| Message ID | 1521632426-30770-2-git-send-email-maddy@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | bb19af816025d495376bd76bf6fbcf4244f9a06d |
| Headers | show |
| Series | [v2] powerpc/perf: Fix kernel address leak to userspace via BHRB buffer | expand |
On Wed, 2018-03-21 at 11:40:25 UTC, Madhavan Srinivasan wrote: > The current Branch History Rolling Buffer (BHRB) code does > not check for any privilege levels before updating the data > from BHRB. This leaks kernel addresses to userspace even when > profiling only with userspace privileges. Add proper checks > to prevent it. > > Acked-by: Balbir Singh <bsingharora@gmail.com> > Signed-off-by: Madhavan Srinivasan <maddy@linux.vnet.ibm.com> Applied to powerpc next, thanks. https://git.kernel.org/powerpc/c/bb19af816025d495376bd76bf6fbcf cheers
diff --git a/arch/powerpc/perf/core-book3s.c b/arch/powerpc/perf/core-book3s.c index f89bbd54ecec..37d24c22557d 100644 --- a/arch/powerpc/perf/core-book3s.c +++ b/arch/powerpc/perf/core-book3s.c @@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct cpu_hw_events *cpuhw) /* invalid entry */ continue; + /* + * BHRB rolling buffer could very much contain the kernel + * addresses at this point. Check the privileges before + * exporting it to userspace (avoid exposure of regions + * where we could have speculative execution) + */ + if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && + is_kernel_addr(addr)) + continue; + /* Branches are read most recent first (ie. mfbhrb 0 is * the most recent branch). * There are two types of valid entries: