openwrt/target/linux/generic/backport-4.14
Kevin Darbyshire-Bryant 8f4841462c kernel: MIPS: math-emu Write-protect delay slot emulation pages
Backport https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=adcc81f148d733b7e8e641300c5590a2cdc13bf3

"Mapping the delay slot emulation page as both writeable & executable
presents a security risk, in that if an exploit can write to & jump into
the page then it can be used as an easy way to execute arbitrary code.

Prevent this by mapping the page read-only for userland, and using
access_process_vm() with the FOLL_FORCE flag to write to it from
mips_dsemul().

This will likely be less efficient due to copy_to_user_page() performing
cache maintenance on a whole page, rather than a single line as in the
previous use of flush_cache_sigtramp(). However this delay slot
emulation code ought not to be running in any performance critical paths
anyway so this isn't really a problem, and we can probably do better in
copy_to_user_page() anyway in future.

A major advantage of this approach is that the fix is small & simple to
backport to stable kernels.

Reported-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")"

Without patch:

cat /proc/self/maps
00400000-0047a000 r-xp 00000000 1f:03 1823       /bin/busybox
00489000-0048a000 r-xp 00079000 1f:03 1823       /bin/busybox
0048a000-0048b000 rwxp 0007a000 1f:03 1823       /bin/busybox
77ec8000-77eed000 r-xp 00000000 1f:03 2296       /lib/libgcc_s.so.1
77eed000-77eee000 rwxp 00015000 1f:03 2296       /lib/libgcc_s.so.1
77eee000-77f81000 r-xp 00000000 1f:03 2470       /lib/libc.so
77f90000-77f92000 rwxp 00092000 1f:03 2470       /lib/libc.so
77f92000-77f94000 rwxp 00000000 00:00 0
7f946000-7f967000 rw-p 00000000 00:00 0          [stack]
7fefb000-7fefc000 rwxp 00000000 00:00 0
7ffac000-7ffad000 r--p 00000000 00:00 0          [vvar]
7ffad000-7ffae000 r-xp 00000000 00:00 0          [vdso]

Patch applied:

cat /proc/self/maps
00400000-0047a000 r-xp 00000000 1f:03 1825       /bin/busybox
00489000-0048a000 r-xp 00079000 1f:03 1825       /bin/busybox
0048a000-0048b000 rwxp 0007a000 1f:03 1825       /bin/busybox
77ed0000-77ef5000 r-xp 00000000 1f:03 2298       /lib/libgcc_s.so.1
77ef5000-77ef6000 rwxp 00015000 1f:03 2298       /lib/libgcc_s.so.1
77ef6000-77f89000 r-xp 00000000 1f:03 2474       /lib/libc.so
77f98000-77f9a000 rwxp 00092000 1f:03 2474       /lib/libc.so
77f9a000-77f9c000 rwxp 00000000 00:00 0
7fbed000-7fc0e000 rw-p 00000000 00:00 0          [stack]
7fefb000-7fefc000 r-xp 00000000 00:00 0
7fff6000-7fff7000 r--p 00000000 00:00 0          [vvar]
7fff7000-7fff8000 r-xp 00000000 00:00 0          [vdso]

Note lack of write permission to 7fefb000-7fefc000

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-24 21:52:08 +00:00
010-Kbuild-don-t-hardcode-path-to-awk-in-scripts-ld-vers.patch
011-kbuild-export-SUBARCH.patch kernel: bump 4.14 to 4.14.48 2018-06-05 22:54:00 +03:00
012-kbuild-add-macro-for-controlling-warnings-to-linux-c.patch kernel: bump 4.14 to 4.14.79 2018-11-05 16:00:00 +01:00
013-disable-Wattribute-alias-warning-for-SYSCALL_DEFINEx.patch kernel: backport fixes for GCC 8 errors in syscall definitions 2018-07-22 17:16:30 +02:00
020-backport_netfilter_rtcache.patch
025-tcp-allow-drivers-to-tweak-TSQ-logic.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
030-USB-serial-option-fix-dwm-158-3g-modem-interface.patch kernel: bump 4.14 to 4.14.80 2018-11-13 00:44:01 +02:00
030-v4.17-0001-usb-dwc2-add-support-for-host-mode-external-vbus-sup.patch kernel: bump 4.14 to 4.14.67 2018-08-28 23:05:39 +02:00
030-v4.17-0002-usb-dwc2-dwc2_vbus_supply_init-fix-error-check.patch kernel: bump 4.14 to 4.14.67 2018-08-28 23:05:39 +02:00
040-v4.17-0001-mtd-move-code-adding-master-MTD-out-of-mtd_add_devic.patch
040-v4.17-0002-mtd-get-rid-of-the-mtd_add_device_partitions.patch
041-v4.17-0001-mtd-partitions-add-of_match_table-parser-matching-fo.patch
041-v4.17-0002-mtd-rename-ofpart-parser-to-fixed-partitions-as-it-f.patch
041-v4.17-0003-mtd-ofpart-add-of_match_table-with-fixed-partitions.patch
042-v4.18-0001-mtd-move-code-adding-registering-partitions-to-the-p.patch
043-v4.18-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch
044-v4.18-mtd-bcm47xxpart-add-of_match_table-with-a-new-DT-bin.patch kernel: backport mtd patches with Broadcom of_match_table-s 2018-07-27 15:55:01 +02:00
045-v4.19-mtd-parsers-trx-add-of_match_table-with-the-new-DT-b.patch kernel: backport mtd patches with Broadcom of_match_table-s 2018-07-27 15:55:01 +02:00
046-v4.19-mtd-partitions-use-DT-info-for-parsing-partitions-wi.patch kernel: backport mtd support for subpartitions in DT 2018-07-27 22:16:24 +02:00
047-v4.21-mtd-keep-original-flags-for-every-struct-mtd_info.patch kernel: backport 2 mtd partitioning fixes 2018-12-03 10:34:12 +01:00
048-v4.21-mtd-improve-calculating-partition-boundaries-when-ch.patch kernel: backport 2 mtd partitioning fixes 2018-12-03 10:34:12 +01:00
071-v4.15-0001-net-bgmac-enable-master-mode-for-BCM54210E-and-B5021.patch
076-v4.15-0001-net-phy-broadcom-support-new-device-flag-for-setting.patch
085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch kernel: backport i2c-gpio working over slow can_sleep GPIOs 2018-09-10 09:28:55 +02:00
090-net-bridge-add-support-for-port-isolation.patch kernel: replace bridge port isolate hack with upstream patch backport on 4.14 2018-07-11 20:59:05 +02:00
095-Allow-class-e-address-assignment-via-ifconfig-ioctl.patch kernel: backport ifconfig ioctl support for class e addresses 2018-12-17 10:40:20 +00:00
096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch kernel: MIPS: math-emu Write-protect delay slot emulation pages 2018-12-24 21:52:08 +00:00
100-arm-cns3xxx-fix-writing-to-wrong-PCI-registers-after.patch kernel: bump 4.14 to 4.14.90 2018-12-24 15:06:33 +00:00
272-uapi-if_ether.h-prevent-redefinition-of-struct-ethhd.patch kernel: bump 4.14 to 4.14.48 2018-06-05 22:54:00 +03:00
289-v4.16-netfilter-add-defines-for-arp-decnet-max-hooks.patch kernel: fix build of nftables 2018-09-22 23:59:10 +02:00
290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
291-v4.16-netfilter-core-remove-synchronize_net-call-if-nfqueu.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
292-v4.16-netfilter-core-free-hooks-with-call_rcu.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
293-v4.16-netfilter-reduce-size-of-hook-entry-point-locations.patch kernel: bump 4.14 to 4.14.79 2018-11-05 16:00:00 +01:00
294-v4.16-netfilter-reduce-hook-array-sizes-to-what-is-needed.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
295-v4.16-netfilter-don-t-allocate-space-for-decnet-hooks-unle.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
297-v4.16-netfilter-core-pass-hook-number-family-and-device-to.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
298-v4.16-netfilter-core-add-nf_remove_net_hook.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
298-v4.16-netfilter-core-pass-family-as-parameter-to-nf_remove.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
299-v4.16-netfilter-core-support-for-NFPROTO_INET-hook-registr.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
300-v4.16-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch
301-v4.16-netfilter-core-only-allow-one-nat-hook-per-hook-poin.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
302-v4.16-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch
303-v4.16-netfilter-nf_tables-remove-multihook-chains-and-fami.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch kernel: preserve oif of IPv6 link scope packets 2018-12-17 21:42:23 +01:00
311-v4.16-netfilter-nf_tables_arp-don-t-set-forward-chain.patch
312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch kernel: bump 4.14 to 4.14.54 2018-07-11 16:02:24 +02:00
313-v4.16-netfilter-remove-defensive-check-on-malformed-packet.patch
314-v4.16-netfilter-meta-secpath-support.patch kernel: bump 4.14 to 4.14.54 2018-07-11 16:02:24 +02:00
315-v4.15-netfilter-conntrack-move-nf_ct_netns_-get-put-to-cor.patch
320-v4.16-netfilter-nf_conntrack-add-IPS_OFFLOAD-status-bit.patch kernel: bump 4.14 to 4.14.82 2018-11-22 10:49:01 +01:00
321-v4.16-netfilter-nf_tables-add-flow-table-netlink-frontend.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
322-v4.16-netfilter-add-generic-flow-table-infrastructure.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
323-v4.16-netfilter-flow-table-support-for-IPv4.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
324-v4.16-netfilter-flow-table-support-for-IPv6.patch kernel: bump 4.14 to 4.14.73 2018-10-02 13:44:36 +02:00
325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
326-v4.16-netfilter-nf_tables-flow-offload-expression.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
327-v4.16-netfilter-nf_tables-remove-nhooks-field-from-struct-.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
328-v4.16-netfilter-nf_tables-fix-a-typo-in-nf_tables_getflowt.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
329-v4.16-netfilter-improve-flow-table-Kconfig-dependencies.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
330-v4.16-netfilter-nf_tables-remove-flag-field-from-struct-nf.patch kernel: bump 4.14 to 4.14.54 2018-07-11 16:02:24 +02:00
331-v4.16-netfilter-nf_tables-no-need-for-struct-nft_af_info-t.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
332-v4.16-netfilter-nf_tables-remove-struct-nft_af_info-parame.patch kernel: bump 4.14 to 4.14.54 2018-07-11 16:02:24 +02:00
334-v4.15-netfilter-nf_tables-fix-potential-NULL-ptr-deref-in-.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
336-v4.15-netfilter-exit_net-cleanup-check-added.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
337-v4.16-netfilter-nf_tables-get-rid-of-pernet-families.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
338-v4.16-netfilter-nf_tables-get-rid-of-struct-nft_af_info-ab.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
339-v4.16-netfilter-nft_flow_offload-wait-for-garbage-collecto.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
340-v4.16-netfilter-nft_flow_offload-no-need-to-flush-entries-.patch
341-v4.16-netfilter-nft_flow_offload-move-flowtable-cleanup-ro.patch
342-v4.16-netfilter-nf_tables-fix-flowtable-free.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
343-netfilter-nft_flow_offload-handle-netdevice-events-f.patch
344-v4.16-netfilter-nf_tables-allocate-handle-and-delete-objec.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
345-v4.16-netfilter-nf_flow_offload-fix-use-after-free-and-a-r.patch
346-v4.16-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
347-v4.16-netfilter-remove-duplicated-include.patch
348-v4.18-netfilter-nf_flow_table-use-IP_CT_DIR_-values-for-FL.patch
349-v4.18-netfilter-nf_flow_table-clean-up-flow_offload_alloc.patch
350-v4.18-ipv6-make-ip6_dst_mtu_forward-inline.patch kernel: bump 4.14 to 4.14.73 2018-10-02 13:44:36 +02:00
351-v4.18-netfilter-nf_flow_table-cache-mtu-in-struct-flow_off.patch
352-v4.18-netfilter-nf_flow_table-rename-nf_flow_table.c-to-nf.patch
353-v4.18-netfilter-nf_flow_table-move-ipv4-offload-hook-code-.patch
354-v4.18-netfilter-nf_flow_table-move-ip-header-check-out-of-.patch
355-v4.18-netfilter-nf_flow_table-move-ipv6-offload-hook-code-.patch
356-v4.18-netfilter-nf_flow_table-relax-mixed-ipv4-ipv6-flowta.patch kernel: generic: Fix nftables inet table breakage 2018-09-22 21:20:55 +02:00
357-v4.18-netfilter-nf_flow_table-move-init-code-to-nf_flow_ta.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
358-v4.18-netfilter-nf_flow_table-fix-priv-pointer-for-netdev-.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
359-v4.18-netfilter-nf_flow_table-track-flow-tables-in-nf_flow.patch kernel: bump 4.14 to 4.14.89 2018-12-18 14:24:57 +01:00
360-v4.18-netfilter-nf_flow_table-make-flow_offload_dead-inlin.patch
361-v4.18-netfilter-nf_flow_table-add-a-new-flow-state-for-tea.patch
362-v4.18-netfilter-nf_flow_table-in-flow_offload_lookup-skip-.patch
363-v4.18-netfilter-nf_flow_table-add-support-for-sending-flow.patch
364-v4.18-netfilter-nf_flow_table-tear-down-TCP-flows-if-RST-o.patch
365-v4.16-netfilter-nf_flow_table-fix-checksum-when-handling-D.patch
366-netfilter-nf_flow_table-clean-up-and-fix-dst-handlin.patch
367-v4.18-netfilter-nf_flow_table-add-missing-condition-for-TC.patch
368-v4.18-netfilter-nf_flow_table-fix-offloading-connections-w.patch
369-v4.18-netfilter-nf_flow_table-attach-dst-to-skbs.patch kernel: backport patch to fix dst handling for offloaded connections 2018-06-05 10:18:58 +02:00
370-netfilter-nf_flow_table-fix-offloaded-connection-tim.patch kernel: bump 4.14 to 4.14.82 2018-11-22 10:49:01 +01:00
371-netfilter-nf_flow_table-fix-up-ct-state-of-flows-aft.patch kernel: fix conntrack fixup of offloaded flows on timeout 2018-06-14 11:25:24 +02:00
400-v4.16-leds-trigger-Introduce-a-NETDEV-trigger.patch kernel: Replace ledtrig-netdev with upstream backport 2018-12-15 12:50:06 +01:00
500-ubifs-Handle-re-linking-of-inodes-correctly-while-re.patch kernel: fix ubifs loosing O_TMPFILE data after power cut 2018-11-15 12:32:20 +01:00