From patchwork Fri Feb 19 23:20:11 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Miller X-Patchwork-Id: 45895 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id B81B8B7C98 for ; Sat, 20 Feb 2010 10:19:56 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755580Ab0BSXTz (ORCPT ); Fri, 19 Feb 2010 18:19:55 -0500 Received: from 74-93-104-97-Washington.hfc.comcastbusiness.net ([74.93.104.97]:55494 "EHLO sunset.davemloft.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755563Ab0BSXTy (ORCPT ); Fri, 19 Feb 2010 18:19:54 -0500 Received: from localhost (localhost [127.0.0.1]) by sunset.davemloft.net (Postfix) with ESMTP id 802CB24C0E2; Fri, 19 Feb 2010 15:20:11 -0800 (PST) Date: Fri, 19 Feb 2010 15:20:11 -0800 (PST) Message-Id: <20100219.152011.32519652.davem@davemloft.net> To: spender@grsecurity.net Cc: sparclinux@vger.kernel.org, pageexec@freemail.hu Subject: Re: Execution possible in non-executable mappings in recent 2.6 kernels From: David Miller In-Reply-To: <20100219225724.GA29861@grsecurity.net> References: <20100219225724.GA29861@grsecurity.net> X-Mailer: Mew version 6.3 on Emacs 23.1 / Mule 6.0 (HANACHIRUSATO) Mime-Version: 1.0 Sender: sparclinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: sparclinux@vger.kernel.org Here's the fix, thanks again for the report: sparc64: Fix sun4u execute bit check in TSB I-TLB load. Thanks to testcase and report from Brad Spengler: -------------------- #include typedef int (* _wee)(void); int main(void) { char buf[8] = { '\x81', '\xc7', '\xe0', '\x08', '\x81', '\xe8', '\x00', '\x00' }; _wee wee; printf("%p\n", &buf); wee = (_wee)&buf; wee(); return 0; } -------------------- TSB I-tlb load code tries to use andcc to check the _PAGE_EXEC_4U bit, but that's bit 12 so it gets sign extended all the way up to bit 63 and the test nearly always passes as a result. Use sethi to fix the bug. Signed-off-by: David S. Miller Tested-by: Brad Spengler --- arch/sparc/kernel/tsb.S | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/sparc/kernel/tsb.S b/arch/sparc/kernel/tsb.S index 8c91d9b..db15d12 100644 --- a/arch/sparc/kernel/tsb.S +++ b/arch/sparc/kernel/tsb.S @@ -191,10 +191,12 @@ tsb_dtlb_load: tsb_itlb_load: /* Executable bit must be set. */ -661: andcc %g5, _PAGE_EXEC_4U, %g0 - .section .sun4v_1insn_patch, "ax" +661: sethi %hi(_PAGE_EXEC_4U), %g4 + andcc %g5, %g4, %g0 + .section .sun4v_2insn_patch, "ax" .word 661b andcc %g5, _PAGE_EXEC_4V, %g0 + nop .previous be,pn %xcc, tsb_do_fault