1. 26 Nov, 2016 1 commit
    • Balbir Singh's avatar
      powerpc/mm/radix: Prevent kernel execution of user space · 3b10d009
      Balbir Singh authored
      ISA 3 defines new encoded access authority that allows instruction
      access prevention in privileged mode and allows normal access
      to problem state. This patch just enables IAMR (Instruction Authority
      Mask Register), enabling AMR would require more work.
      
      I've tested this with a buggy driver and a simple payload. The payload
      is specific to the build I've tested.
      
      mpe: Also tested with LKDTM:
      
        # echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
        lkdtm: Performing direct entry EXEC_USERSPACE
        lkdtm: attempting ok execution at c0000000005bf560
        lkdtm: attempting bad execution at 00003fff8d940000
        Unable to handle kernel paging request for instruction fetch
        Faulting instruction address: 0x3fff8d940000
        Oops: Kernel access of bad area, sig: 11 [#1]
        NIP: 00003fff8d940000 LR: c0000000005bfa58 CTR: 00003fff8d940000
        REGS: c0000000f1fcf900 TRAP: 0400   Not tainted  (4.9.0-rc5-compiler_gcc-6.2.0-00109-g956dbc06232a)
        MSR: 9000000010009033 <SF,HV,EE,ME,IR,DR,RI,LE>  CR: 48002222  XER: 00000000
        ...
        Call Trace:
          lkdtm_EXEC_USERSPACE+0x104/0x120 (unreliable)
          lkdtm_do_action+0x3c/0x80
          direct_entry+0x100/0x1b0
          full_proxy_write+0x94/0x100
          __vfs_write+0x3c/0x1b0
          vfs_write+0xcc/0x230
          SyS_write+0x60/0x110
          system_call+0x38/0xfc
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      3b10d009
  2. 25 Nov, 2016 7 commits
  3. 24 Nov, 2016 1 commit
  4. 23 Nov, 2016 8 commits
  5. 22 Nov, 2016 8 commits
  6. 21 Nov, 2016 1 commit
  7. 18 Nov, 2016 14 commits