From patchwork Wed Nov 7 12:12:49 2018
X-Patchwork-Submitter: Eugeniy Paltsev
X-Patchwork-Id: 994216
From: Eugeniy Paltsev
To: linux-snps-arc@lists.infradead.org, Vineet Gupta
Cc: linux-arch@vger.kernel.org, Alexey Brodkin, Eugeniy Paltsev, linux-kernel@vger.kernel.org, "Eric W. Biederman"
Subject: [PATCH] ARC: MM: fix UB and kernel resource leak in do_page_fault
Date: Wed, 7 Nov 2018 15:12:49 +0300
Message-Id: <20181107121249.6657-1-Eugeniy.Paltsev@synopsys.com>
X-Mailer: git-send-email 2.14.5
List-Id: Linux on Synopsys ARC Processors

Commit 15773ae938d8 ("signal/arc: Use force_sig_fault where appropriate") adds undefined behaviour and a kernel resource leak to userspace in the ARC do_page_fault() implementation. This happens because we don't initialize the si_code variable after switching to force_sig_fault. si_code (as a part of the siginfo_t structure) was previously initialized by the clear_siginfo(&info) call, which was removed.
Undefined behaviour path: -------------------->8--------------------------- }}} a/arch/arc/mm/fault.c !! -67,6 +67,7 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) struct task_struct *tsk = current; struct mm_struct *mm = tsk->mm; + /// >>> si_code - uninitialized int si_code; int ret; vm_fault_t fault; int write = regs->ecr_cause & ECR_C_PROTV_STORE; /* ST/EX */ !! -81,8 +82,10 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) * only copy the information from the master page table, * nothing more. */ + /// >>> take true branch if (address >= VMALLOC_START) { ret = handle_kernel_vaddr_fault(address); + /// >>> take true branch if (unlikely(ret)) + /// >>> jump to label "bad_area_nosemaphore" goto bad_area_nosemaphore; else !! -193,10 +196,13 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) bad_area: up_read(&mm->mmap_sem); + /// >>> reach label "bad_area_nosemaphore" bad_area_nosemaphore: /* User mode accesses just cause a SIGSEGV */ + /// >>> take true branch if (user_mode(regs)) { tsk->thread.fault_address = address; + /// >>> Ooops: + /// >>> use uninitialized value "si_code" + /// >>> when calling "force_sig_fault" force_sig_fault(SIGSEGV, si_code, (void __user *)address, tsk); return; } -------------------->8--------------------------- Fixes: 15773ae938d8 ("signal/arc: Use force_sig_fault where appropriate") Signed-off-by: Eugeniy Paltsev --- arch/arc/mm/fault.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arc/mm/fault.c b/arch/arc/mm/fault.c index c9da6102eb4f..e2d9fc3fea01 100644 --- a/arch/arc/mm/fault.c +++ b/arch/arc/mm/fault.c @@ -66,7 +66,7 @@ void do_page_fault(unsigned long address, struct pt_regs *regs) struct vm_area_struct *vma = NULL; struct task_struct *tsk = current; struct mm_struct *mm = tsk->mm; - int si_code; + int si_code = 0; int ret; vm_fault_t fault; int write = regs->ecr_cause & ECR_C_PROTV_STORE; /* ST/EX */
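Review bot: the `int si_code = 0;` initialisation in the arch/arc/mm/fault.c hunk stops the uninitialised read, but on the path the commit message traces (user-mode access to an address >= VMALLOC_START that handle_kernel_vaddr_fault() rejects, then `goto bad_area_nosemaphore`) it now delivers SIGSEGV with si_code == 0, which is SI_USER and tells the receiving process the signal came from kill() rather than from a fault. A fault on an address the task has no mapping for is SEGV_MAPERR, so `int si_code = SEGV_MAPERR;` is the safer default, and setting si_code explicitly before each `goto bad_area_nosemaphore` would make the value independent of which jump reached the label. It would also help the commit message to state the user-visible effect plainly: si_code lives on the kernel stack and force_sig_fault() copies it into the siginfo handed to userspace, so the "resource leak" in the subject is a kernel stack word disclosed to the signalled process.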
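As an added example, not part of this patch or of the ARC tree, here is a userspace probe that checks what si_code the kernel actually delivers for a user-mode access to a kernel address, i.e. the path traced above through bad_area_nosemaphore and force_sig_fault(). It assumes Linux and a probe address in the kernel half of the address space (0xffffffff80000000 on 64-bit, 0xc0000000 on 32-bit; on an ARC target substitute an address above VMALLOC_START for your configuration). The names probe_si_code() and si_code_is_plausible() are mine. A kernel that fills siginfo correctly reports SEGV_MAPERR (or SEGV_ACCERR); 0 (SI_USER) or an arbitrary number means the kernel handed back an unset si_code, which is the symptom this patch is about.

```c
/* Added example (not the patch's code): fork a child that touches a kernel
 * address, catch the resulting SIGSEGV with SA_SIGINFO and report si_code
 * back to the parent over a pipe, so the value can be checked from a test.
 * Probe addresses are assumptions; adjust for the target architecture. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#if UINTPTR_MAX > 0xffffffffUL
#define KERNEL_PROBE_ADDR ((uintptr_t)0xffffffff80000000ULL) /* assumed 64-bit kernel half */
#else
#define KERNEL_PROBE_ADDR ((uintptr_t)0xc0000000UL)          /* assumed 32-bit PAGE_OFFSET */
#endif

static int report_fd = -1; /* write end of the pipe, valid in the child only */

/* Runs in the faulting child: async-signal-safe calls only.
 * Forwards si_code to the parent and terminates the child. */
static void fault_handler(int sig, siginfo_t *si, void *ctx)
{
    int code = si->si_code;
    ssize_t n;
    (void)sig;
    (void)ctx;
    n = write(report_fd, &code, sizeof code);
    (void)n;
    _exit(0);
}

/* 1 when si_code is a value userspace can act on for a SIGSEGV caused by a
 * memory access: SEGV_MAPERR (no mapping) or SEGV_ACCERR (permission). */
int si_code_is_plausible(int code)
{
    return code == SEGV_MAPERR || code == SEGV_ACCERR;
}

/* Touch `addr` in a child and return the si_code the child observed.
 * Returns -1 if the access did not fault (address is mapped and readable)
 * and -2 on an internal error (pipe/fork failure or child died silently). */
int probe_si_code(uintptr_t addr)
{
    int fds[2];
    pid_t pid;
    int code = -2;
    int status;
    ssize_t n;

    if (pipe(fds) != 0)
        return -2;
    pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        struct sigaction sa;
        volatile unsigned char *p = (volatile unsigned char *)addr;
        unsigned char v;
        int nofault = -1;

        close(fds[0]);
        report_fd = fds[1];
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = fault_handler;
        sa.sa_flags = SA_SIGINFO;
        sigemptyset(&sa.sa_mask);
        sigaction(SIGSEGV, &sa, NULL);
        sigaction(SIGBUS, &sa, NULL);
        v = *p; /* expected to fault here; handler reports and exits */
        (void)v;
        n = write(report_fd, &nofault, sizeof nofault); /* reached only if no fault */
        (void)n;
        _exit(0);
    }
    close(fds[1]);
    n = read(fds[0], &code, sizeof code);
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof code)
        return -2;
    return code;
}

int main(void)
{
    int code = probe_si_code(KERNEL_PROBE_ADDR);
    printf("si_code for user access to %#lx: %d (%s)\n",
           (unsigned long)KERNEL_PROBE_ADDR, code,
           si_code_is_plausible(code) ? "SEGV_MAPERR/SEGV_ACCERR" : "unexpected");
    return si_code_is_plausible(code) ? 0 : 1;
}
```

Run it before and after applying the patch on the target: with the change as posted the probe prints 0 for this path, which si_code_is_plausible() rejects, so the program exits non-zero; it exits 0 once the fault path hands back a SEGV_* code.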