From: Russell King <rmk+kernel@armlinux.org.uk>

Date: Fri, 29 Jan 2021 10:19:07 +0000

Subject: ARM: ensure the signal page contains defined contents

Git-commit: 9c698bff66ab4914bb3d71da7dc6112519bde23e

Patch-mainline: v5.11-rc7

References: CVE-2021-21781 bsc#1188445

Ensure that the signal page contains our poison instruction to increase

the protection against ROP attacks and also contains well defined

contents.

Acked-by: Will Deacon <will@kernel.org>

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>

Signed-off-by: Matthias Brugger <mbrugger@suse.com>

---

 arch/arm/kernel/signal.c | 14 ++++++++------

 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c

index 9d2e916121be..a3a38d0a4c85 100644

--- a/arch/arm/kernel/signal.c

+++ b/arch/arm/kernel/signal.c

@@ -693,18 +693,20 @@ struct page *get_signal_page(void)

 	addr = page_address(page);

+	/* Poison the entire page */

+	memset32(addr, __opcode_to_mem_arm(0xe7fddef1),

+		 PAGE_SIZE / sizeof(u32));

+

 	/* Give the signal return code some randomness */

 	offset = 0x200 + (get_random_int() & 0x7fc);

 	signal_return_offset = offset;

-	/*

-	 * Copy signal return handlers into the vector page, and

-	 * set sigreturn to be a pointer to these.

-	 */

+	/* Copy signal return handlers into the page */

 	memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));

-	ptr = (unsigned long)addr + offset;

-	flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));

+	/* Flush out all instructions in this page */

+	ptr = (unsigned long)addr;

+	flush_icache_range(ptr, ptr + PAGE_SIZE);

 	return page;

 }

-- 

2.31.1