[PATCH] powerpc/futex: Fix incorrect user access blocking

Daniel Axtens dja at axtens.net
Fri Feb 7 23:30:37 AEDT 2020 

Michael Ellerman <mpe at ellerman.id.au> writes:

> The early versions of our kernel user access prevention (KUAP) were
> written by Russell and Christophe, and didn't have separate
> read/write access.
>
> At some point I picked up the series and added the read/write access,
> but I failed to update the usages in futex.h to correctly allow read
> and write.
>
> However we didn't notice because of another bug which was causing the
> low-level code to always enable read and write. That bug was fixed
> recently in commit 1d8f739b07bd ("powerpc/kuap: Fix set direction in
> allow/prevent_user_access()").
>
> futex_atomic_cmpxchg_inatomic() is passed the user address as %3 and
> does:
>
>   1:     lwarx   %1,  0, %3
>          cmpw    0,  %1, %4
>          bne-    3f
>   2:     stwcx.  %5,  0, %3
>
> Which clearly loads and stores from/to %3. The logic in
> arch_futex_atomic_op_inuser() is similar, so fix both of them to use
> allow_read_write_user().
>
> Without this fix, and with PPC_KUAP_DEBUG=y, we see eg:
>
>   Bug: Read fault blocked by AMR!
>   WARNING: CPU: 94 PID: 149215 at arch/powerpc/include/asm/book3s/64/kup-radix.h:126 __do_page_fault+0x600/0xf30
>   CPU: 94 PID: 149215 Comm: futex_requeue_p Tainted: G        W         5.5.0-rc7-gcc9x-g4c25df5640ae #1
>   ...
>   NIP [c000000000070680] __do_page_fault+0x600/0xf30
>   LR [c00000000007067c] __do_page_fault+0x5fc/0xf30
>   Call Trace:
>   [c00020138e5637e0] [c00000000007067c] __do_page_fault+0x5fc/0xf30 (unreliable)
>   [c00020138e5638c0] [c00000000000ada8] handle_page_fault+0x10/0x30
>   --- interrupt: 301 at cmpxchg_futex_value_locked+0x68/0xd0
>       LR = futex_lock_pi_atomic+0xe0/0x1f0
>   [c00020138e563bc0] [c000000000217b50] futex_lock_pi_atomic+0x80/0x1f0 (unreliable)
>   [c00020138e563c30] [c00000000021b668] futex_requeue+0x438/0xb60
>   [c00020138e563d60] [c00000000021c6cc] do_futex+0x1ec/0x2b0
>   [c00020138e563d90] [c00000000021c8b8] sys_futex+0x128/0x200
>   [c00020138e563e20] [c00000000000b7ac] system_call+0x5c/0x68
>
> Fixes: de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection")
Reported-by: syzbot+e808452bad7c375cbee6 at syzkaller-ppc64.appspotmail.com
> Cc: stable at vger.kernel.org # v5.2+
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>

More information about the Linuxppc-dev mailing list