diff options
| author | Mark Rutland <mark.rutland@arm.com> | 2016-03-01 09:18:50 -0500 |
|---|---|---|
| committer | Catalin Marinas <catalin.marinas@arm.com> | 2016-03-02 10:49:28 -0500 |
| commit | dbd4d7ca563fd0a8949718d35ce197e5642d5d9d (patch) | |
| tree | 35b33dd22bd899a75ad8be3f69e8165084a0d18f | |
| parent | 6d2aa549de1fc998581d216de3853aa131aa4446 (diff) | |
arm64: Rework valid_user_regs
We validate pstate using PSR_MODE32_BIT, which is part of the
user-provided pstate (and cannot be trusted). Also, we conflate
validation of AArch32 and AArch64 pstate values, making the code
difficult to reason about.
Instead, validate the pstate value based on the associated task. The
task may or may not be current (e.g. when using ptrace), so this must be
passed explicitly by callers. To avoid circular header dependencies via
sched.h, is_compat_task is pulled out of asm/ptrace.h.
To make the code possible to reason about, the AArch64 and AArch32
validation is split into separate functions. Software must respect the
RES0 policy for SPSR bits, and thus the kernel mirrors the hardware
policy (RAZ/WI) for bits as-yet unallocated. When these acquire an
architected meaning writes may be permitted (potentially with additional
validation).
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Dave Martin <dave.martin@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
| -rw-r--r-- | arch/arm64/include/asm/ptrace.h | 33 | ||||
| -rw-r--r-- | arch/arm64/kernel/ptrace.c | 80 | ||||
| -rw-r--r-- | arch/arm64/kernel/signal.c | 4 | ||||
| -rw-r--r-- | arch/arm64/kernel/signal32.c | 2 |
4 files changed, 85 insertions, 34 deletions
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index e9e5467e0bf4..a307eb6e7fa8 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h | |||
| @@ -58,6 +58,7 @@ | |||
| 58 | #define COMPAT_PSR_Z_BIT 0x40000000 | 58 | #define COMPAT_PSR_Z_BIT 0x40000000 |
| 59 | #define COMPAT_PSR_N_BIT 0x80000000 | 59 | #define COMPAT_PSR_N_BIT 0x80000000 |
| 60 | #define COMPAT_PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */ | 60 | #define COMPAT_PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */ |
| 61 | #define COMPAT_PSR_GE_MASK 0x000f0000 | ||
| 61 | 62 | ||
| 62 | #ifdef CONFIG_CPU_BIG_ENDIAN | 63 | #ifdef CONFIG_CPU_BIG_ENDIAN |
| 63 | #define COMPAT_PSR_ENDSTATE COMPAT_PSR_E_BIT | 64 | #define COMPAT_PSR_ENDSTATE COMPAT_PSR_E_BIT |
| @@ -151,35 +152,9 @@ static inline unsigned long regs_return_value(struct pt_regs *regs) | |||
| 151 | return regs->regs[0]; | 152 | return regs->regs[0]; |
| 152 | } | 153 | } |
| 153 | 154 | ||
| 154 | /* | 155 | /* We must avoid circular header include via sched.h */ |
| 155 | * Are the current registers suitable for user mode? (used to maintain | 156 | struct task_struct; |
| 156 | * security in signal handlers) | 157 | int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task); |
| 157 | */ | ||
| 158 | static inline int valid_user_regs(struct user_pt_regs *regs) | ||
| 159 | { | ||
| 160 | if (user_mode(regs) && (regs->pstate & PSR_I_BIT) == 0) { | ||
| 161 | regs->pstate &= ~(PSR_F_BIT | PSR_A_BIT); | ||
| 162 | |||
| 163 | /* The T bit is reserved for AArch64 */ | ||
| 164 | if (!(regs->pstate & PSR_MODE32_BIT)) | ||
| 165 | regs->pstate &= ~COMPAT_PSR_T_BIT; | ||
| 166 | |||
| 167 | return 1; | ||
| 168 | } | ||
| 169 | |||
| 170 | /* | ||
| 171 | * Force PSR to something logical... | ||
| 172 | */ | ||
| 173 | regs->pstate &= PSR_f | PSR_s | (PSR_x & ~PSR_A_BIT) | \ | ||
| 174 | COMPAT_PSR_T_BIT | PSR_MODE32_BIT; | ||
| 175 | |||
| 176 | if (!(regs->pstate & PSR_MODE32_BIT)) { | ||
| 177 | regs->pstate &= ~COMPAT_PSR_T_BIT; | ||
| 178 | regs->pstate |= PSR_MODE_EL0t; | ||
| 179 | } | ||
| 180 | |||
| 181 | return 0; | ||
| 182 | } | ||
| 183 | 158 | ||
| 184 | #define instruction_pointer(regs) ((unsigned long)(regs)->pc) | 159 | #define instruction_pointer(regs) ((unsigned long)(regs)->pc) |
| 185 | 160 | ||
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index ff7f13239515..3f6cd5c5234f 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c | |||
| @@ -500,7 +500,7 @@ static int gpr_set(struct task_struct *target, const struct user_regset *regset, | |||
| 500 | if (ret) | 500 | if (ret) |
| 501 | return ret; | 501 | return ret; |
| 502 | 502 | ||
| 503 | if (!valid_user_regs(&newregs)) | 503 | if (!valid_user_regs(&newregs, target)) |
| 504 | return -EINVAL; | 504 | return -EINVAL; |
| 505 | 505 | ||
| 506 | task_pt_regs(target)->user_regs = newregs; | 506 | task_pt_regs(target)->user_regs = newregs; |
| @@ -770,7 +770,7 @@ static int compat_gpr_set(struct task_struct *target, | |||
| 770 | 770 | ||
| 771 | } | 771 | } |
| 772 | 772 | ||
| 773 | if (valid_user_regs(&newregs.user_regs)) | 773 | if (valid_user_regs(&newregs.user_regs, target)) |
| 774 | *task_pt_regs(target) = newregs; | 774 | *task_pt_regs(target) = newregs; |
| 775 | else | 775 | else |
| 776 | ret = -EINVAL; | 776 | ret = -EINVAL; |
| @@ -1272,3 +1272,79 @@ asmlinkage void syscall_trace_exit(struct pt_regs *regs) | |||
| 1272 | if (test_thread_flag(TIF_SYSCALL_TRACE)) | 1272 | if (test_thread_flag(TIF_SYSCALL_TRACE)) |
| 1273 | tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); | 1273 | tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT); |
| 1274 | } | 1274 | } |
| 1275 | |||
| 1276 | /* | ||
| 1277 | * Bits which are always architecturally RES0 per ARM DDI 0487A.h | ||
| 1278 | * Userspace cannot use these until they have an architectural meaning. | ||
| 1279 | * We also reserve IL for the kernel; SS is handled dynamically. | ||
| 1280 | */ | ||
| 1281 | #define SPSR_EL1_AARCH64_RES0_BITS \ | ||
| 1282 | (GENMASK_ULL(63,32) | GENMASK_ULL(27, 22) | GENMASK_ULL(20, 10) | \ | ||
| 1283 | GENMASK_ULL(5, 5)) | ||
| 1284 | #define SPSR_EL1_AARCH32_RES0_BITS \ | ||
| 1285 | (GENMASK_ULL(63,32) | GENMASK_ULL(24, 22) | GENMASK_ULL(20,20)) | ||
| 1286 | |||
| 1287 | static int valid_compat_regs(struct user_pt_regs *regs) | ||
| 1288 | { | ||
| 1289 | regs->pstate &= ~SPSR_EL1_AARCH32_RES0_BITS; | ||
| 1290 | |||
| 1291 | if (!system_supports_mixed_endian_el0()) { | ||
| 1292 | if (IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) | ||
| 1293 | regs->pstate |= COMPAT_PSR_E_BIT; | ||
| 1294 | else | ||
| 1295 | regs->pstate &= ~COMPAT_PSR_E_BIT; | ||
| 1296 | } | ||
| 1297 | |||
| 1298 | if (user_mode(regs) && (regs->pstate & PSR_MODE32_BIT) && | ||
| 1299 | (regs->pstate & COMPAT_PSR_A_BIT) == 0 && | ||
| 1300 | (regs->pstate & COMPAT_PSR_I_BIT) == 0 && | ||
| 1301 | (regs->pstate & COMPAT_PSR_F_BIT) == 0) { | ||
| 1302 | return 1; | ||
| 1303 | } | ||
| 1304 | |||
| 1305 | /* | ||
| 1306 | * Force PSR to a valid 32-bit EL0t, preserving the same bits as | ||
| 1307 | * arch/arm. | ||
| 1308 | */ | ||
| 1309 | regs->pstate &= COMPAT_PSR_N_BIT | COMPAT_PSR_Z_BIT | | ||
| 1310 | COMPAT_PSR_C_BIT | COMPAT_PSR_V_BIT | | ||
| 1311 | COMPAT_PSR_Q_BIT | COMPAT_PSR_IT_MASK | | ||
| 1312 | COMPAT_PSR_GE_MASK | COMPAT_PSR_E_BIT | | ||
| 1313 | COMPAT_PSR_T_BIT; | ||
| 1314 | regs->pstate |= PSR_MODE32_BIT; | ||
| 1315 | |||
| 1316 | return 0; | ||
| 1317 | } | ||
| 1318 | |||
| 1319 | static int valid_native_regs(struct user_pt_regs *regs) | ||
| 1320 | { | ||
| 1321 | regs->pstate &= ~SPSR_EL1_AARCH64_RES0_BITS; | ||
| 1322 | |||
| 1323 | if (user_mode(regs) && !(regs->pstate & PSR_MODE32_BIT) && | ||
| 1324 | (regs->pstate & PSR_D_BIT) == 0 && | ||
| 1325 | (regs->pstate & PSR_A_BIT) == 0 && | ||
| 1326 | (regs->pstate & PSR_I_BIT) == 0 && | ||
| 1327 | (regs->pstate & PSR_F_BIT) == 0) { | ||
| 1328 | return 1; | ||
| 1329 | } | ||
| 1330 | |||
| 1331 | /* Force PSR to a valid 64-bit EL0t */ | ||
| 1332 | regs->pstate &= PSR_N_BIT | PSR_Z_BIT | PSR_C_BIT | PSR_V_BIT; | ||
| 1333 | |||
| 1334 | return 0; | ||
| 1335 | } | ||
| 1336 | |||
| 1337 | /* | ||
| 1338 | * Are the current registers suitable for user mode? (used to maintain | ||
| 1339 | * security in signal handlers) | ||
| 1340 | */ | ||
| 1341 | int valid_user_regs(struct user_pt_regs *regs, struct task_struct *task) | ||
| 1342 | { | ||
| 1343 | if (!test_tsk_thread_flag(task, TIF_SINGLESTEP)) | ||
| 1344 | regs->pstate &= ~DBG_SPSR_SS; | ||
| 1345 | |||
| 1346 | if (is_compat_thread(task_thread_info(task))) | ||
| 1347 | return valid_compat_regs(regs); | ||
| 1348 | else | ||
| 1349 | return valid_native_regs(regs); | ||
| 1350 | } | ||
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index e18c48cb6db1..a8eafdbc7cb8 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c | |||
| @@ -115,7 +115,7 @@ static int restore_sigframe(struct pt_regs *regs, | |||
| 115 | */ | 115 | */ |
| 116 | regs->syscallno = ~0UL; | 116 | regs->syscallno = ~0UL; |
| 117 | 117 | ||
| 118 | err |= !valid_user_regs(®s->user_regs); | 118 | err |= !valid_user_regs(®s->user_regs, current); |
| 119 | 119 | ||
| 120 | if (err == 0) { | 120 | if (err == 0) { |
| 121 | struct fpsimd_context *fpsimd_ctx = | 121 | struct fpsimd_context *fpsimd_ctx = |
| @@ -307,7 +307,7 @@ static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) | |||
| 307 | /* | 307 | /* |
| 308 | * Check that the resulting registers are actually sane. | 308 | * Check that the resulting registers are actually sane. |
| 309 | */ | 309 | */ |
| 310 | ret |= !valid_user_regs(®s->user_regs); | 310 | ret |= !valid_user_regs(®s->user_regs, current); |
| 311 | 311 | ||
| 312 | /* | 312 | /* |
| 313 | * Fast forward the stepping logic so we step into the signal | 313 | * Fast forward the stepping logic so we step into the signal |
diff --git a/arch/arm64/kernel/signal32.c b/arch/arm64/kernel/signal32.c index 71ef6dc89ae5..107335637390 100644 --- a/arch/arm64/kernel/signal32.c +++ b/arch/arm64/kernel/signal32.c | |||
| @@ -356,7 +356,7 @@ static int compat_restore_sigframe(struct pt_regs *regs, | |||
| 356 | */ | 356 | */ |
| 357 | regs->syscallno = ~0UL; | 357 | regs->syscallno = ~0UL; |
| 358 | 358 | ||
| 359 | err |= !valid_user_regs(®s->user_regs); | 359 | err |= !valid_user_regs(®s->user_regs, current); |
| 360 | 360 | ||
| 361 | aux = (struct compat_aux_sigframe __user *) sf->uc.uc_regspace; | 361 | aux = (struct compat_aux_sigframe __user *) sf->uc.uc_regspace; |
| 362 | if (err == 0) | 362 | if (err == 0) |