| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Apr 2018 16:45:37 +0200
From: Andrey Konovalov <andreyknvl@...gle.com>
To: "Kirill A. Shutemov" <kirill@...temov.name>
Cc: Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Jonathan Corbet <corbet@....net>,
Mark Rutland <mark.rutland@....com>,
Robin Murphy <robin.murphy@....com>,
Al Viro <viro@...iv.linux.org.uk>,
James Morse <james.morse@....com>,
Kees Cook <keescook@...omium.org>,
Bart Van Assche <bart.vanassche@....com>,
Kate Stewart <kstewart@...uxfoundation.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
Philippe Ombredanne <pombredanne@...b.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Ingo Molnar <mingo@...nel.org>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
Dan Williams <dan.j.williams@...el.com>,
"Aneesh Kumar K . V" <aneesh.kumar@...ux.vnet.ibm.com>,
Zi Yan <zi.yan@...rutgers.edu>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
linux-doc@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
Linux Memory Management List <linux-mm@...ck.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
Evgeniy Stepanov <eugenis@...gle.com>,
Lee Smith <Lee.Smith@....com>,
Ramana Radhakrishnan <Ramana.Radhakrishnan@....com>,
Jacob Bramley <Jacob.Bramley@....com>,
Ruben Ayrapetyan <Ruben.Ayrapetyan@....com>
Subject: Re: [PATCH 0/6] arm64: untag user pointers passed to the kernel
On Thu, Apr 19, 2018 at 11:33 AM, Kirill A. Shutemov
<kirill@...temov.name> wrote:
> On Wed, Apr 18, 2018 at 08:53:09PM +0200, Andrey Konovalov wrote:
>> Hi!
>>
>> arm64 has a feature called Top Byte Ignore, which allows to embed pointer
>> tags into the top byte of each pointer. Userspace programs (such as
>> HWASan, a memory debugging tool [1]) might use this feature and pass
>> tagged user pointers to the kernel through syscalls or other interfaces.
>>
>> This patch makes a few of the kernel interfaces accept tagged user
>> pointers. The kernel is already able to handle user faults with tagged
>> pointers and has the untagged_addr macro, which this patchset reuses.
>>
>> We're not trying to cover all possible ways the kernel accepts user
>> pointers in one patchset, so this one should be considered as a start.
>
> How many changes do you anticipate?
>
> This patchset looks small and reasonable, but I see a potential to become a
> boilerplate. Would we need to change every driver which implements ioctl()
> to strip these bits?
I've replied to somewhat similar question in one of the previous
versions of the patchset.
"""
There are two different approaches to untagging the user pointers that I see:
1. Untag user pointers right after they are passed to the kernel.
While this might be possible for pointers that are passed to syscalls
as arguments (Catalin's "hack"), this leaves user pointers, that are
embedded into for example structs that are passed to the kernel. Since
there's no specification of the interface between user space and the
kernel, different kernel parts handle user pointers differently and I
don't see an easy way to cover them all.
2. Untag user pointers where they are used in the kernel.
Although there's no specification on the interface between the user
space and the kernel, the kernel still has to use one of a few
specific ways to access user data (copy_from_user, etc.). So the idea
here is to add untagging into them. This patchset mostly takes this
approach (with the exception of memory subsystem syscalls).
If there's a better approach, I'm open to suggestions.
"""
So if we go with the first way, we'll need to go through every syscall
and ioctl handler, which doesn't seem feasible.
Powered by blists - more mailing lists