Our FPU emulator currently uses __get_user() & __put_user() to perform emulated loads & stores. This is problematic because __get_user() & __put_user() are only suitable for naturally aligned memory accesses, and the address we're accessing is entirely under the control of userland.
This allows userland to cause a kernel panic by simply performing an unaligned floating point load or store - the kernel will handle the address error exception by attempting to emulate the instruction, and in the process it may generate another address error exception itself. This time the exception is taken with EPC pointing at the kernel's FPU emulation code, and we hit a die_if_kernel() in emulate_load_store_insn().
Fix this up by using __copy_from_user() instead of __get_user() and __copy_to_user() instead of __put_user(). These replacements will handle arbitrary alignment without problems.
Signed-off-by: Paul Burton paulburton@kernel.org Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org # v2.6.12+ --- arch/mips/math-emu/cp1emu.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index 710e1f804a54..d2009b4b5209 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -1056,7 +1056,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = dva;
 				return SIGBUS;
 			}
-			if (__get_user(dval, dva)) {
+			if (__copy_from_user(&dval, dva, sizeof(u64))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = dva;
 				return SIGSEGV;
@@ -1074,7 +1074,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = dva;
 				return SIGBUS;
 			}
-			if (__put_user(dval, dva)) {
+			if (__copy_to_user(dva, &dval, sizeof(u64))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = dva;
 				return SIGSEGV;
@@ -1090,7 +1090,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = wva;
 				return SIGBUS;
 			}
-			if (__get_user(wval, wva)) {
+			if (__copy_from_user(&wval, wva, sizeof(u32))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = wva;
 				return SIGSEGV;
@@ -1108,7 +1108,7 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = wva;
 				return SIGBUS;
 			}
-			if (__put_user(wval, wva)) {
+			if (__copy_to_user(wva, &wval, sizeof(u32))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = wva;
 				return SIGSEGV;
@@ -1486,7 +1486,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (__get_user(val, va)) {
+			if (__copy_from_user(&val, va, sizeof(u32))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
@@ -1506,7 +1506,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (put_user(val, va)) {
+			if (__copy_to_user(va, &val, sizeof(u32))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
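Review bot: Every new `__copy_from_user()`/`__copy_to_user()` call spells the length as a type name; tying it to the object being copied, `sizeof(dval)`/`sizeof(wval)` (or `sizeof(*dva)`/`sizeof(*wva)`) in cop1Emulate and `sizeof(val)` in fpux_emu, keeps the copy length correct if a variable's type ever changes and removes the chance of a u32/u64 mismatch between neighbouring cases. The same applies to the two fpux_emu hunks at -1583 and -1602. In the -1506 hunk the old `put_user()` performed its own access_ok() check while the replacement `__copy_to_user()` does not, so that store now relies entirely on the range check that appears to precede it (the `return SIGBUS;` path just above the hunk) covering sizeof(u32) bytes at `va` — worth confirming, since the check itself is outside the hunk. Both enclosing functions start and end outside these hunks.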
@@ -1583,7 +1583,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (__get_user(val, va)) {
+			if (__copy_from_user(&val, va, sizeof(u64))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;
@@ -1602,7 +1602,7 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 				*fault_addr = va;
 				return SIGBUS;
 			}
-			if (__put_user(val, va)) {
+			if (__copy_to_user(va, &val, sizeof(u64))) {
 				MIPS_FPU_EMU_INC_STATS(errors);
 				*fault_addr = va;
 				return SIGSEGV;