Sun Dec 8 14:31:58 2019 UTC ()

Pull up following revision(s) (requested by ryo in ticket #510):

	sys/arch/arm/arm32/fault.c: revision 1.109

if Thumb-32 bit instruction located on a page boundariy, also need to consider the pc + 2 address.
Fix PR/54720. more detail and PoC are descrived in the PR.


(martin)

diff -r1.108 -r1.108.4.1 src/sys/arch/arm/arm32/fault.c

--- src/sys/arch/arm/arm32/fault.c 2019/04/06 03:06:25	1.108
+++ src/sys/arch/arm/arm32/fault.c 2019/12/08 14:31:57	1.108.4.1

 @@ -1,14 +1,14 @@
-/*	$NetBSD: fault.c,v 1.108 2019/04/06 03:06:25 thorpej Exp $	*/
+/*	$NetBSD: fault.c,v 1.108.4.1 2019/12/08 14:31:57 martin Exp $	*/
 /*
  * Copyright 2003 Wasabi Systems, Inc.
  * All rights reserved.
+ *
  * Written by Steve C. Woodford for Wasabi Systems, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -71,27 +71,27 @@
  * RiscBSD kernel project
+ *
  * fault.c
+ *
  * Fault handlers
+ *
  * Created      : 28/11/94
  */
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
 #include <sys/types.h>
-__KERNEL_RCSID(0, "$NetBSD: fault.c,v 1.108 2019/04/06 03:06:25 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fault.c,v 1.108.4.1 2019/12/08 14:31:57 martin Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
 #include <sys/kernel.h>
 #include <sys/kauth.h>
 #include <sys/cpu.h>
 #include <sys/intr.h>
 #include <uvm/uvm_extern.h>
 #include <uvm/uvm_stat.h>
 #ifdef UVMHIST
 #include <uvm/uvm.h>
 @@ -828,26 +828,29 @@ prefetch_abort_handler(trapframe_t *tf)
 		break;
+	}
 	/* Prefetch aborts cannot happen in kernel mode */
 	if (__predict_false(!user))
 		dab_fatal(tf, 0, tf->tf_pc, NULL, NULL);
 	/* Get fault address */
 	fault_pc = tf->tf_pc;
 	KASSERTMSG(tf == lwp_trapframe(l), "tf %p vs %p", tf, lwp_trapframe(l));
 	UVMHIST_LOG(maphist, " (pc=0x%jx, l=0x%#jx, tf=0x%#jx)",
 	    fault_pc, (uintptr_t)l, (uintptr_t)tf, 0);
 #ifdef THUMB_CODE
  recheck:
 #endif
 	/* Ok validate the address, can only execute in USER space */
 	if (__predict_false(fault_pc >= VM_MAXUSER_ADDRESS ||
 	    (fault_pc < VM_MIN_ADDRESS && vector_page == ARM_VECTORS_LOW))) {
 		KSI_INIT_TRAP(&ksi);
 		ksi.ksi_signo = SIGSEGV;
 		ksi.ksi_code = SEGV_ACCERR;
 		ksi.ksi_addr = (uint32_t *)(intptr_t) fault_pc;
 		ksi.ksi_trap = fault_pc;
 		goto do_trapsignal;
+	}
 	map = &l->l_proc->p_vmspace->vm_map;
 	va = trunc_page(fault_pc);
 @@ -887,26 +890,38 @@ prefetch_abort_handler(trapframe_t *tf)
 		    l->l_cred ? kauth_cred_geteuid(l->l_cred) : -1);
 		ksi.ksi_signo = SIGKILL;
 	} else
 		ksi.ksi_signo = SIGSEGV;
 	ksi.ksi_code = SEGV_MAPERR;
 	ksi.ksi_addr = (uint32_t *)(intptr_t) fault_pc;
 	ksi.ksi_trap = fault_pc;
 do_trapsignal:
 	call_trapsignal(l, tf, &ksi);
 out:
 #ifdef THUMB_CODE
 #define THUMB_32BIT(hi) (((hi) & 0xe000) == 0xe000 && ((hi) & 0x1800))
 	/* thumb-32 instruction was located on page boundary? */
 	if ((tf->tf_spsr & PSR_T_bit) &&
 	    ((fault_pc & PAGE_MASK) == (PAGE_SIZE - THUMB_INSN_SIZE)) &&
 	    THUMB_32BIT(*(uint16_t *)tf->tf_pc)) {
 		fault_pc = tf->tf_pc + THUMB_INSN_SIZE;
 		goto recheck;
+	}
 #endif /* THUMB_CODE */
 	KASSERT(!TRAP_USERMODE(tf) || VALID_R15_PSR(tf->tf_pc, tf->tf_spsr));
 	userret(l);
+}
 /*
  * Tentatively read an 8, 16, or 32-bit value from 'addr'.
  * If the read succeeds, the value is written to 'rptr' and zero is returned.
  * Else, return EFAULT.
  */
 int
 badaddr_read(void *addr, size_t size, void *rptr)
+{
 	extern int badaddr_read_1(const uint8_t *, uint8_t *);