Message ID | 20220615014714.1650349-1-chenlifu@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | [-next] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit |
> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), > if __clear_user and __copy_user return from an fixup branch, > CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that > S-mode memory accesses to pages that are accessible by U-mode will success. > Disable S-mode access to U-mode memory should clear SR_SUM bit. > > Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") > > Signed-off-by: Chen Lifu <chenlifu@huawei.com> > --- > arch/riscv/lib/uaccess.S | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S > index 8c475f4da308..ec486e5369d9 100644 > --- a/arch/riscv/lib/uaccess.S > +++ b/arch/riscv/lib/uaccess.S > @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) > ret > > /* Exception fixup code */ > 10: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, t5 > ret > ENDPROC(__asm_copy_to_user) > ENDPROC(__asm_copy_from_user) > EXPORT_SYMBOL(__asm_copy_to_user) > @@ -225,10 +225,10 @@ ENTRY(__clear_user) > j 3b > > /* Exception fixup code */ > 11: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, a1 > ret > ENDPROC(__clear_user) > EXPORT_SYMBOL(__clear_user) > friendly ping ...
>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and >> assembly") >> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup >> code"), >> if __clear_user and __copy_user return from an fixup branch, >> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that >> S-mode memory accesses to pages that are accessible by U-mode will >> success. >> Disable S-mode access to U-mode memory should clear SR_SUM bit. >> >> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") >> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") >> >> Signed-off-by: Chen Lifu <chenlifu@huawei.com> >> --- >> arch/riscv/lib/uaccess.S | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S >> index 8c475f4da308..ec486e5369d9 100644 >> --- a/arch/riscv/lib/uaccess.S >> +++ b/arch/riscv/lib/uaccess.S >> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) >> ret >> /* Exception fixup code */ >> 10: >> /* Disable access to user memory */ >> - csrs CSR_STATUS, t6 >> + csrc CSR_STATUS, t6 >> mv a0, t5 >> ret >> ENDPROC(__asm_copy_to_user) >> ENDPROC(__asm_copy_from_user) >> EXPORT_SYMBOL(__asm_copy_to_user) >> @@ -225,10 +225,10 @@ ENTRY(__clear_user) >> j 3b >> /* Exception fixup code */ >> 11: >> /* Disable access to user memory */ >> - csrs CSR_STATUS, t6 >> + csrc CSR_STATUS, t6 >> mv a0, a1 >> ret >> ENDPROC(__clear_user) >> EXPORT_SYMBOL(__clear_user) >> > > friendly ping ... > friendly ping ... > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv > .
On 15/06/2022 02:47, Chen Lifu wrote: > Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), > if __clear_user and __copy_user return from an fixup branch, > CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that > S-mode memory accesses to pages that are accessible by U-mode will success. > Disable S-mode access to U-mode memory should clear SR_SUM bit. > > Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") > > Signed-off-by: Chen Lifu <chenlifu@huawei.com> I've not run tested this, but it does look correct Reviewed-by: Ben Dooks <ben.dooks@codethink.co.uk> > --- > arch/riscv/lib/uaccess.S | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S > index 8c475f4da308..ec486e5369d9 100644 > --- a/arch/riscv/lib/uaccess.S > +++ b/arch/riscv/lib/uaccess.S > @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) > ret > > /* Exception fixup code */ > 10: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, t5 > ret > ENDPROC(__asm_copy_to_user) > ENDPROC(__asm_copy_from_user) > EXPORT_SYMBOL(__asm_copy_to_user) > @@ -225,10 +225,10 @@ ENTRY(__clear_user) > j 3b > > /* Exception fixup code */ > 11: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, a1 > ret > ENDPROC(__clear_user) > EXPORT_SYMBOL(__clear_user)
On 2022/7/15 11:47, chenlifu wrote: >>> Since commit 5d8544e2d007 ("RISC-V: Generic library routines and >>> assembly") >>> and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup >>> code"), >>> if __clear_user and __copy_user return from an fixup branch, >>> CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that >>> S-mode memory accesses to pages that are accessible by U-mode will >>> success. >>> Disable S-mode access to U-mode memory should clear SR_SUM bit. >>> >>> Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") >>> Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") >>> >>> Signed-off-by: Chen Lifu <chenlifu@huawei.com> >>> --- >>> arch/riscv/lib/uaccess.S | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S >>> index 8c475f4da308..ec486e5369d9 100644 >>> --- a/arch/riscv/lib/uaccess.S >>> +++ b/arch/riscv/lib/uaccess.S >>> @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) >>> ret >>> /* Exception fixup code */ >>> 10: >>> /* Disable access to user memory */ >>> - csrs CSR_STATUS, t6 >>> + csrc CSR_STATUS, t6 >>> mv a0, t5 >>> ret >>> ENDPROC(__asm_copy_to_user) >>> ENDPROC(__asm_copy_from_user) >>> EXPORT_SYMBOL(__asm_copy_to_user) >>> @@ -225,10 +225,10 @@ ENTRY(__clear_user) >>> j 3b >>> /* Exception fixup code */ >>> 11: >>> /* Disable access to user memory */ >>> - csrs CSR_STATUS, t6 >>> + csrc CSR_STATUS, t6 >>> mv a0, a1 >>> ret >>> ENDPROC(__clear_user) >>> EXPORT_SYMBOL(__clear_user) >>> >> >> friendly ping ... >> > > friendly ping ... > >> _______________________________________________ >> linux-riscv mailing list >> linux-riscv@lists.infradead.org >> http://lists.infradead.org/mailman/listinfo/linux-riscv >> . > . friendly ping ...
On Tue, 14 Jun 2022 18:47:14 PDT (-0700), chenlifu@huawei.com wrote: > Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), > if __clear_user and __copy_user return from an fixup branch, > CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that > S-mode memory accesses to pages that are accessible by U-mode will success. > Disable S-mode access to U-mode memory should clear SR_SUM bit. > > Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") > Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") > > Signed-off-by: Chen Lifu <chenlifu@huawei.com> > --- > arch/riscv/lib/uaccess.S | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S > index 8c475f4da308..ec486e5369d9 100644 > --- a/arch/riscv/lib/uaccess.S > +++ b/arch/riscv/lib/uaccess.S > @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) > ret > > /* Exception fixup code */ > 10: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, t5 > ret > ENDPROC(__asm_copy_to_user) > ENDPROC(__asm_copy_from_user) > EXPORT_SYMBOL(__asm_copy_to_user) > @@ -225,10 +225,10 @@ ENTRY(__clear_user) > j 3b > > /* Exception fixup code */ > 11: > /* Disable access to user memory */ > - csrs CSR_STATUS, t6 > + csrc CSR_STATUS, t6 > mv a0, a1 > ret > ENDPROC(__clear_user) > EXPORT_SYMBOL(__clear_user) Thanks, this is on for-next (still for 5.20).
diff --git a/arch/riscv/lib/uaccess.S b/arch/riscv/lib/uaccess.S index 8c475f4da308..ec486e5369d9 100644 --- a/arch/riscv/lib/uaccess.S +++ b/arch/riscv/lib/uaccess.S @@ -173,11 +173,11 @@ ENTRY(__asm_copy_from_user) ret /* Exception fixup code */ 10: /* Disable access to user memory */ - csrs CSR_STATUS, t6 + csrc CSR_STATUS, t6 mv a0, t5 ret ENDPROC(__asm_copy_to_user) ENDPROC(__asm_copy_from_user) EXPORT_SYMBOL(__asm_copy_to_user) @@ -225,10 +225,10 @@ ENTRY(__clear_user) j 3b /* Exception fixup code */ 11: /* Disable access to user memory */ - csrs CSR_STATUS, t6 + csrc CSR_STATUS, t6 mv a0, a1 ret ENDPROC(__clear_user) EXPORT_SYMBOL(__clear_user)
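Review bot: at label 10 the new `csrc CSR_STATUS, t6` only closes the user-access window if t6 still holds the SR_SUM mask when the fixup is entered, and nothing in this hunk shows where t6 is loaded or that the copy paths leave it untouched. A one-line comment at the label stating that t6 must hold the mask on entry, or reloading the mask just before the `csrc`, would protect the fixup against a later change that reuses t6 as scratch.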
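Review bot: label 11 in __clear_user carried the same `csrs`/`csrc` mix-up as label 10, under a comment that already read "Disable access to user memory", so the enable and disable sequences are kept in sync by hand in two routines. Consider putting the pair behind shared assembler macros, and adding a test that forces a fault in each routine and checks that the SR_SUM bit is clear on return, so a regression here is caught by something other than inspection.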
Since commit 5d8544e2d007 ("RISC-V: Generic library routines and assembly") and commit ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code"), if __clear_user and __copy_user return from an fixup branch, CSR_STATUS SR_SUM bit will be set, it is a vulnerability, so that S-mode memory accesses to pages that are accessible by U-mode will success. Disable S-mode access to U-mode memory should clear SR_SUM bit. Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") Fixes: ebcbd75e3962 ("riscv: Fix the bug in memory access fixup code") Signed-off-by: Chen Lifu <chenlifu@huawei.com> --- arch/riscv/lib/uaccess.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
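The effect of the one-instruction change, as an added C model that is not code from the patch or the kernel: `struct hart`, `model_user_copy` and `sum_leaks` are hypothetical names, `SR_SUM` is taken as bit 18 of the status CSR, and the normal exit is assumed to clear the bit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SR_SUM 0x00040000UL /* status.SUM: permit S-mode access to U pages */

struct hart { uint64_t status; };   /* toy model of CSR_STATUS (hypothetical) */

static void csrs(struct hart *h, uint64_t m) { h->status |= m; }   /* set bits */
static void csrc(struct hart *h, uint64_t m) { h->status &= ~m; }  /* clear bits */

/*
 * Hypothetical model of one user-copy call: open the access window, then
 * leave by the normal exit or by the exception fixup. fixed == false
 * reproduces the pre-patch fixup (csrs), fixed == true the patched one (csrc).
 */
static void model_user_copy(struct hart *h, bool fault, bool fixed)
{
    const uint64_t t6 = SR_SUM;   /* mask register, named as in the hunks */

    csrs(h, t6);                  /* enable access to user memory */
    if (!fault) {
        csrc(h, t6);              /* normal exit (assumed to clear SUM) */
        return;
    }
    if (fixed)
        csrc(h, t6);              /* patched fixup: window closed */
    else
        csrs(h, t6);              /* pre-patch fixup: window left open */
}

/* Invariant: once the routine has returned, SUM must be clear again. */
static bool sum_leaks(bool fault, bool fixed)
{
    struct hart h = { .status = 0 };

    model_user_copy(&h, fault, fixed);
    return (h.status & SR_SUM) != 0;
}

int main(void)
{
    printf("fault, pre-patch fixup: SUM left set = %d\n", sum_leaks(true, false));
    printf("fault, patched fixup:   SUM left set = %d\n", sum_leaks(true, true));
    printf("no fault:               SUM left set = %d\n", sum_leaks(false, false));
    return 0;
}
```

Only the faulting path through the pre-patch fixup returns with the bit still set, which is the state the commit message describes.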