[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180309150309.4sue2zj6teehx6e3@lakrids.cambridge.arm.com>
Date: Fri, 9 Mar 2018 15:03:09 +0000
From: Mark Rutland <mark.rutland@....com>
To: Andrey Konovalov <andreyknvl@...gle.com>
Cc: Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Robin Murphy <robin.murphy@....com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, Arnd Bergmann <arnd@...db.de>,
linux-arch@...r.kernel.org, Dmitry Vyukov <dvyukov@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
Evgeniy Stepanov <eugenis@...gle.com>,
Lee Smith <Lee.Smith@....com>,
Ramana Radhakrishnan <Ramana.Radhakrishnan@....com>,
Jacob Bramley <Jacob.Bramley@....com>,
Ruben Ayrapetyan <Ruben.Ayrapetyan@....com>
Subject: Re: [RFC PATCH 2/6] arm64: untag user addresses in copy_from_user
and others
On Fri, Mar 09, 2018 at 03:02:00PM +0100, Andrey Konovalov wrote:
> copy_from_user (and a few other similar functions) are used to copy data
> from user memory into the kernel memory or vice versa. Since a user can
> provided a tagged pointer to one of the syscalls that use copy_from_user,
> we need to correctly handle such pointers.
I don't think it makes sense to do this in the low-level uaccess
primitives, given we're going to have to untag pointers before common
code can use them, e.g. for comparisons against TASK_SIZE or
user_addr_max().
I think we'll end up with subtle bugs unless we consistently untag
pointers before we get to uaccess primitives. If core code does untag
pointers, then it's redundant to do so here.
Thanks,
Mark.
>
> Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com>
> ---
> arch/arm64/include/asm/uaccess.h | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index 2d6451cbaa86..24a221678fe3 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si
> #define untagged_addr(addr) \
> ((__typeof__(addr))sign_extend64((__u64)(addr), 55))
>
> -#define access_ok(type, addr, size) __range_ok(addr, size)
> +#define access_ok(type, addr, size) \
> + __range_ok(untagged_addr(addr), size)
> #define user_addr_max get_fs
>
> #define _ASM_EXTABLE(from, to) \
> @@ -238,12 +239,15 @@ static inline void uaccess_enable_not_uao(void)
> /*
> * Sanitise a uaccess pointer such that it becomes NULL if above the
> * current addr_limit.
> + * Also untag user pointers that have the top byte tag set.
> */
> #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
> static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
> {
> void __user *safe_ptr;
>
> + ptr = untagged_addr(ptr);
> +
> asm volatile(
> " bics xzr, %1, %2\n"
> " csel %0, %1, xzr, eq\n"
> --
> 2.16.2.395.g2e18187dfd-goog
>
Powered by blists - more mailing lists