authorAndy Lutomirski <luto@amacapital.net>2011-11-07 19:33:40 -0500
committerIngo Molnar <mingo@elte.hu>2011-12-05 06:17:27 -0500
commit4fc3490114bb159bd4fff1b3c96f4320fe6fb08f (patch)
tree71941c92c7352b1b78c169020946fecf1eae8f4a
parent01acc269083015e2f78407f59dc8d6378fce22ee (diff)
x86-64: Set siginfo and context on vsyscall emulation faults
To make this work, we teach the page fault handler how to send signals on failed uaccess. This only works for user addresses (kernel addresses will never hit the page fault handler in the first place), so we need to generate signals for those separately. This gets the tricky case right: if the user buffer spans multiple pages and only the second page is invalid, we set cr2 and si_addr correctly. UML relies on this behavior to "fault in" pages as needed. We steal a bit from thread_info.uaccess_err to enable this. Before this change, uaccess_err was a 32-bit boolean value. This fixes issues with UML when vsyscall=emulate. Reported-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Cc: richard -rw- weinberger <richard.weinberger@gmail.com> Cc: H. Peter Anvin <hpa@linux.intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Link: http://lkml.kernel.org/r/4c8f91de7ec5cd2ef0f59521a04e1015f11e42b4.1320712291.git.luto@amacapital.net Signed-off-by: Ingo Molnar <mingo@elte.hu>
-rw-r--r--arch/x86/include/asm/thread_info.h3
-rw-r--r--arch/x86/include/asm/uaccess.h2
-rw-r--r--arch/x86/kernel/vsyscall_64.c75
-rw-r--r--arch/x86/mm/extable.c2
-rw-r--r--arch/x86/mm/fault.c22
5 files changed, 87 insertions, 17 deletions
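--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -40,7 +40,8 @@ struct thread_info {
  */
 	__u8			supervisor_stack[0];
 #endif
-	int			uaccess_err;
+	int			sig_on_uaccess_error:1;
+	int			uaccess_err:1;	/* uaccess failed */
 };
 
 #define INIT_THREAD_INFO(tsk)			\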
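Review bot: The two new bit-fields are declared `int ...:1`, so a signed one-bit field that is stored as 1 (which is exactly what extable.c now does for `uaccess_err`) reads back as -1 on the usual ABIs; that is harmless for the truth tests in `uaccess_catch` and `no_context`, but any later `== 1` comparison would silently fail and `-Wconversion` builds warn on the store. Declaring them `unsigned int sig_on_uaccess_error:1; unsigned int uaccess_err:1;` keeps the layout and makes the stored value unambiguous. `sig_on_uaccess_error` also deserves a comment like the one `uaccess_err` has, since its meaning is only visible in fault.c, e.g. `/* also raise the fault's signal when a uaccess is fixed up */`.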
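--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -462,7 +462,7 @@ struct __large_struct { unsigned long buf[100]; };
 	barrier();
 
 #define uaccess_catch(err)						\
-	(err) |= current_thread_info()->uaccess_err;			\
+	(err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0);	\
 	current_thread_info()->uaccess_err = prev_err;			\
 } while (0)
 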
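--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -140,11 +140,40 @@ static int addr_to_vsyscall_nr(unsigned long addr)
 	return nr;
 }
 
+static bool write_ok_or_segv(unsigned long ptr, size_t size)
+{
+	/*
+	 * XXX: if access_ok, get_user, and put_user handled
+	 * sig_on_uaccess_error, this could go away.
+	 */
+
+	if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
+		siginfo_t info;
+		struct thread_struct *thread = &current->thread;
+
+		thread->error_code = 6; /* user fault, no page, write */
+		thread->cr2 = ptr;
+		thread->trap_no = 14;
+
+		memset(&info, 0, sizeof(info));
+		info.si_signo = SIGSEGV;
+		info.si_errno = 0;
+		info.si_code = SEGV_MAPERR;
+		info.si_addr = (void __user *)ptr;
+
+		force_sig_info(SIGSEGV, &info, current);
+		return false;
+	} else {
+		return true;
+	}
+}
+
 bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 {
 	struct task_struct *tsk;
 	unsigned long caller;
 	int vsyscall_nr;
+	int prev_sig_on_uaccess_error;
 	long ret;
 
 	/*
@@ -180,35 +209,65 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 	if (seccomp_mode(&tsk->seccomp))
 		do_exit(SIGKILL);
 
+	/*
+	 * With a real vsyscall, page faults cause SIGSEGV. We want to
+	 * preserve that behavior to make writing exploits harder.
+	 */
+	prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
+	current_thread_info()->sig_on_uaccess_error = 1;
+
+	/*
+	 * 0 is a valid user pointer (in the access_ok sense) on 32-bit and
+	 * 64-bit, so we don't need to special-case it here. For all the
+	 * vsyscalls, 0 means "don't write anything" not "write it at
+	 * address 0".
+	 */
+	ret = -EFAULT;
 	switch (vsyscall_nr) {
 	case 0:
+		if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) ||
+		    !write_ok_or_segv(regs->si, sizeof(struct timezone)))
+			break;
+
 		ret = sys_gettimeofday(
 			(struct timeval __user *)regs->di,
 			(struct timezone __user *)regs->si);
 		break;
 
 	case 1:
+		if (!write_ok_or_segv(regs->di, sizeof(time_t)))
+			break;
+
 		ret = sys_time((time_t __user *)regs->di);
 		break;
 
 	case 2:
+		if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
+		    !write_ok_or_segv(regs->si, sizeof(unsigned)))
+			break;
+
 		ret = sys_getcpu((unsigned __user *)regs->di,
 				 (unsigned __user *)regs->si,
 				 0);
 		break;
 	}
 
+	current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
+
 	if (ret == -EFAULT) {
-		/*
-		 * Bad news -- userspace fed a bad pointer to a vsyscall.
-		 *
-		 * With a real vsyscall, that would have caused SIGSEGV.
-		 * To make writing reliable exploits using the emulated
-		 * vsyscalls harder, generate SIGSEGV here as well.
-		 */
+		/* Bad news -- userspace fed a bad pointer to a vsyscall. */
 		warn_bad_vsyscall(KERN_INFO, regs,
 				  "vsyscall fault (exploit attempt?)");
-		goto sigsegv;
+
+		/*
+		 * If we failed to generate a signal for any reason,
+		 * generate one here. (This should be impossible.)
+		 */
+		if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
+				 !sigismember(&tsk->pending.signal, SIGSEGV)))
+			goto sigsegv;
+
+		return true; /* Don't emulate the ret. */
 	}
 
 	regs->ax = ret;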
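Review bot: `write_ok_or_segv` stores bare magic numbers into `thread->error_code` and `thread->trap_no`; fault.c expresses the same encoding with the `PF_USER` flag and the vector is implied there, so the constants should at least be spelled out in the comment, e.g. `thread->error_code = 6; /* PF_USER | PF_WRITE: user-mode write to a not-present page */` and `thread->trap_no = 14; /* #PF vector, so the context matches a real page fault */`. The helper also deserves a header comment stating that it only performs the `access_ok` range check and synthesises the siginfo a real page fault would produce; a fault on a valid-range but unmapped page is left to the fault handler through `sig_on_uaccess_error`, which is what the flag flip before the switch is for. Stylistically, the `else { return true; }` after a branch that returns can be flattened to a plain `return true;` following the if block. The `sizeof(struct timeval)`/`sizeof(struct timezone)` bounds appear to match what `sys_gettimeofday` writes, but since those writes happen outside this file that is inferred rather than visible here.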
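--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -25,7 +25,7 @@ int fixup_exception(struct pt_regs *regs)
 	if (fixup) {
 		/* If fixup is less than 16, it means uaccess error */
 		if (fixup->fixup < 16) {
-			current_thread_info()->uaccess_err = -EFAULT;
+			current_thread_info()->uaccess_err = 1;
 			regs->ip += fixup->fixup;
 			return 1;
 		}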
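--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -626,7 +626,7 @@ pgtable_bad(struct pt_regs *regs, unsigned long error_code,
 
 static noinline void
 no_context(struct pt_regs *regs, unsigned long error_code,
-	   unsigned long address)
+	   unsigned long address, int signal, int si_code)
 {
 	struct task_struct *tsk = current;
 	unsigned long *stackend;
@@ -634,8 +634,17 @@ no_context(struct pt_regs *regs, unsigned long error_code,
 	int sig;
 
 	/* Are we prepared to handle this kernel fault? */
-	if (fixup_exception(regs))
+	if (fixup_exception(regs)) {
+		if (current_thread_info()->sig_on_uaccess_error && signal) {
+			tsk->thread.trap_no = 14;
+			tsk->thread.error_code = error_code | PF_USER;
+			tsk->thread.cr2 = address;
+
+			/* XXX: hwpoison faults will set the wrong code. */
+			force_sig_info_fault(signal, si_code, address, tsk, 0);
+		}
 		return;
+	}
 
 	/*
 	 * 32-bit:
@@ -755,7 +764,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
 	if (is_f00f_bug(regs, address))
 		return;
 
-	no_context(regs, error_code, address);
+	no_context(regs, error_code, address, SIGSEGV, si_code);
 }
 
 static noinline void
@@ -819,7 +828,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
 
 	/* Kernel mode? Handle exceptions or die: */
 	if (!(error_code & PF_USER)) {
-		no_context(regs, error_code, address);
+		no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
 		return;
 	}
 
@@ -854,7 +863,7 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
 	if (!(fault & VM_FAULT_RETRY))
 		up_read(&current->mm->mmap_sem);
 	if (!(error_code & PF_USER))
-		no_context(regs, error_code, address);
+		no_context(regs, error_code, address, 0, 0);
 	return 1;
 	}
 	if (!(fault & VM_FAULT_ERROR))
@@ -864,7 +873,8 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
 	/* Kernel mode? Handle exceptions or die: */
 	if (!(error_code & PF_USER)) {
 		up_read(&current->mm->mmap_sem);
-		no_context(regs, error_code, address);
+		no_context(regs, error_code, address,
+			   SIGSEGV, SEGV_MAPERR);
 		return 1;
 	}
 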
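Review bot: `no_context` gained `signal` and `si_code` parameters but nothing documents their contract, in particular that `signal == 0` (the out-of-memory call in `mm_fault_error`) means "fix up silently even when the thread has asked for a signal". A comment above the `fixup_exception` branch would capture it, e.g. `/* signal == 0: caller wants a silent fixup; otherwise report the uaccess fault to userspace if the thread opted in via sig_on_uaccess_error. */`. The `error_code | PF_USER` store intentionally records a kernel-mode uaccess fault as a user fault in thread.error_code, which is what the emulated-vsyscall caller relies on, and the in-hunk XXX already flags that hwpoison faults get the wrong code; since the last `force_sig_info_fault` argument is passed as a literal 0, the hwpoison case presumably needs the real fault flags threaded through, but that is outside this hunk and I cannot confirm it here. The same undocumented-parameter point applies to the four call sites in the later hunks, which would read better with the literal pairs named in a short comment at the first of them.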