Re: [PATCH ARM64 v4.4 V3 44/44] arm64: futex: Mask __user pointers prior to dereference
From: Mark Rutland <mark.rutland@arm.com>
Date: 2019-08-30 09:42:54
Also in:
stable
On Thu, Aug 29, 2019 at 05:04:29PM +0530, Viresh Kumar wrote:
From: Will Deacon <redacted> commit 91b2d3442f6a44dce875670d702af22737ad5eff upstream. The arm64 futex code has some explicit dereferencing of user pointers where performing atomic operations in response to a futex command. This patch uses masking to limit any speculative futex operations to within the user address space. Signed-off-by: Will Deacon <redacted> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
This would have made more sense immediately following patch 11, as in mainline and the v4.9 backport. Having things applied in the same order makes it much easier to compare and verify. Regardless: Reviewed-by: Mark Rutland <mark.rutland@arm.com> [v4.4 backport] Mark.
quoted hunk ↗ jump to hunk
--- arch/arm64/include/asm/futex.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h index 34d4d2e2f561..8ab6e83cb629 100644 --- a/arch/arm64/include/asm/futex.h +++ b/arch/arm64/include/asm/futex.h@@ -53,9 +53,10 @@ : "memory") static inline int -arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) +arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) { int oldval = 0, ret, tmp; + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); pagefault_disable();@@ -93,15 +94,17 @@ arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *uaddr) } static inline int -futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr, +futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr, u32 oldval, u32 newval) { int ret = 0; u32 val, tmp; + u32 __user *uaddr; - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32))) return -EFAULT; + uaddr = __uaccess_mask_ptr(_uaddr); asm volatile("// futex_atomic_cmpxchg_inatomic\n" ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN) " prfm pstl1strm, %2\n"-- 2.21.0.rc0.269.g1a574e7a288b
_______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel