oss-sec mailing list archives

CVE request - Linux Kernel KGDB/ppc issue


From: Hui Zhu <hui.zhu () windriver com>
Date: Thu, 29 Apr 2010 10:13:18 +0800

Hi All,

The problem is that if KGDB is enabled on a powerpc board, a
test that checks if a page is user or kernel is bypassed.
This means that a user can write to arbitrary kernel address space.

Upon further investigation, we found that kernels older than
the v2.6.30-rc1 release have the same problem for non-booke
ppc chips (74xx, 8641D), so we need two patches for kernels
up to that date, and then one patch for ones after that date.

Thanks,
Hui

From 6450901836cb2c3dc92edf39a92532e3bb94cb88 Mon Sep 17 00:00:00 2001
From: Wufei <fei.wu () windriver com>
Date: Wed, 28 Apr 2010 17:42:32 -0400
Subject: [PATCH] kgdb: don't needlessly skip PAGE_USER test for Fsl booke

The bypassing of this test is a leftover from 2.4 vintage
kernels, and is no longer appropriate, or even used by KGDB.
Currently KGDB uses probe_kernel_write() for all access to
memory via the KGDB core, so it can simply be deleted.

Signed-off-by: Wufei <fei.wu () windriver com>
Signed-off-by: Jason Wessel <jason.wessel () windriver com>
---
 arch/powerpc/mm/fsl_booke_mmu.c |    5 -----
 1 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/mm/fsl_booke_mmu.c b/arch/powerpc/mm/fsl_booke_mmu.c
index c539472..1ce9dd5 100644
--- a/arch/powerpc/mm/fsl_booke_mmu.c
+++ b/arch/powerpc/mm/fsl_booke_mmu.c
@@ -155,15 +155,10 @@ static void settlbcam(int index, unsigned long virt, phys_addr_t phys,
        if (cur_cpu_spec->cpu_features & MMU_FTR_BIG_PHYS)
                TLBCAM[index].MAS7 = (u64)phys >> 32;
 
-#ifndef CONFIG_KGDB /* want user access for breakpoints */
        if (flags & _PAGE_USER) {
           TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR;
           TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_UW : 0);
        }
-#else
-       TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR;
-       TLBCAM[index].MAS3 |= ((flags & _PAGE_RW) ? MAS3_UW : 0);
-#endif
 
        tlbcam_addrs[index].start = virt;
        tlbcam_addrs[index].limit = virt + size - 1;
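Review bot: the body of the surviving `if (flags & _PAGE_USER)` block is indented by three spaces (`   TLBCAM[index].MAS3 |= MAS3_UX | MAS3_UR;`) while the neighbouring `if (cur_cpu_spec->cpu_features & MMU_FTR_BIG_PHYS)` block two lines up uses a full tab-width indent; now that the #ifndef/#else that justified leaving those lines alone is gone, reindent them in the same patch. On the substance: the deleted #else branch set MAS3_UX | MAS3_UR on every TLBCAM entry and MAS3_UW on every _PAGE_RW entry regardless of _PAGE_USER, so in a CONFIG_KGDB build the CAM-mapped kernel region was user readable, executable and (where RW) writable; after this hunk the user bits are gated only by `if (flags & _PAGE_USER)`, which is the intended behaviour. Since the commit message justifies the removal by saying KGDB uses probe_kernel_write() for all memory access, pointing at that code in the message would help stable maintainers verify that nothing on fsl_booke still relies on the removed user-mode access.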
-- 
1.6.5.2

From 5a71decdf73021b70a1a45087ad6e5abba81cce8 Mon Sep 17 00:00:00 2001
From: Paul Gortmaker <paul.gortmaker () windriver com>
Date: Wed, 28 Apr 2010 18:39:19 -0400
Subject: [PATCH] kgdb: don't needlessly skip PAGE_USER test

Part of commit 8d1cf34e7ad5c7738ce20d20bd7f002f562cb8b5,
present in 2.6.30-rc1 and newer kernels deletes this needless
KGDB specific skipping of the _PAGE_USER test.

The bypassing of this test is a leftover from 2.4 vintage
kernels, and is no longer appropriate, or even used by KGDB.
Currently KGDB uses probe_kernel_write() for all access to
memory via the KGDB core.

Signed-off-by: Paul Gortmaker <paul.gortmaker () windriver com>
Signed-off-by: Jason Wessel <jason.wessel () windriver com>
---
 arch/powerpc/mm/ppc_mmu_32.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/ppc_mmu_32.c b/arch/powerpc/mm/ppc_mmu_32.c
index 49b195e..abedf35 100644
--- a/arch/powerpc/mm/ppc_mmu_32.c
+++ b/arch/powerpc/mm/ppc_mmu_32.c
@@ -136,9 +136,7 @@ void __init setbat(int index, unsigned long virt, phys_addr_t phys,
                wimgxpp |= (flags & _PAGE_RW)? BPP_RW: BPP_RX;
                bat[1].batu = virt | (bl << 2) | 2; /* Vs=1, Vp=0 */
                bat[1].batl = BAT_PHYS_ADDR(phys) | wimgxpp;
-#ifndef CONFIG_KGDB /* want user access for breakpoints */
                if (flags & _PAGE_USER)
-#endif
                        bat[1].batu |= 1;       /* Vp = 1 */
                if (flags & _PAGE_GUARDED) {
                        /* G bit must be zero in IBATs */
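Review bot: the Subject line is almost a duplicate of the first patch's (`kgdb: don't needlessly skip PAGE_USER test` vs `... for Fsl booke`), and both are aimed at the same pre-2.6.30-rc1 stable trees; name the MMU or file in this one (`... in setbat()`, or `for ppc_mmu_32`) so the two cannot be confused in a stable queue, and consider citing the exact hunk of 8d1cf34e7ad5c7738ce20d20bd7f002f562cb8b5 that this backports. The hunk itself is correct: removing the #ifndef leaves `if (flags & _PAGE_USER)` guarding the single statement `bat[1].batu |= 1; /* Vp = 1 */`, whereas a KGDB build previously set Vp=1 on every BAT, and because `bat[1].batl` carries BPP_RW for _PAGE_RW mappings that made the BAT-mapped kernel region readable and writable from user mode. The `/* Vs=1, Vp=0 */` comment on the batu line now describes the real default, so no comment change is needed.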
-- 
1.6.5.2

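The report above says the effect of the bypass is that user space can access kernel address space. The following is an added example, not code from the report, the patches or the kernel: a small user-space probe that reads one byte from a given address and reports whether the access faulted, so an affected board can be checked without a debugger. It deliberately only reads (the old code granted MAS3_UR / Vp=1 unconditionally, so a read is enough to show the bypass) and never writes, since a successful write would corrupt the running kernel. The kernel base address is an assumption: 0xc0000000 is the usual PAGE_OFFSET for 32-bit powerpc; adjust it for the board under test. On a fixed kernel, or on any other architecture, the read at that address faults and the probe reports it as not readable.

```c
/* Added example (not from the report or patches): probe whether a user
 * process can read a byte at a given address.  A CONFIG_KGDB build with
 * the bypass still present lets a read at PAGE_OFFSET succeed on 32-bit
 * powerpc; a fixed kernel raises SIGSEGV. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed 32-bit powerpc PAGE_OFFSET; board-specific, adjust as needed. */
#define KERNEL_BASE_ASSUMED 0xc0000000UL

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_armed;

static void probe_handler(int sig)
{
    if (probe_armed) {
        probe_armed = 0;
        siglongjmp(probe_env, sig);
    }
    /* A fault we did not arm for: restore default action and re-raise. */
    signal(sig, SIG_DFL);
    raise(sig);
}

/* Returns 1 if a byte at addr is readable from user space, 0 if the
 * access raised SIGSEGV or SIGBUS.  Handlers are restored afterwards. */
int probe_read(const void *addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int readable = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        probe_armed = 1;
        /* volatile so the compiler cannot drop the load */
        unsigned char v = *(const volatile unsigned char *)addr;
        (void)v;
        probe_armed = 0;
        readable = 1;
    } else {
        readable = 0; /* landed here via siglongjmp from the handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return readable;
}

/* Self-checks with constructed mappings: a PROT_NONE page must fault,
 * a PROT_READ page must not.  These validate the probe on any Linux box. */
int probe_unmapped_page(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, ps, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int r = probe_read(p);
    munmap(p, ps);
    return r;
}

int probe_mapped_page(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, ps, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int r = probe_read(p);
    munmap(p, ps);
    return r;
}

int main(void)
{
    const void *kbase = (const void *)(uintptr_t)KERNEL_BASE_ASSUMED;
    printf("PROT_NONE page readable: %d (expect 0)\n", probe_unmapped_page());
    printf("PROT_READ page readable: %d (expect 1)\n", probe_mapped_page());
    printf("assumed kernel base %p readable from user space: %d\n",
           kbase, probe_read(kbase));
    return 0;
}
```

Run it as an unprivileged user on the board: a result of 1 for the kernel base line means user mode can read kernel mappings and the `_PAGE_USER` bypass (or something equivalent) is still in place; 0 is the expected result on a kernel carrying the patches above. The two self-check lines should always print 0 and 1, otherwise the probe itself is not working on that system.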