Skip to content

Commit f6334f4

Browse files
danglin44hdeller
danglin44
authored and
hdeller
committed
parisc: Revise gateway LWS calls to probe user read access
We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel and gateway page execute at privilege level 0, so this code never triggers a read access interruption. Thus, it is currently possible for user code to execute a LWS compare and swap operation at an address that is read protected at privilege level 3 (PRIV_USER). Fix this by probing read access rights at privilege level 3 and branching to lws_fault if access isn't allowed. Signed-off-by: John David Anglin <[email protected]> Signed-off-by: Helge Deller <[email protected]> Cc: [email protected] # v5.12+
1 parent 4eab1c2 commit f6334f4

File tree

1 file changed

+21
-9
lines changed

1 file changed

+21
-9
lines changed

arch/parisc/kernel/syscall.S

Lines changed: 21 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -613,6 +613,9 @@ lws_compare_and_swap32:
613613
lws_compare_and_swap:
614614
/* Trigger memory reference interruptions without writing to memory */
615615
1: ldw 0(%r26), %r28
616+
proberi (%r26), PRIV_USER, %r28
617+
comb,=,n %r28, %r0, lws_fault /* backwards, likely not taken */
618+
nop
616619
2: stbys,e %r0, 0(%r26)
617620

618621
/* Calculate 8-bit hash index from virtual address */
@@ -767,6 +770,9 @@ cas2_lock_start:
767770
copy %r26, %r28
768771
depi_safe 0, 31, 2, %r28
769772
10: ldw 0(%r28), %r1
773+
proberi (%r28), PRIV_USER, %r1
774+
comb,=,n %r1, %r0, lws_fault /* backwards, likely not taken */
775+
nop
770776
11: stbys,e %r0, 0(%r28)
771777

772778
/* Calculate 8-bit hash index from virtual address */
@@ -951,41 +957,47 @@ atomic_xchg_begin:
951957

952958
/* 8-bit exchange */
953959
1: ldb 0(%r24), %r20
960+
proberi (%r24), PRIV_USER, %r20
961+
comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
962+
nop
954963
copy %r23, %r20
955964
depi_safe 0, 31, 2, %r20
956965
b atomic_xchg_start
957966
2: stbys,e %r0, 0(%r20)
958-
nop
959-
nop
960-
nop
961967

962968
/* 16-bit exchange */
963969
3: ldh 0(%r24), %r20
970+
proberi (%r24), PRIV_USER, %r20
971+
comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
972+
nop
964973
copy %r23, %r20
965974
depi_safe 0, 31, 2, %r20
966975
b atomic_xchg_start
967976
4: stbys,e %r0, 0(%r20)
968-
nop
969-
nop
970-
nop
971977

972978
/* 32-bit exchange */
973979
5: ldw 0(%r24), %r20
980+
proberi (%r24), PRIV_USER, %r20
981+
comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
982+
nop
974983
b atomic_xchg_start
975984
6: stbys,e %r0, 0(%r23)
976985
nop
977986
nop
978-
nop
979-
nop
980-
nop
981987

982988
/* 64-bit exchange */
983989
#ifdef CONFIG_64BIT
984990
7: ldd 0(%r24), %r20
991+
proberi (%r24), PRIV_USER, %r20
992+
comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
993+
nop
985994
8: stdby,e %r0, 0(%r23)
986995
#else
987996
7: ldw 0(%r24), %r20
988997
8: ldw 4(%r24), %r20
998+
proberi (%r24), PRIV_USER, %r20
999+
comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */
1000+
nop
9891001
copy %r23, %r20
9901002
depi_safe 0, 31, 2, %r20
9911003
9: stbys,e %r0, 0(%r20)

0 commit comments

Comments
 (0)