5 files changed, 87 insertions, 17 deletions
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index a1fe5c127b52..25ebd792725b 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -40,7 +40,8 @@ struct thread_info {
                                                */
        __u8                    supervisor_stack[0];
 #endif
-        int                     uaccess_err;
+        int                     sig_on_uaccess_error:1;
+        int                     uaccess_err:1;  /* uaccess failed */
 };
 #define INIT_THREAD_INFO(tsk)                   \
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 36361bf6fdd1..8be5f54d9360 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -462,7 +462,7 @@ struct __large_struct { unsigned long buf[100]; };
        barrier();
 #define uaccess_catch(err)                                              \
-        (err) |= current_thread_info()->uaccess_err;                    \
+        (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0);    \
        current_thread_info()->uaccess_err = prev_err;                  \
 } while (0)
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index e4d4a22e8b94..8084beccd64e 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -140,11 +140,40 @@ static int addr_to_vsyscall_nr(unsigned long addr)
        return nr;
 }
+static bool write_ok_or_segv(unsigned long ptr, size_t size)
+{
+        /*
+         * XXX: if access_ok, get_user, and put_user handled
+         * sig_on_uaccess_error, this could go away.
+         */
+        if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
+                siginfo_t info;
+                struct thread_struct *thread = &current->thread;
+                thread->error_code      = 6;  /* user fault, no page, write */
+                thread->cr2             = ptr;
+                thread->trap_no         = 14;
+                memset(&info, 0, sizeof(info));
+                info.si_signo           = SIGSEGV;
+                info.si_errno           = 0;
+                info.si_code            = SEGV_MAPERR;
+                info.si_addr            = (void __user *)ptr;
+                force_sig_info(SIGSEGV, &info, current);
+                return false;
+        } else {
+                return true;
+        }
+}
 bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
 {
        struct task_struct *tsk;
        unsigned long caller;
        int vsyscall_nr;
+        int prev_sig_on_uaccess_error;
        long ret;
        /*
@@ -180,35 +209,65 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
        if (seccomp_mode(&tsk->seccomp))
                do_exit(SIGKILL);
+        /*
+         * With a real vsyscall, page faults cause SIGSEGV.  We want to
+         * preserve that behavior to make writing exploits harder.
+         */
+        prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
+        current_thread_info()->sig_on_uaccess_error = 1;
+        /*
+         * 0 is a valid user pointer (in the access_ok sense) on 32-bit and
+         * 64-bit, so we don't need to special-case it here.  For all the
+         * vsyscalls, 0 means "don't write anything" not "write it at
+         * address 0".
+         */
+        ret = -EFAULT;
        switch (vsyscall_nr) {
        case 0:
+                if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) ||
+                    !write_ok_or_segv(regs->si, sizeof(struct timezone)))
+                        break;
                ret = sys_gettimeofday(
                        (struct timeval __user *)regs->di,
                        (struct timezone __user *)regs->si);
                break;
        case 1:
+                if (!write_ok_or_segv(regs->di, sizeof(time_t)))
+                        break;
                ret = sys_time((time_t __user *)regs->di);
                break;
        case 2:
+                if (!write_ok_or_segv(regs->di, sizeof(unsigned)) ||
+                    !write_ok_or_segv(regs->si, sizeof(unsigned)))
+                        break;
                ret = sys_getcpu((unsigned __user *)regs->di,
                                 (unsigned __user *)regs->si,
                                 0);
                break;
        }
+        current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
        if (ret == -EFAULT) {
-                /*
+                /* Bad news -- userspace fed a bad pointer to a vsyscall. */
-                 * Bad news -- userspace fed a bad pointer to a vsyscall.
-                 *
-                 * With a real vsyscall, that would have caused SIGSEGV.
-                 * To make writing reliable exploits using the emulated
-                 * vsyscalls harder, generate SIGSEGV here as well.
-                 */
                warn_bad_vsyscall(KERN_INFO, regs,
                                  "vsyscall fault (exploit attempt?)");
-                goto sigsegv;
+                /*
+                 * If we failed to generate a signal for any reason,
+                 * generate one here.  (This should be impossible.)
+                 */
+                if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
+                                 !sigismember(&tsk->pending.signal, SIGSEGV)))
+                        goto sigsegv;
+                return true;  /* Don't emulate the ret. */
        }
        regs->ax = ret;
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index d0474ad2a6e5..1fb85dbe390a 100644
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -25,7 +25,7 @@ int fixup_exception(struct pt_regs *regs)
        if (fixup) {
                /* If fixup is less than 16, it means uaccess error */
                if (fixup->fixup < 16) {
-                        current_thread_info()->uaccess_err = -EFAULT;
+                        current_thread_info()->uaccess_err = 1;
                        regs->ip += fixup->fixup;
                        return 1;
                }
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 5db0490deb07..9d74824a708d 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -626,7 +626,7 @@ pgtable_bad(struct pt_regs *regs, unsigned long error_code,
 static noinline void
 no_context(struct pt_regs *regs, unsigned long error_code,
-           unsigned long address)
+           unsigned long address, int signal, int si_code)
 {
        struct task_struct *tsk = current;
        unsigned long *stackend;
@@ -634,8 +634,17 @@ no_context(struct pt_regs *regs, unsigned long error_code,
        int sig;
        /* Are we prepared to handle this kernel fault? */
-        if (fixup_exception(regs))
+        if (fixup_exception(regs)) {
+                if (current_thread_info()->sig_on_uaccess_error && signal) {
+                        tsk->thread.trap_no = 14;
+                        tsk->thread.error_code = error_code | PF_USER;
+                        tsk->thread.cr2 = address;
+                        /* XXX: hwpoison faults will set the wrong code. */
+                        force_sig_info_fault(signal, si_code, address, tsk, 0);
+                }
                return;
+        }
        /*
         * 32-bit:
@@ -755,7 +764,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
        if (is_f00f_bug(regs, address))
                return;
-        no_context(regs, error_code, address);
+        no_context(regs, error_code, address, SIGSEGV, si_code);
 }
 static noinline void
@@ -819,7 +828,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
        /* Kernel mode? Handle exceptions or die: */
        if (!(error_code & PF_USER)) {
-                no_context(regs, error_code, address);
+                no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
                return;
        }
@@ -854,7 +863,7 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
                if (!(fault & VM_FAULT_RETRY))
                        up_read(&current->mm->mmap_sem);
                if (!(error_code & PF_USER))
-                        no_context(regs, error_code, address);
+                        no_context(regs, error_code, address, 0, 0);
                return 1;
        }
        if (!(fault & VM_FAULT_ERROR))
@@ -864,7 +873,8 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
                /* Kernel mode? Handle exceptions or die: */
                if (!(error_code & PF_USER)) {
                        up_read(&current->mm->mmap_sem);
-                        no_context(regs, error_code, address);
+                        no_context(regs, error_code, address,
+                                   SIGSEGV, SEGV_MAPERR);
                        return 1;
                }

diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h index a1fe5c127b52..25ebd792725b 100644 --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h
@@ -40,7 +40,8 @@ struct thread_info {
40	*/	40	*/
41	__u8 supervisor_stack[0];	41	__u8 supervisor_stack[0];
42	#endif	42	#endif
43	int uaccess_err;	43	int sig_on_uaccess_error:1;
		44	int uaccess_err:1; /* uaccess failed */
44	};	45	};
45		46
46	#define INIT_THREAD_INFO(tsk) \	47	#define INIT_THREAD_INFO(tsk) \


diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 36361bf6fdd1..8be5f54d9360 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h
@@ -462,7 +462,7 @@ struct __large_struct { unsigned long buf[100]; };
462	barrier();	462	barrier();
463		463
464	#define uaccess_catch(err) \	464	#define uaccess_catch(err) \
465	(err) \|= current_thread_info()->uaccess_err; \	465	(err) \|= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
466	current_thread_info()->uaccess_err = prev_err; \	466	current_thread_info()->uaccess_err = prev_err; \
467	} while (0)	467	} while (0)
468		468


diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c index e4d4a22e8b94..8084beccd64e 100644 --- a/arch/x86/kernel/vsyscall_64.c +++ b/arch/x86/kernel/vsyscall_64.c
@@ -140,11 +140,40 @@ static int addr_to_vsyscall_nr(unsigned long addr)
140	return nr;	140	return nr;
141	}	141	}
142		142
		143	static bool write_ok_or_segv(unsigned long ptr, size_t size)
		144	{
		145	/*
		146	* XXX: if access_ok, get_user, and put_user handled
		147	* sig_on_uaccess_error, this could go away.
		148	*/
		149
		150	if (!access_ok(VERIFY_WRITE, (void __user *)ptr, size)) {
		151	siginfo_t info;
		152	struct thread_struct *thread = &current->thread;
		153
		154	thread->error_code = 6; /* user fault, no page, write */
		155	thread->cr2 = ptr;
		156	thread->trap_no = 14;
		157
		158	memset(&info, 0, sizeof(info));
		159	info.si_signo = SIGSEGV;
		160	info.si_errno = 0;
		161	info.si_code = SEGV_MAPERR;
		162	info.si_addr = (void __user *)ptr;
		163
		164	force_sig_info(SIGSEGV, &info, current);
		165	return false;
		166	} else {
		167	return true;
		168	}
		169	}
		170
143	bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)	171	bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
144	{	172	{
145	struct task_struct *tsk;	173	struct task_struct *tsk;
146	unsigned long caller;	174	unsigned long caller;
147	int vsyscall_nr;	175	int vsyscall_nr;
		176	int prev_sig_on_uaccess_error;
148	long ret;	177	long ret;
149		178
150	/*	179	/*
@@ -180,35 +209,65 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
180	if (seccomp_mode(&tsk->seccomp))	209	if (seccomp_mode(&tsk->seccomp))
181	do_exit(SIGKILL);	210	do_exit(SIGKILL);
182		211
		212	/*
		213	* With a real vsyscall, page faults cause SIGSEGV. We want to
		214	* preserve that behavior to make writing exploits harder.
		215	*/
		216	prev_sig_on_uaccess_error = current_thread_info()->sig_on_uaccess_error;
		217	current_thread_info()->sig_on_uaccess_error = 1;
		218
		219	/*
		220	* 0 is a valid user pointer (in the access_ok sense) on 32-bit and
		221	* 64-bit, so we don't need to special-case it here. For all the
		222	* vsyscalls, 0 means "don't write anything" not "write it at
		223	* address 0".
		224	*/
		225	ret = -EFAULT;
183	switch (vsyscall_nr) {	226	switch (vsyscall_nr) {
184	case 0:	227	case 0:
		228	if (!write_ok_or_segv(regs->di, sizeof(struct timeval)) \|\|
		229	!write_ok_or_segv(regs->si, sizeof(struct timezone)))
		230	break;
		231
185	ret = sys_gettimeofday(	232	ret = sys_gettimeofday(
186	(struct timeval __user *)regs->di,	233	(struct timeval __user *)regs->di,
187	(struct timezone __user *)regs->si);	234	(struct timezone __user *)regs->si);
188	break;	235	break;
189		236
190	case 1:	237	case 1:
		238	if (!write_ok_or_segv(regs->di, sizeof(time_t)))
		239	break;
		240
191	ret = sys_time((time_t __user *)regs->di);	241	ret = sys_time((time_t __user *)regs->di);
192	break;	242	break;
193		243
194	case 2:	244	case 2:
		245	if (!write_ok_or_segv(regs->di, sizeof(unsigned)) \|\|
		246	!write_ok_or_segv(regs->si, sizeof(unsigned)))
		247	break;
		248
195	ret = sys_getcpu((unsigned __user *)regs->di,	249	ret = sys_getcpu((unsigned __user *)regs->di,
196	(unsigned __user *)regs->si,	250	(unsigned __user *)regs->si,
197	0);	251	0);
198	break;	252	break;
199	}	253	}
200		254
		255	current_thread_info()->sig_on_uaccess_error = prev_sig_on_uaccess_error;
		256
201	if (ret == -EFAULT) {	257	if (ret == -EFAULT) {
202	/*	258	/* Bad news -- userspace fed a bad pointer to a vsyscall. */
203	* Bad news -- userspace fed a bad pointer to a vsyscall.
204	*
205	* With a real vsyscall, that would have caused SIGSEGV.
206	* To make writing reliable exploits using the emulated
207	* vsyscalls harder, generate SIGSEGV here as well.
208	*/
209	warn_bad_vsyscall(KERN_INFO, regs,	259	warn_bad_vsyscall(KERN_INFO, regs,
210	"vsyscall fault (exploit attempt?)");	260	"vsyscall fault (exploit attempt?)");
211	goto sigsegv;	261
		262	/*
		263	* If we failed to generate a signal for any reason,
		264	* generate one here. (This should be impossible.)
		265	*/
		266	if (WARN_ON_ONCE(!sigismember(&tsk->pending.signal, SIGBUS) &&
		267	!sigismember(&tsk->pending.signal, SIGSEGV)))
		268	goto sigsegv;
		269
		270	return true; /* Don't emulate the ret. */
212	}	271	}
213		272
214	regs->ax = ret;	273	regs->ax = ret;


diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index d0474ad2a6e5..1fb85dbe390a 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c
@@ -25,7 +25,7 @@ int fixup_exception(struct pt_regs *regs)
25	if (fixup) {	25	if (fixup) {
26	/* If fixup is less than 16, it means uaccess error */	26	/* If fixup is less than 16, it means uaccess error */
27	if (fixup->fixup < 16) {	27	if (fixup->fixup < 16) {
28	current_thread_info()->uaccess_err = -EFAULT;	28	current_thread_info()->uaccess_err = 1;
29	regs->ip += fixup->fixup;	29	regs->ip += fixup->fixup;
30	return 1;	30	return 1;
31	}	31	}


diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 5db0490deb07..9d74824a708d 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c
@@ -626,7 +626,7 @@ pgtable_bad(struct pt_regs *regs, unsigned long error_code,
626		626
627	static noinline void	627	static noinline void
628	no_context(struct pt_regs *regs, unsigned long error_code,	628	no_context(struct pt_regs *regs, unsigned long error_code,
629	unsigned long address)	629	unsigned long address, int signal, int si_code)
630	{	630	{
631	struct task_struct *tsk = current;	631	struct task_struct *tsk = current;
632	unsigned long *stackend;	632	unsigned long *stackend;
@@ -634,8 +634,17 @@ no_context(struct pt_regs *regs, unsigned long error_code,
634	int sig;	634	int sig;
635		635
636	/* Are we prepared to handle this kernel fault? */	636	/* Are we prepared to handle this kernel fault? */
637	if (fixup_exception(regs))	637	if (fixup_exception(regs)) {
		638	if (current_thread_info()->sig_on_uaccess_error && signal) {
		639	tsk->thread.trap_no = 14;
		640	tsk->thread.error_code = error_code \| PF_USER;
		641	tsk->thread.cr2 = address;
		642
		643	/* XXX: hwpoison faults will set the wrong code. */
		644	force_sig_info_fault(signal, si_code, address, tsk, 0);
		645	}
638	return;	646	return;
		647	}
639		648
640	/*	649	/*
641	* 32-bit:	650	* 32-bit:
@@ -755,7 +764,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
755	if (is_f00f_bug(regs, address))	764	if (is_f00f_bug(regs, address))
756	return;	765	return;
757		766
758	no_context(regs, error_code, address);	767	no_context(regs, error_code, address, SIGSEGV, si_code);
759	}	768	}
760		769
761	static noinline void	770	static noinline void
@@ -819,7 +828,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
819		828
820	/* Kernel mode? Handle exceptions or die: */	829	/* Kernel mode? Handle exceptions or die: */
821	if (!(error_code & PF_USER)) {	830	if (!(error_code & PF_USER)) {
822	no_context(regs, error_code, address);	831	no_context(regs, error_code, address, SIGBUS, BUS_ADRERR);
823	return;	832	return;
824	}	833	}
825		834
@@ -854,7 +863,7 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
854	if (!(fault & VM_FAULT_RETRY))	863	if (!(fault & VM_FAULT_RETRY))
855	up_read(&current->mm->mmap_sem);	864	up_read(&current->mm->mmap_sem);
856	if (!(error_code & PF_USER))	865	if (!(error_code & PF_USER))
857	no_context(regs, error_code, address);	866	no_context(regs, error_code, address, 0, 0);
858	return 1;	867	return 1;
859	}	868	}
860	if (!(fault & VM_FAULT_ERROR))	869	if (!(fault & VM_FAULT_ERROR))
@@ -864,7 +873,8 @@ mm_fault_error(struct pt_regs *regs, unsigned long error_code,
864	/* Kernel mode? Handle exceptions or die: */	873	/* Kernel mode? Handle exceptions or die: */
865	if (!(error_code & PF_USER)) {	874	if (!(error_code & PF_USER)) {
866	up_read(&current->mm->mmap_sem);	875	up_read(&current->mm->mmap_sem);
867	no_context(regs, error_code, address);	876	no_context(regs, error_code, address,
		877	SIGSEGV, SEGV_MAPERR);
868	return 1;	878	return 1;
869	}	879	}
870		880