| From foo@baz Sun May 27 17:33:38 CEST 2018 |
| From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> |
| Date: Wed, 21 Mar 2018 17:10:25 +0530 |
| Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer |
| |
| From: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> |
| |
| [ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] |
| |
| The current Branch History Rolling Buffer (BHRB) code does not check |
| for any privilege levels before updating the data from BHRB. This |
| could leak kernel addresses to userspace even when profiling only with |
| userspace privileges. Add proper checks to prevent it. |
| |
| Acked-by: Balbir Singh <bsingharora@gmail.com> |
| Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> |
| Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/powerpc/perf/core-book3s.c | 10 ++++++++++ |
| 1 file changed, 10 insertions(+) |
| |
| --- a/arch/powerpc/perf/core-book3s.c |
| +++ b/arch/powerpc/perf/core-book3s.c |
| @@ -448,6 +448,16 @@ static void power_pmu_bhrb_read(struct c |
| /* invalid entry */ |
| continue; |
| |
| + /* |
| + * BHRB rolling buffer could very much contain the kernel |
| + * addresses at this point. Check the privileges before |
| + * exporting it to userspace (avoid exposure of regions |
| + * where we could have speculative execution) |
| + */ |
| + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && |
| + is_kernel_addr(addr)) |
| + continue; |
| + |
| /* Branches are read most recent first (ie. mfbhrb 0 is |
| * the most recent branch). |
| * There are two types of valid entries: |