lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20180319110002.27419-1-abrodkin@synopsys.com>
Date:   Mon, 19 Mar 2018 14:00:02 +0300
From:   Alexey Brodkin <Alexey.Brodkin@...opsys.com>
To:     linux-snps-arc@...ts.infradead.org
Cc:     linux-kernel@...r.kernel.org,
        Vineet Gupta <Vineet.Gupta1@...opsys.com>,
        Alexey Brodkin <Alexey.Brodkin@...opsys.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Max Filippov <jcmvbkbc@...il.com>, linux-arch@...r.kernel.org
Subject: [PATCH] ARC: Improve cmpxchng syscall implementation

arc_usr_cmpxchg syscall is supposed to be used on platforms
that lack support of Load-Locked/Store-Conditional instructions
in hardware. And in that case we mimic missing hardware features
with help of kernel's sycall that "atomically" checks current
value in memory and then if it matches caller expectation new
value is written to that same location.

What's important in the description above:
 - Check-and-exchange must be "atomical" which means
   preemption must be disabled during entire "transaction"
 - Data accessed is from user-space, i.e. we're dealing
   with virtual addresses

And in current implementation we have a couple of problems:

1. We do disable preemprion around __get_user() & __put_user()
   but that in its turn disables page fault handler.
   That means if a pointer to user's data has no mapping in
   the TLB we won't be able to access required data.
   Instead software "exception handling" code from __get_user_fn()
   will return -EFAULT.

2. What's worse if we're dealing with data from not yet allocated
   page (think of pre-copy-on-write state) we'll successfully
   read data but on write we'll silently return to user-space
   with correct result (which we really read just before). That leads
   to very strange problems in user-space app further down the line
   because new value was never written to the destination.

3. Regardless of what went wrong we'll return from syscall
   and user-space application will continue to execute.
   Even if user's pointer was completely bogus.
   In case of hardware LL/SC that app would have been killed
   by the kernel.

With that change we attempt to imrove on all 3 items above:

1. We still disable preemption around read-and-write of
   user's data but if we happen to fail with either of them
   we're enabling preemption and try to force page fault so
   that we have a correct mapping in the TLB. Then re-try
   again in "atomic" context.

2. If real page fault fails or even access_ok() returns false
   we send SIGSEGV to the user-space process so if something goes
   seriously wrong we'll know about it much earlier.

Signed-off-by: Alexey Brodkin <abrodkin@...opsys.com>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Vineet Gupta <vgupta@...opsys.com>
Cc: Max Filippov <jcmvbkbc@...il.com>
Cc: linux-arch@...r.kernel.org
---
 arch/arc/kernel/process.c | 47 +++++++++++++++++++++++++++++++++++++----------
 1 file changed, 37 insertions(+), 10 deletions(-)

diff --git a/arch/arc/kernel/process.c b/arch/arc/kernel/process.c
index 5ac3b547453f..d7d3e16133d6 100644
--- a/arch/arc/kernel/process.c
+++ b/arch/arc/kernel/process.c
@@ -47,7 +47,9 @@ SYSCALL_DEFINE0(arc_gettls)
 SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
 {
 	struct pt_regs *regs = current_pt_regs();
-	int uval = -EFAULT;
+	struct page *page;
+	u32 val;
+	int ret;
 
 	/*
 	 * This is only for old cores lacking LLOCK/SCOND, which by defintion
@@ -60,23 +62,48 @@ SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
 	/* Z indicates to userspace if operation succeded */
 	regs->status32 &= ~STATUS_Z_MASK;
 
-	if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
-		return -EFAULT;
+	ret = access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr));
+	if (!ret)
+		goto fail;
 
+again:
 	preempt_disable();
 
-	if (__get_user(uval, uaddr))
-		goto done;
-
-	if (uval == expected) {
-		if (!__put_user(new, uaddr))
+	ret = __get_user(val, uaddr);
+	if (ret == -EFAULT) {
+		preempt_enable();
+		ret = get_user_pages_fast((unsigned long)uaddr, 1, 1, &page);
+		if (ret < 0)
+			goto fail;
+
+		put_page(page);
+		goto again;
+	} else if (ret)
+		goto fail;
+
+	if (val == expected) {
+		ret = __put_user(new, uaddr);
+		if (!ret)
 			regs->status32 |= STATUS_Z_MASK;
 	}
 
-done:
 	preempt_enable();
 
-	return uval;
+	if (ret == -EFAULT) {
+		ret = get_user_pages_fast((unsigned long)uaddr, 1, 1, &page);
+		if (ret < 0)
+			goto fail;
+
+		put_page(page);
+		goto again;
+	} else if (ret)
+		goto fail;
+
+	return val;
+
+fail:
+	force_sig(SIGSEGV, current);
+	return ret;
 }
 
 #ifdef CONFIG_ISA_ARCV2
-- 
2.11.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ