lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <6C9EE370-1BE4-4556-8B79-39BDBBAED7F8@amacapital.net>
Date:   Tue, 3 Jul 2018 10:06:40 -0700
From:   Andy Lutomirski <luto@...capital.net>
To:     Andi Kleen <andi@...stfloor.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        linux-api <linux-api@...r.kernel.org>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        Boqun Feng <boqun.feng@...il.com>,
        Dave Watson <davejwatson@...com>, Paul Turner <pjt@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Russell King <linux@....linux.org.uk>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, Chris Lameter <cl@...ux.com>,
        Ben Maurer <bmaurer@...com>, rostedt <rostedt@...dmis.org>,
        Josh Triplett <josh@...htriplett.org>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will.deacon@....com>,
        Michael Kerrisk <mtk.manpages@...il.com>,
        Joel Fernandes <joelaf@...gle.com>, michal.simek@...inx.com,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>
Subject: Re: [RFC PATCH for 4.18] rseq: use __u64 for rseq_cs fields, validate user inputs


On Jul 3, 2018, at 9:40 AM, Andi Kleen <andi@...stfloor.org> wrote:

>> 
>> So I think you're good... But yes, you raise an interresting point.
> 
> So it sounds like architectures that don't have an instruction atomic u64
> *_user need to disable interrupts during the access, and somehow handle that
> case when a page fault happens?

I think all this discussion of “atomic” is a huge distraction. The properties we need are:

- User code can change rseq_cs from one valid user pointer to another with a single instruction (or equivalent) such that we can’t end up in the kernel with the write only partially done as seen in that thread.

- The kernel needs to be able to read the value consistently with the above requirement.

I don’t think it’s possible to have a valid implementation of get_user() on any architecture that’s so weak that this doesn’t work.

If user code writes rseq_cs from the wrong thread, I think the user code is buggy and we simply don’t care what happens.  The kernel should be allowed to use an arbitrarily weak read with respect to other threads.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ