forked from Minki/linux
f87b1c49bc
When the uaccess .fixup section was renamed to .text.fixup, one case was
missed. Under ld.bfd, the orphaned section was moved close to .text
(since they share the "ax" bits), so things would work normally on
uaccess faults. Under ld.lld, the orphaned section was placed outside
the .text section, making it unreachable.
Link: https://github.com/ClangBuiltLinux/linux/issues/282
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=1020633#c44
Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1912032147340.17114@knanqh.ubzr
Link: https://lore.kernel.org/lkml/202002071754.F5F073F1D@keescook/
Fixes: c4a84ae39b
("ARM: 8322/1: keep .text and .fixup regions closer together")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
130 lines
2.4 KiB
ArmAsm
130 lines
2.4 KiB
ArmAsm
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* linux/arch/arm/lib/copy_from_user.S
|
|
*
|
|
* Author: Nicolas Pitre
|
|
* Created: Sep 29, 2005
|
|
* Copyright: MontaVista Software, Inc.
|
|
*/
|
|
|
|
#include <linux/linkage.h>
|
|
#include <asm/assembler.h>
|
|
#include <asm/unwind.h>
|
|
|
|
/*
|
|
* Prototype:
|
|
*
|
|
* size_t arm_copy_from_user(void *to, const void *from, size_t n)
|
|
*
|
|
* Purpose:
|
|
*
|
|
* copy a block to kernel memory from user memory
|
|
*
|
|
* Params:
|
|
*
|
|
* to = kernel memory
|
|
* from = user memory
|
|
* n = number of bytes to copy
|
|
*
|
|
* Return value:
|
|
*
|
|
* Number of bytes NOT copied.
|
|
*/
|
|
|
|
#ifdef CONFIG_CPU_USE_DOMAINS
|
|
|
|
#ifndef CONFIG_THUMB2_KERNEL
|
|
#define LDR1W_SHIFT 0
|
|
#else
|
|
#define LDR1W_SHIFT 1
|
|
#endif
|
|
|
|
.macro ldr1w ptr reg abort
|
|
ldrusr \reg, \ptr, 4, abort=\abort
|
|
.endm
|
|
|
|
.macro ldr4w ptr reg1 reg2 reg3 reg4 abort
|
|
ldr1w \ptr, \reg1, \abort
|
|
ldr1w \ptr, \reg2, \abort
|
|
ldr1w \ptr, \reg3, \abort
|
|
ldr1w \ptr, \reg4, \abort
|
|
.endm
|
|
|
|
.macro ldr8w ptr reg1 reg2 reg3 reg4 reg5 reg6 reg7 reg8 abort
|
|
ldr4w \ptr, \reg1, \reg2, \reg3, \reg4, \abort
|
|
ldr4w \ptr, \reg5, \reg6, \reg7, \reg8, \abort
|
|
.endm
|
|
|
|
#else
|
|
|
|
#define LDR1W_SHIFT 0
|
|
|
|
.macro ldr1w ptr reg abort
|
|
USERL(\abort, W(ldr) \reg, [\ptr], #4)
|
|
.endm
|
|
|
|
.macro ldr4w ptr reg1 reg2 reg3 reg4 abort
|
|
USERL(\abort, ldmia \ptr!, {\reg1, \reg2, \reg3, \reg4})
|
|
.endm
|
|
|
|
.macro ldr8w ptr reg1 reg2 reg3 reg4 reg5 reg6 reg7 reg8 abort
|
|
USERL(\abort, ldmia \ptr!, {\reg1, \reg2, \reg3, \reg4, \reg5, \reg6, \reg7, \reg8})
|
|
.endm
|
|
|
|
#endif /* CONFIG_CPU_USE_DOMAINS */
|
|
|
|
.macro ldr1b ptr reg cond=al abort
|
|
ldrusr \reg, \ptr, 1, \cond, abort=\abort
|
|
.endm
|
|
|
|
#define STR1W_SHIFT 0
|
|
|
|
.macro str1w ptr reg abort
|
|
W(str) \reg, [\ptr], #4
|
|
.endm
|
|
|
|
.macro str8w ptr reg1 reg2 reg3 reg4 reg5 reg6 reg7 reg8 abort
|
|
stmia \ptr!, {\reg1, \reg2, \reg3, \reg4, \reg5, \reg6, \reg7, \reg8}
|
|
.endm
|
|
|
|
.macro str1b ptr reg cond=al abort
|
|
strb\cond \reg, [\ptr], #1
|
|
.endm
|
|
|
|
.macro enter reg1 reg2
|
|
mov r3, #0
|
|
stmdb sp!, {r0, r2, r3, \reg1, \reg2}
|
|
.endm
|
|
|
|
.macro usave reg1 reg2
|
|
UNWIND( .save {r0, r2, r3, \reg1, \reg2} )
|
|
.endm
|
|
|
|
.macro exit reg1 reg2
|
|
add sp, sp, #8
|
|
ldmfd sp!, {r0, \reg1, \reg2}
|
|
.endm
|
|
|
|
.text
|
|
|
|
ENTRY(arm_copy_from_user)
|
|
#ifdef CONFIG_CPU_SPECTRE
|
|
get_thread_info r3
|
|
ldr r3, [r3, #TI_ADDR_LIMIT]
|
|
uaccess_mask_range_ptr r1, r2, r3, ip
|
|
#endif
|
|
|
|
#include "copy_template.S"
|
|
|
|
ENDPROC(arm_copy_from_user)
|
|
|
|
.pushsection .text.fixup,"ax"
|
|
.align 0
|
|
copy_abort_preamble
|
|
ldmfd sp!, {r1, r2, r3}
|
|
sub r0, r0, r1
|
|
rsb r0, r0, r2
|
|
copy_abort_end
|
|
.popsection
|
|
|