Re: [PATCH] ARM: fault: Implement copy_from_kernel_nofault_allowed()
From: Ard Biesheuvel
Date: Tue Jan 23 2024 - 08:45:40 EST
On Tue, 23 Jan 2024 at 02:12, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> Under PAN emulation when dumping backtraces from things like the
> LKDTM EXEC_USERSPACE test[1], a double fault (which would hang a CPU)
> would happen because of dump_instr() attempting to read a userspace
> address. Make sure copy_from_kernel_nofault() does not attempt this
> any more.
>
> Reported-by: Mark Brown <broonie@xxxxxxxxxx>
> Link: https://lore.kernel.org/all/202401181125.D48DCB4C@keescook/ [1]
> Suggested-by: "Russell King (Oracle)" <linux@xxxxxxxxxxxxxxx>
> Cc: Russell King <linux@xxxxxxxxxxxxxxx>
> Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
> Cc: Wang Kefeng <wangkefeng.wang@xxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> Cc: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
> arch/arm/mm/fault.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
> index e804432e905e..bc5b959b6f90 100644
> --- a/arch/arm/mm/fault.c
> +++ b/arch/arm/mm/fault.c
> @@ -25,6 +25,13 @@
>
> #include "fault.h"
>
> +bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
> +{
> + unsigned long addr = (unsigned long)unsafe_src;
> +
> + return addr >= TASK_SIZE && ULONG_MAX - addr >= size;
> +}
> +
> #ifdef CONFIG_MMU
>
> /*
> --
> 2.34.1
>