• Aneesh Kumar K.V's avatar
    powerpc/mm/hash: Handle user access of kernel address gracefully · 374f3f59
    Aneesh Kumar K.V authored
    In commit 2865d08d ("powerpc/mm: Move the DSISR_PROTFAULT sanity
    check") we moved the protection fault access check before the vma
    lookup. That means we hit that WARN_ON when user space accesses a
    kernel address. Before that commit this was handled by find_vma() not
    finding vma for the kernel address and considering that access as bad
    area access.
    
    Avoid the confusing WARN_ON and convert that to a ratelimited printk.
    
    With the patch we now get:
    
    for load:
      a.out[5997]: User access of kernel address (c00000000000dea0) - exploit attempt? (uid: 1000)
      a.out[5997]: segfault (11) at c00000000000dea0 nip 1317c0798 lr 7fff80d6441c code 1 in a.out[1317c0000+10000]
      a.out[5997]: code: 60000000 60420000 3c4c0002 38427790 4bffff20 3c4c0002 38427784 fbe1fff8
      a.out[5997]: code: f821ffc1 7c3f0b78 60000000 e9228030 <89290000> 993f002f 60000000 383f0040
    
    for exec:
      a.out[6067]: User access of kernel address (c00000000000dea0) - exploit attempt? (uid: 1000)
      a.out[6067]: segfault (11) at c00000000000dea0 nip c00000000000dea0 lr 129d507b0 code 1
      a.out[6067]: Bad NIP, not dumping instructions.
    
    Fixes: 2865d08d ("powerpc/mm: Move the DSISR_PROTFAULT sanity check")
    Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    Tested-by: default avatarBreno Leitao <leitao@debian.org>
    [mpe: Don't split printk() string across lines]
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    374f3f59
fault.c 19.1 KB