powerpc/mm/hash: Hand user access of kernel address gracefully
Michael Ellerman
patch-notifications at ellerman.id.au
Sat Dec 22 20:54:30 AEDT 2018
On Mon, 2018-11-26 at 14:35:04 UTC, "Aneesh Kumar K.V" wrote:
> With commit 2865d08dd9ea ("powerpc/mm: Move the DSISR_PROTFAULT sanity check")
> we moved the protection fault access check before vma lookup. That means we
> hit that WARN_ON when user space access a kernel address. Before the commit
> this was handled by find_vma() not finding vma for the kernel address and
> considering that access as bad area access.
>
> Avoid the confusing WARN_ON and convert that to a ratelimited printk.
> With the patch we now get
>
> for load:
> [ 187.700294] a.out[5997]: User access of kernel address (c00000000000dea0) - exploit attempt? (uid: 1000)
> [ 187.700344] a.out[5997]: segfault (11) at c00000000000dea0 nip 1317c0798 lr 7fff80d6441c code 1 in a.out[1317c0000+10000]
> [ 187.700429] a.out[5997]: code: 60000000 60420000 3c4c0002 38427790 4bffff20 3c4c0002 38427784 fbe1fff8
> [ 187.700435] a.out[5997]: code: f821ffc1 7c3f0b78 60000000 e9228030 <89290000> 993f002f 60000000 383f0040
>
> for exec:
> [ 225.100903] a.out[6067]: User access of kernel address (c00000000000dea0) - exploit attempt? (uid: 1000)
> [ 225.100938] a.out[6067]: segfault (11) at c00000000000dea0 nip c00000000000dea0 lr 129d507b0 code 1
> [ 225.100943] a.out[6067]: Bad NIP, not dumping instructions.
>
> Fixes: 2865d08dd9ea ("powerpc/mm: Move the DSISR_PROTFAULT sanity check")
> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.ibm.com>
> Tested-by: Breno Leitao <leitao at debian.org>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/374f3f5979f9b28bfb5b5799208d82
cheers
More information about the Linuxppc-dev
mailing list