsyscalls harder, generate SIGSEGV here as well.
-                 */
                warn_bad_vsyscall(KERN_INFO, regs,
                                  "vsyscall fault (exploit attempt?)");
-                goto sigsegv;
+                /*
+                 * If we failed to generate a signal for any reason,
+                 * generate one here.  (This should be impossible.)
+                 */
+                if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
+                                 !sigismember(&tsk->pending.signal, SIGSEGV)))
+                        goto sigsegv;
+                return true;  /* Don't emulate the ret. */
        }
        regs->ax = ret;

diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c index e4d4a22e8b94..b07ba9393564 100644 --- a/arch/x86/kernel/vsyscall_64.c +++ b/arch/x86/kernel/vsyscall_64.c
@@ -57,7 +57,7 @@ DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
57	.lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),	57	.lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
58	};	58	};
59		59
60	static enum { EMULATE, NATIVE, NONE } vsyscall_mode = NATIVE;	60	static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
61		61
62	static int __init vsyscall_setup(char *str)	62	static int __init vsyscall_setup(char *str)
63	{	63	{
@@ -140,11 +140,40 @@ static int addr_to_vsyscall_nr(unsigned long addr)
140	return nr;	140	return nr;
141	}	141	}
142		142
		143	static bool write_ok_or_segv(unsigned long ptr, size_t size)
		144	{
		145	/*
		146	* XXX: if access_ok, get_user, and put_user handled
		147	* sig_on_uaccess_error, this could go away.
		148	*/
		149
		150	if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
		151	siginfo_t info;
		152	struct thread_struct *thread = &current->thread;
		153
		154	thread->error_code = 6; /* user fault, no page, write */
		155	thread->cr2 = ptr;
		156	thread->trap_no = 14;
		157
		158	memset(&info, 0, sizeof(info));
		159	info.si_signo = SIGSEGV;
		160	info.si_errno = 0;
		161	info.si_code = SEGV_MAPERR;
		162	info.si_addr = (void __user *)ptr;
		163
		164	force_sig_info(SIGSEGV, &info, current);
		165	return false;
		166	} else {
		167	return true;
		168	}
		169	}
		170
143	bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)	171	bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
144	{	172	{
145	struct task_struct *tsk;	173	struct task_struct *tsk;
146	unsigned long caller;	174	unsigned long caller;
147	int vsyscall_nr;	175	int vsyscall_nr;
		176	int prev_sig_on_uaccess_error;
148	long ret;	177	long ret;
149		178
150	/*	179	/*
@@ -180,35 +209,65 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
180	if (seccomp_mode(&tsk->seccomp))	209	if (seccomp_mode(&tsk->seccomp))
181	do_exit(SIGKILL);	210	do_exit(SIGKILL);
182		211
		212	/*
		213	* With a real vsyscall, page faults cause SIGSEGV. We want to
		214	* preserve that behavior to make writing exploits harder.
		215	*/
		216	prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
		217	current_thread_info()->sig_on_uaccess_error = 1;
		218
		219	/*
		220	* 0 is a valid user pointer (in the access_ok sense) on 32-bit and
		221	* 64-bit, so we don't need to special-case it here. For all the
		222	* vsyscalls, 0 means "don't write anything" not "write it at
		223	* address 0".
		224	*/
		225	ret = -EFAULT;
183	switch (vsyscall_nr) {	226	switch (vsyscall_nr) {
184	case 0:	227	case 0:
		228	if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) \|\|
		229	!write_ok_or_segv(regs->si, sizeof(struct timezone)))
		230	break;
		231
185	ret = sys_gettimeofday(	232	ret = sys_gettimeofday(
186	(struct timeval __user *)regs->di,	233	(struct timeval __user *)regs->di,
187	(struct timezone __user *)regs->si);	234	(struct timezone __user *)regs->si);
188	break;	235	break;
189		236
190	case 1:	237	case 1:
		238	if (!write_ok_or_segv(regs->di, sizeof(time_t)))
		239	break;
		240
191	ret = sys_time((time_t __user *)regs->di);	241	ret = sys_time((time_t __user *)regs->di);
192	break;	242	break;
193		243
194	case 2:	244	case 2:
		245	if (!write_ok_or_segv(regs->di, sizeof(unsigned)) \|\|
		246	!write_ok_or_segv(regs->si, sizeof(unsigned)))
		247	break;
		248
195	ret = sys_getcpu((unsigned __user *)regs->di,	249	ret = sys_getcpu((unsigned __user *)regs->di,
196	(unsigned __user *)regs->si,	250	(unsigned __user *)regs->si,
197	0);	251	0);
198	break;	252	break;
199	}	253	}
200		254
		255	current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
		256
201	if (ret == -EFAULT) {	257	if (ret == -EFAULT) {
202	/*	258	/* Bad news -- userspace fed a bad pointer to a vsyscall. */
203	* Bad news -- userspace fed a bad pointer to a vsyscall.
204	*
205	* With a real vsyscall, that would have caused SIGSEGV.
206	* To make writing reliable exploits using the emulated
207	* vsyscalls harder, generate SIGSEGV here as well.
208	*/
209	warn_bad_vsyscall(KERN_INFO, regs,	259	warn_bad_vsyscall(KERN_INFO, regs,
210	"vsyscall fault (exploit attempt?)");	260	"vsyscall fault (exploit attempt?)");
211	goto sigsegv;	261
		262	/*
		263	* If we failed to generate a signal for any reason,
		264	* generate one here. (This should be impossible.)
		265	*/
		266	if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
		267	!sigismember(&tsk->pending.signal, SIGSEGV)))
		268	goto sigsegv;
		269
		270	return true; /* Don't emulate the ret. */
212	}	271	}
213		272
214	regs->ax = ret;	273	regs->ax = ret;