Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

x86/fault: Don't run fixups for SMAP violations

A SMAP-violating kernel access is not a recoverable condition. Imagine
kernel code that, outside of a uaccess region, dereferences a pointer to
the user range by accident. If SMAP is on, this will reliably generate
as an intentional user access. This makes it easy for bugs to be
overlooked if code is inadequately tested both with and without SMAP.

This was discovered because BPF can generate invalid accesses to user
memory, but those warnings only got printed if SMAP was off. Make it so
that this type of error will be discovered with SMAP on as well.

[ bp: Massage commit message. ]

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/66a02343624b1ff46f02a838c497fc05c1a871b3.1612924255.git.luto@kernel.org

authored by

Andy Lutomirski and committed by
Borislav Petkov
ca247283 66fcd988

+6 -3
arch/x86/mm/fault.c
··· 1279 1279 */ 1280 1280 if (unlikely(cpu_feature_enabled(X86_FEATURE_SMAP) && 1281 1281 !(error_code & X86_PF_USER) && 1282 - !(regs->flags & X86_EFLAGS_AC))) 1283 - { 1284 - bad_area_nosemaphore(regs, error_code, address); 1282 + !(regs->flags & X86_EFLAGS_AC))) { 1283 + /* 1284 + * No extable entry here. This was a kernel access to an 1285 + * invalid pointer. get_kernel_nofault() will not get here. 1286 + */ 1287 + page_fault_oops(regs, error_code, address); 1285 1288 return; 1286 1289 } 1287 1290
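Review bot: the new comment asserts that get_kernel_nofault() will not reach this branch, but nothing in the hunk enforces it; with bad_area_nosemaphore() replaced by page_fault_oops(), any kernel-mode fault that lands here with AC clear is now fatal rather than a candidate for an exception fixup, so the claim rests on callers rejecting user addresses before they probe. Spell that dependency out in the comment, e.g. "callers must reject user addresses before probing; no fixup is attempted here", so a future probe helper does not assume the fixup path still covers SMAP faults. Moving the opening brace onto the `if (unlikely(...))` line is the correct kernel style.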