Patch "ARM: ensure the signal page contains defined contents" has been added to the 4.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Fri, 30 Jul 2021 08:36:13 +0200

This is a note to let you know that I've just added the patch titled

    ARM: ensure the signal page contains defined contents

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm-ensure-the-signal-page-contains-defined-contents.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 9c698bff66ab4914bb3d71da7dc6112519bde23e Mon Sep 17 00:00:00 2001
From: Russell King <rmk+kernel@xxxxxxxxxxxxxxx>
Date: Fri, 29 Jan 2021 10:19:07 +0000
Subject: ARM: ensure the signal page contains defined contents

From: Russell King <rmk+kernel@xxxxxxxxxxxxxxx>

commit 9c698bff66ab4914bb3d71da7dc6112519bde23e upstream.

Ensure that the signal page contains our poison instruction to increase
the protection against ROP attacks and also contains well defined
contents.

Acked-by: Will Deacon <will@xxxxxxxxxx>
Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxx>
Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/arm/kernel/signal.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -625,18 +625,20 @@ struct page *get_signal_page(void)
 
 	addr = page_address(page);
 
+	/* Poison the entire page */
+	memset32(addr, __opcode_to_mem_arm(0xe7fddef1),
+		 PAGE_SIZE / sizeof(u32));
+
 	/* Give the signal return code some randomness */
 	offset = 0x200 + (get_random_int() & 0x7fc);
 	signal_return_offset = offset;
 
-	/*
-	 * Copy signal return handlers into the vector page, and
-	 * set sigreturn to be a pointer to these.
-	 */
+	/* Copy signal return handlers into the page */
 	memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
 
-	ptr = (unsigned long)addr + offset;
-	flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
+	/* Flush out all instructions in this page */
+	ptr = (unsigned long)addr;
+	flush_icache_range(ptr, ptr + PAGE_SIZE);
 
 	return page;
 }


Patches currently in stable-queue which might be from rmk+kernel@xxxxxxxxxxxxxxx are

queue-4.4/lib-string.c-add-multibyte-memset-functions.patch
queue-4.4/arm-ensure-the-signal-page-contains-defined-contents.patch






