Hi,
This is a patch series to CVE-2021-21781. The patch 9c698bff66ab ("RM: ensure the signal page contains defined contents") depepds on memset32. However, this function is not provided in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c: add multibyte memset functions") to apply this feature. Another option is to implement only the memset32 function in arch/arm/kernel/signal.c only or using loop memset, but for simplicity we have taken the way of applying the original patch 3b3c4babd898 ("lib/string.c: add multibyte memset functions") that provides memset32 in mainline kernel.
Best regards, Nobuhiro
Matthew Wilcox (1): lib/string.c: add multibyte memset functions
Russell King (1): ARM: ensure the signal page contains defined contents
arch/arm/kernel/signal.c | 14 +++++---- include/linux/string.h | 30 ++++++++++++++++++ lib/string.c | 66 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 104 insertions(+), 6 deletions(-)
From: Matthew Wilcox mawilcox@microsoft.com
commit 3b3c4babd898715926d24ae10aa64778ace33aae upstream.
Patch series "Multibyte memset variations", v4.
A relatively common idiom we're missing is a function to fill an area of memory with a pattern which is larger than a single byte. I first noticed this with a zram patch which wanted to fill a page with an 'unsigned long' value. There turn out to be quite a few places in the kernel which can benefit from using an optimised function rather than a loop; sometimes text size, sometimes speed, and sometimes both. The optimised PowerPC version (not included here) improves performance by about 30% on POWER8 on just the raw memset_l().
Most of the extra lines of code come from the three testcases I added.
This patch (of 8):
memset16(), memset32() and memset64() are like memset(), but allow the caller to fill the destination with a value larger than a single byte. memset_l() and memset_p() allow the caller to use unsigned long and pointer values respectively.
Link: http://lkml.kernel.org/r/20170720184539.31609-2-willy@infradead.org Signed-off-by: Matthew Wilcox mawilcox@microsoft.com Cc: "H. Peter Anvin" hpa@zytor.com Cc: "James E.J. Bottomley" jejb@linux.vnet.ibm.com Cc: "Martin K. Petersen" martin.petersen@oracle.com Cc: David Miller davem@davemloft.net Cc: Ingo Molnar mingo@elte.hu Cc: Ivan Kokshaysky ink@jurassic.park.msu.ru Cc: Matt Turner mattst88@gmail.com Cc: Michael Ellerman mpe@ellerman.id.au Cc: Minchan Kim minchan@kernel.org Cc: Ralf Baechle ralf@linux-mips.org Cc: Richard Henderson rth@twiddle.net Cc: Russell King rmk+kernel@armlinux.org.uk Cc: Sam Ravnborg sam@ravnborg.org Cc: Sergey Senozhatsky sergey.senozhatsky@gmail.com Cc: Thomas Gleixner tglx@linutronix.de Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Nobuhiro Iwamatsu (CIP) nobuhiro1.iwamatsu@toshiba.co.jp --- include/linux/string.h | 30 +++++++++++++++++++ lib/string.c | 66 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+)
diff --git a/include/linux/string.h b/include/linux/string.h index 66a91f5a344990..dd810d4739ee92 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -103,6 +103,36 @@ extern __kernel_size_t strcspn(const char *,const char *); #ifndef __HAVE_ARCH_MEMSET extern void * memset(void *,int,__kernel_size_t); #endif + +#ifndef __HAVE_ARCH_MEMSET16 +extern void *memset16(uint16_t *, uint16_t, __kernel_size_t); +#endif + +#ifndef __HAVE_ARCH_MEMSET32 +extern void *memset32(uint32_t *, uint32_t, __kernel_size_t); +#endif + +#ifndef __HAVE_ARCH_MEMSET64 +extern void *memset64(uint64_t *, uint64_t, __kernel_size_t); +#endif + +static inline void *memset_l(unsigned long *p, unsigned long v, + __kernel_size_t n) +{ + if (BITS_PER_LONG == 32) + return memset32((uint32_t *)p, v, n); + else + return memset64((uint64_t *)p, v, n); +} + +static inline void *memset_p(void **p, void *v, __kernel_size_t n) +{ + if (BITS_PER_LONG == 32) + return memset32((uint32_t *)p, (uintptr_t)v, n); + else + return memset64((uint64_t *)p, (uintptr_t)v, n); +} + #ifndef __HAVE_ARCH_MEMCPY extern void * memcpy(void *,const void *,__kernel_size_t); #endif diff --git a/lib/string.c b/lib/string.c index 8fe13371aed7ad..ec1ba61b358f21 100644 --- a/lib/string.c +++ b/lib/string.c @@ -754,6 +754,72 @@ void memzero_explicit(void *s, size_t count) } EXPORT_SYMBOL(memzero_explicit);
+#ifndef __HAVE_ARCH_MEMSET16 +/** + * memset16() - Fill a memory area with a uint16_t + * @s: Pointer to the start of the area. + * @v: The value to fill the area with + * @count: The number of values to store + * + * Differs from memset() in that it fills with a uint16_t instead + * of a byte. Remember that @count is the number of uint16_ts to + * store, not the number of bytes. + */ +void *memset16(uint16_t *s, uint16_t v, size_t count) +{ + uint16_t *xs = s; + + while (count--) + *xs++ = v; + return s; +} +EXPORT_SYMBOL(memset16); +#endif + +#ifndef __HAVE_ARCH_MEMSET32 +/** + * memset32() - Fill a memory area with a uint32_t + * @s: Pointer to the start of the area. + * @v: The value to fill the area with + * @count: The number of values to store + * + * Differs from memset() in that it fills with a uint32_t instead + * of a byte. Remember that @count is the number of uint32_ts to + * store, not the number of bytes. + */ +void *memset32(uint32_t *s, uint32_t v, size_t count) +{ + uint32_t *xs = s; + + while (count--) + *xs++ = v; + return s; +} +EXPORT_SYMBOL(memset32); +#endif + +#ifndef __HAVE_ARCH_MEMSET64 +/** + * memset64() - Fill a memory area with a uint64_t + * @s: Pointer to the start of the area. + * @v: The value to fill the area with + * @count: The number of values to store + * + * Differs from memset() in that it fills with a uint64_t instead + * of a byte. Remember that @count is the number of uint64_ts to + * store, not the number of bytes. + */ +void *memset64(uint64_t *s, uint64_t v, size_t count) +{ + uint64_t *xs = s; + + while (count--) + *xs++ = v; + return s; +} +EXPORT_SYMBOL(memset64); +#endif + #ifndef __HAVE_ARCH_MEMCPY /** * memcpy - Copy one area of memory to another
From: Russell King rmk+kernel@armlinux.org.uk
commit 9c698bff66ab4914bb3d71da7dc6112519bde23e upstream.
Ensure that the signal page contains our poison instruction to increase the protection against ROP attacks and also contains well defined contents.
Acked-by: Will Deacon will@kernel.org Signed-off-by: Russell King rmk+kernel@armlinux.org.uk Reference: CVE-2021-21781 Signed-off-by: Nobuhiro Iwamatsu (CIP) nobuhiro1.iwamatsu@toshiba.co.jp --- arch/arm/kernel/signal.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c index 0a066f03b5ec9b..180c1782ad63d9 100644 --- a/arch/arm/kernel/signal.c +++ b/arch/arm/kernel/signal.c @@ -625,18 +625,20 @@ struct page *get_signal_page(void)
addr = page_address(page);
+ /* Poison the entire page */ + memset32(addr, __opcode_to_mem_arm(0xe7fddef1), + PAGE_SIZE / sizeof(u32)); + /* Give the signal return code some randomness */ offset = 0x200 + (get_random_int() & 0x7fc); signal_return_offset = offset;
- /* - * Copy signal return handlers into the vector page, and - * set sigreturn to be a pointer to these. - */ + /* Copy signal return handlers into the page */ memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
- ptr = (unsigned long)addr + offset; - flush_icache_range(ptr, ptr + sizeof(sigreturn_codes)); + /* Flush out all instructions in this page */ + ptr = (unsigned long)addr; + flush_icache_range(ptr, ptr + PAGE_SIZE);
return page; }
On Fri, Jul 30, 2021 at 03:08:03PM +0900, Nobuhiro Iwamatsu wrote:
Hi,
This is a patch series to CVE-2021-21781.
Given that this looks to be a "private" CVE at this point in time: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781 you are going to have to provide a bit more information here :(
thanks,
greg k-h
On Fri, Jul 30, 2021 at 08:27:20AM +0200, Greg KH wrote:
On Fri, Jul 30, 2021 at 03:08:03PM +0900, Nobuhiro Iwamatsu wrote:
Hi,
This is a patch series to CVE-2021-21781.
Given that this looks to be a "private" CVE at this point in time: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21781 you are going to have to provide a bit more information here :(
Ah, nevermind, patch 2 explains things, this is fine, thanks for the backports.
greg k-h
On Fri, Jul 30, 2021 at 03:08:03PM +0900, Nobuhiro Iwamatsu wrote:
Hi,
This is a patch series to CVE-2021-21781. The patch 9c698bff66ab ("RM: ensure the signal page contains defined contents") depepds on memset32. However, this function is not provided in 4.4 and 4.9. Therefore, we need the patch 3b3c4babd898 ("lib/string.c: add multibyte memset functions") to apply this feature. Another option is to implement only the memset32 function in arch/arm/kernel/signal.c only or using loop memset, but for simplicity we have taken the way of applying the original patch 3b3c4babd898 ("lib/string.c: add multibyte memset functions") that provides memset32 in mainline kernel.
All now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg KH -
Nobuhiro Iwamatsu