| From b9dd05c7002ee0ca8b676428b2268c26399b5e31 Mon Sep 17 00:00:00 2001 |
| From: Mark Rutland <mark.rutland@arm.com> |
| Date: Thu, 2 Nov 2017 18:44:28 +0100 |
| Subject: ARM: 8720/1: ensure dump_instr() checks addr_limit |
| |
| From: Mark Rutland <mark.rutland@arm.com> |
| |
| commit b9dd05c7002ee0ca8b676428b2268c26399b5e31 upstream. |
| |
| When CONFIG_DEBUG_USER is enabled, it's possible for a user to |
| deliberately trigger dump_instr() with a chosen kernel address. |
| |
| Let's avoid problems resulting from this by using get_user() rather than |
| __get_user(), ensuring that we don't erroneously access kernel memory. |
| |
| So that we can use the same code to dump user instructions and kernel |
| instructions, the common dumping code is factored out to __dump_instr(), |
| with the fs manipulated appropriately in dump_instr() around calls to |
| this. |
| |
| Signed-off-by: Mark Rutland <mark.rutland@arm.com> |
| Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/arm/kernel/traps.c | 28 ++++++++++++++++++---------- |
| 1 file changed, 18 insertions(+), 10 deletions(-) |
| |
| --- a/arch/arm/kernel/traps.c |
| +++ b/arch/arm/kernel/traps.c |
| @@ -152,30 +152,26 @@ static void dump_mem(const char *lvl, co |
| set_fs(fs); |
| } |
| |
| -static void dump_instr(const char *lvl, struct pt_regs *regs) |
| +static void __dump_instr(const char *lvl, struct pt_regs *regs) |
| { |
| unsigned long addr = instruction_pointer(regs); |
| const int thumb = thumb_mode(regs); |
| const int width = thumb ? 4 : 8; |
| - mm_segment_t fs; |
| char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str; |
| int i; |
| |
| /* |
| - * We need to switch to kernel mode so that we can use __get_user |
| - * to safely read from kernel space. Note that we now dump the |
| - * code first, just in case the backtrace kills us. |
| + * Note that we now dump the code first, just in case the backtrace |
| + * kills us. |
| */ |
| - fs = get_fs(); |
| - set_fs(KERNEL_DS); |
| |
| for (i = -4; i < 1 + !!thumb; i++) { |
| unsigned int val, bad; |
| |
| if (thumb) |
| - bad = __get_user(val, &((u16 *)addr)[i]); |
| + bad = get_user(val, &((u16 *)addr)[i]); |
| else |
| - bad = __get_user(val, &((u32 *)addr)[i]); |
| + bad = get_user(val, &((u32 *)addr)[i]); |
| |
| if (!bad) |
| p += sprintf(p, i == 0 ? "(%0*x) " : "%0*x ", |
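Review bot: `__dump_instr()` now carries an unwritten precondition. The `get_user()` calls in the loop are only as strict as the addr_limit the caller left in place, and the trimmed block comment no longer says how the reads are bounded. A short comment above the helper would warn a future caller against invoking it under KERNEL_DS with a user-controlled PC, for example `/* Caller must set addr_limit: get_user() rejects kernel addresses only under USER_DS. */`. The function body continues past the end of this hunk.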
| @@ -186,8 +182,20 @@ static void dump_instr(const char *lvl, |
| } |
| } |
| printk("%sCode: %s\n", lvl, str); |
| +} |
| |
| - set_fs(fs); |
| +static void dump_instr(const char *lvl, struct pt_regs *regs) |
| +{ |
| + mm_segment_t fs; |
| + |
| + if (!user_mode(regs)) { |
| + fs = get_fs(); |
| + set_fs(KERNEL_DS); |
| + __dump_instr(lvl, regs); |
| + set_fs(fs); |
| + } else { |
| + __dump_instr(lvl, regs); |
| + } |
| } |
| |
| #ifdef CONFIG_ARM_UNWIND |
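Review bot: The `else` branch of `dump_instr()` assumes addr_limit is already USER_DS on entry, and nothing in the visible lines establishes that. If any path reached this function for a user-mode `regs` while KERNEL_DS was still in effect, `get_user()` would accept a kernel address again; whether such a path exists cannot be judged from this hunk. The assumption deserves a comment at the branch, e.g. `/* user PC is untrusted: leave addr_limit alone so get_user() rejects kernel addresses */`.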