# git rev-parse -q --verify ce63b04945771378f238ffd53ea665854aa27e20^{commit}
ce63b04945771378f238ffd53ea665854aa27e20
already have revision, skipping fetch
# git checkout -q -f -B kisskb ce63b04945771378f238ffd53ea665854aa27e20
# git clean -qxdf
# < git log -1
# commit ce63b04945771378f238ffd53ea665854aa27e20
# Author: Michael Ellerman
# Date:   Wed Nov 22 12:15:42 2017 +1100
#
#     powerpc: Check address limit on user-mode return (TIF_FSCHECK)
#
#     set_fs() sets the addr_limit, which is used in access_ok() to
#     determine if an address is a user or kernel address.
#
#     Some code paths use set_fs() to temporarily elevate the addr_limit so
#     that kernel code can read/write kernel memory as if it were user
#     memory. That is fine as long as the code can't ever return to
#     userspace with the addr_limit still elevated.
#
#     If that did happen, then userspace can read/write kernel memory as if
#     it were user memory, eg. just with write(2). In case it's not clear,
#     that is very bad. It has also happened in the past due to bugs.
#
#     Commit 5ea0727b163c ("x86/syscalls: Check address limit on user-mode
#     return") added a mechanism to check the addr_limit value before
#     returning to userspace. Any call to set_fs() sets a thread flag,
#     TIF_FSCHECK, and if we see that on the return to userspace we go out
#     of line to check that the addr_limit value is not elevated.
#
#     For further info see the above commit, as well as:
#       https://lwn.net/Articles/722267/
#       https://bugs.chromium.org/p/project-zero/issues/detail?id=990
#
#     Verified to work on 64-bit Book3S using a POC that objdumps the system
#     call handler, and a modified lkdtm_CORRUPT_USER_DS() that doesn't kill
#     the caller.
#
#     Before:
#       $ sudo ./test-tif-fscheck
#       ...
#       0000000000000000 <.data>:
#          0:   e1 f7 8a 79     rldicl. r10,r12,30,63
#          4:   80 03 82 40     bne     0x384
#          8:   00 40 8a 71     andi.   r10,r12,16384
#          c:   78 0b 2a 7c     mr      r10,r1
#         10:   10 fd 21 38     addi    r1,r1,-752
#         14:   08 00 c2 41     beq-    0x1c
#         18:   58 09 2d e8     ld      r1,2392(r13)
#         1c:   00 00 41 f9     std     r10,0(r1)
#         20:   70 01 61 f9     std     r11,368(r1)
#         24:   78 01 81 f9     std     r12,376(r1)
#         28:   70 00 01 f8     std     r0,112(r1)
#         2c:   78 00 41 f9     std     r10,120(r1)
#         30:   20 00 82 41     beq     0x50
#         34:   a6 42 4c 7d     mftb    r10
#
#     After:
#
#       $ sudo ./test-tif-fscheck
#       Killed
#
#     And in dmesg:
#       Invalid address limit on user-mode return
#       WARNING: CPU: 1 PID: 3689 at ../include/linux/syscalls.h:260 do_notify_resume+0x140/0x170
#       ...
#       NIP [c00000000001ee50] do_notify_resume+0x140/0x170
#       LR [c00000000001ee4c] do_notify_resume+0x13c/0x170
#       Call Trace:
#         do_notify_resume+0x13c/0x170 (unreliable)
#         ret_from_except_lite+0x70/0x74
#
#     Performance overhead is essentially zero in the usual case, because
#     the bit is checked as part of the existing _TIF_USER_WORK_MASK check.
#
#     Signed-off-by: Michael Ellerman
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-gcc --version
# < git log --format=%s --max-count=1 ce63b04945771378f238ffd53ea665854aa27e20
# < make -s -j 48 ARCH=powerpc O=/kisskb/build/powerpc-next_ppc6xx_defconfig_powerpc CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux- ppc6xx_defconfig
# make -s -j 48 ARCH=powerpc O=/kisskb/build/powerpc-next_ppc6xx_defconfig_powerpc CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/powerpc-linux/bin/powerpc-linux-
/kisskb/src/kernel/cgroup/cgroup-v1.c: In function 'cgroup1_mount':
/kisskb/src/kernel/cgroup/cgroup-v1.c:1268:20: warning: 'root' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl':
/kisskb/src/kernel/printk/printk.c:183:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c: In function 'proc_reg_open':
/kisskb/src/include/linux/list.h:65:12: warning: 'pdeo' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c:340:21: note: 'pdeo' was declared here
/kisskb/src/fs/nfsd/nfs4xdr.c: In function 'nfsd4_encode_components_esc':
/kisskb/src/fs/nfsd/nfs4xdr.c:2041:9: warning: 'str' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/sound/ppc/awacs.c: In function 'snd_pmac_awacs_init':
/kisskb/src/include/sound/control.h:223:2: warning: 'speaker_vol' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/sound/ppc/awacs.c:886:36: note: 'speaker_vol' was declared here
/kisskb/src/drivers/base/regmap/regmap.c: In function 'regmap_raw_read':
/kisskb/src/drivers/base/regmap/regmap.c:2497:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/base/regmap/regmap.c: In function '_regmap_raw_write':
/kisskb/src/drivers/base/regmap/regmap.c:1819:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/net/bridge/br_netlink.c: In function 'br_afspec':
/kisskb/src/net/bridge/br_netlink.c:635:7: warning: 'err' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/dma-buf/reservation.c: In function 'reservation_object_add_shared_fence':
/kisskb/src/drivers/dma-buf/reservation.c:225:6: warning: 'k' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/net/mac80211/mlme.c: In function 'ieee80211_rx_mgmt_beacon':
/kisskb/src/net/mac80211/mlme.c:1352:3: warning: 'pwr_level_cisco' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/net/mac80211/mlme.c:1309:6: note: 'pwr_level_cisco' was declared here
/kisskb/src/drivers/tty/serial/8250/8250_core.c: In function 'univ8250_release_irq':
/kisskb/src/drivers/tty/serial/8250/8250_core.c:251:18: warning: 'i' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/tty/serial/8250/8250_core.c:231:19: note: 'i' was declared here
/kisskb/src/drivers/net/tun.c: In function 'tun_get_user':
/kisskb/src/drivers/net/tun.c:1822:30: warning: 'copylen' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/net/tun.c:1732:46: warning: 'linear' may be used uninitialized in this function [-Wuninitialized]
arch/powerpc/boot/mpc8272ads.dtb: Warning (pci_bridge): /pci@f0010800: missing bus-range for PCI bridge
arch/powerpc/boot/mpc8272ads.dtb: Warning (pci_device_bus_num): Failed prerequisite 'pci_bridge'
arch/powerpc/boot/mpc832x_rdb.dtb: Warning (interrupts_property): /qe@e0100000/mdio@3120/ethernet-phy@0:#interrupt-cells: size is (4), expected multiple of 8
arch/powerpc/boot/mpc832x_rdb.dtb: Warning (interrupts_property): /qe@e0100000/mdio@3120/ethernet-phy@4:#interrupt-cells: size is (4), expected multiple of 8
arch/powerpc/boot/pq2fads.dtb: Warning (pci_bridge): /pci@f0010800: missing bus-range for PCI bridge
arch/powerpc/boot/pq2fads.dtb: Warning (pci_device_bus_num): Failed prerequisite 'pci_bridge'
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:20 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4873542 Bytes = 4759.32 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b007a0
INFO: Uncompressed kernel (size 0xa41534) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
INFO: Uncompressed kernel (size 0xa30e10) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:20 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4872363 Bytes = 4758.17 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b00230
INFO: Uncompressed kernel (size 0xa30e10) overlaps the address of the wrapper(0x400000)
INFO: Fixing the link_address of wrapper to (0xb00000)
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:20 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4872035 Bytes = 4757.85 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b00230
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:20 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4848605 Bytes = 4734.97 kB = 4.62 MB
Load Address: 00000000
Entry Point:  00000000
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:21 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4872474 Bytes = 4758.28 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b00230
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:21 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4872154 Bytes = 4757.96 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b00230
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:21 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4872247 Bytes = 4758.05 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b00230
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:21 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4872282 Bytes = 4758.09 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b00230
Image Name:   Linux-4.17.0-rc3+
Created:      Fri May 11 18:29:22 2018
Image Type:   PowerPC Linux Kernel Image (gzip compressed)
Data Size:    4873411 Bytes = 4759.19 kB = 4.65 MB
Load Address: 00b00000
Entry Point:  00b007a0
Completed OK
# rm -rf /kisskb/build/powerpc-next_ppc6xx_defconfig_powerpc
# Build took: 0:02:45.486987