linux/arch/powerpc/mm
Paul Mackerras f077aaf075 powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
In commit c60ac5693c ("powerpc: Update kernel VSID range", 2013-03-13)
we lost a check on the region number (the top four bits of the effective
address) for addresses below PAGE_OFFSET.  That commit replaced a check
that the top 18 bits were all zero with a check that bits 46 - 59 were
zero (performed for all addresses, not just user addresses).

This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
and we will insert a valid SLB entry for it.  The VSID used will be the
same as if the top 4 bits were 0, but the page size will be some random
value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
array in the paca.  If that page size is the same as would be used for
region 0, then userspace just has an alias of the region 0 space.  If the
page size is different, then no HPTE will be found for the access, and
the process will get a SIGSEGV (since hash_page_mm() will refuse to create
a HPTE for the bogus address).

The access beyond the end of the mm_ctx_high_slices_psize can be at most
5.5MB past the array, and so will be in RAM somewhere.  Since the access
is a load performed in real mode, it won't fault or crash the kernel.
At most this bug could perhaps leak a little bit of information about
blocks of 32 bytes of memory located at offsets of i * 512kB past the
paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.

Fixes: c60ac5693c ("powerpc: Update kernel VSID range")
Cc: stable@vger.kernel.org # v3.9+
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2016-09-08 13:15:33 +10:00
..
8xx_mmu.c powerpc/8xx: add CONFIG_PIN_TLB_IMMR 2016-07-09 02:02:48 -05:00
40x_mmu.c powerpc/mm: Don't use pmd_val, pud_val and pgd_val as lvalue 2015-12-14 15:19:07 +11:00
44x_mmu.c powerpc: Delete __cpuinit usage from all users 2013-07-01 11:10:36 +10:00
Makefile powerpc/mm/thp: Abstraction for THP functions 2016-05-11 21:53:57 +10:00
copro_fault.c mm: do not pass mm_struct into handle_mm_fault 2016-07-26 16:19:19 -07:00
dma-noncoherent.c powerpc: Simplify test in __dma_sync() 2016-03-11 17:20:12 -06:00
fault.c powerpc: migrate exception table users off module.h and onto extable.h 2016-08-22 11:09:33 +10:00
fsl_booke_mmu.c powerpc/mm: Convert pte_user() to static inline 2016-05-01 18:32:24 +10:00
hash64_4k.c powerpc/mm: Move hash table ops to a separate structure 2016-07-21 18:59:09 +10:00
hash64_64k.c powerpc/mm: Move hash table ops to a separate structure 2016-07-21 18:59:09 +10:00
hash_low_32.S powerpc: Use CURRENT_THREAD_INFO instead of open coded assembly 2012-07-11 14:18:22 +10:00
hash_native_64.c powerpc/mm: Move register_process_table() out of ppc_md 2016-08-04 20:22:34 +10:00
hash_utils_64.c powerpc/mm: Convert early cpu/mmu feature check to use the new helpers 2016-08-01 11:15:01 +10:00
highmem.c sched/preempt, mm/kmap: Explicitly disable/enable preemption in kmap_atomic_* 2015-05-19 08:39:14 +02:00
hugepage-hash64.c powerpc/mm: Move hash table ops to a separate structure 2016-07-21 18:59:09 +10:00
hugetlbpage-book3e.c powerpc/fsl-book3e: Avoid lbarx on e5500 2016-03-03 23:43:05 -06:00
hugetlbpage-hash64.c powerpc/mm: Move hash table ops to a separate structure 2016-07-21 18:59:09 +10:00
hugetlbpage-radix.c powerpc/mm/hugetlb: Add flush_hugetlb_tlb_range 2016-08-01 11:15:13 +10:00
hugetlbpage.c powerpc updates for 4.8 # 1 2016-07-30 21:01:36 -07:00
icswx.c powerpc: Fix typo "CONFIG_ICSWX_PID" 2013-04-18 13:03:54 +10:00
icswx.h powerpc/icswx: Fix race condition with IPI setting ACOP 2012-03-07 17:06:09 +11:00
icswx_pid.c powerpc: Split ICSWX ACOP and PID processing 2011-11-25 14:11:27 +11:00
init_32.c powerpc/32: Remove RELOCATABLE_PPC32 2016-07-19 20:17:07 +10:00
init_64.c powerpc/mm: Convert early cpu/mmu feature check to use the new helpers 2016-08-01 11:15:01 +10:00
mem.c powerpc: Fix build with CONFIG_MEMORY_HOTPLUG on some configs 2016-07-07 16:33:27 +10:00
mmap.c powerpc/mm/radix: Pick the address layout for radix config 2016-05-11 21:53:47 +10:00
mmu_context_book3s64.c powerpc/mm/radix: Update PID switch sequence 2016-07-17 16:42:53 +10:00
mmu_context_hash32.c powerpc: Remove power3 from comments 2014-07-28 14:10:26 +10:00
mmu_context_iommu.c powerpc/mmu: Add userspace-to-physical addresses translation cache 2015-06-11 15:16:54 +10:00
mmu_context_nohash.c powerpc/mm/slice: Remove slice_mm_new_context() 2016-05-11 21:54:00 +10:00
mmu_decl.h powerpc/8xx: Map IMMR area with 512k page at a fixed address 2016-07-09 02:02:48 -05:00
numa.c powerpc updates for 4.8 # 1 2016-07-30 21:01:36 -07:00
pgtable-book3e.c powerpc/mm: Make page table size a variable 2016-05-01 18:32:48 +10:00
pgtable-book3s64.c powerpc/mm: Move register_process_table() out of ppc_md 2016-08-04 20:22:34 +10:00
pgtable-hash64.c powerpc/mm/thp: Abstraction for THP functions 2016-05-11 21:53:57 +10:00
pgtable-radix.c powerpc/mm: Move register_process_table() out of ppc_md 2016-08-04 20:22:34 +10:00
pgtable.c powerpc/mm: remove flush_tlb_page_nohash 2016-08-01 11:15:13 +10:00
pgtable_32.c treewide: replace obsolete _refok by __ref 2016-08-02 17:31:41 -04:00
pgtable_64.c tree wide: get rid of __GFP_REPEAT for order-0 allocations part I 2016-06-24 17:23:52 -07:00
ppc_mmu_32.c powerpc32: refactor x_mapped_by_bats() and x_mapped_by_tlbcam() together 2016-03-11 17:18:02 -06:00
slb.c powerpc/mm: Remove long disabled SLB code 2016-04-11 20:30:40 +10:00
slb_low.S powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET 2016-09-08 13:15:33 +10:00
slice.c powerpc/mm/radix: Add checks in slice code to catch radix usage 2016-05-11 21:53:46 +10:00
subpage-prot.c thp: rename split_huge_page_pmd() to split_huge_pmd() 2016-01-15 17:56:32 -08:00
tlb-radix.c powerpc/mm/radix/hugetlb: Add helper for finding page size from hstate 2016-08-01 11:15:12 +10:00
tlb_hash32.c powerpc/mm: remove flush_tlb_page_nohash 2016-08-01 11:15:13 +10:00
tlb_hash64.c powerpc/mm: Hash abstraction for tlbflush routines 2016-05-01 18:33:08 +10:00
tlb_low_64e.S powerpc: Fix misspellings in comments. 2016-03-01 19:27:20 +11:00
tlb_nohash.c powerpc/mm: Drop multiple definition of mm_is_core_local 2016-08-01 11:15:10 +10:00
tlb_nohash_low.S powerpc: Fix misspellings in comments. 2016-03-01 19:27:20 +11:00
vphn.c powerpc/vphn: parsing code rewrite 2015-03-18 10:48:59 +11:00
vphn.h powerpc/vphn: parsing code rewrite 2015-03-18 10:48:59 +11:00