| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b2b14665-9508-604e-6fa0-c9466dd18e7a@fb.com>
Date: Fri, 1 Mar 2019 06:30:17 +0000
From: Yonghong Song <yhs@...com>
To: Masami Hiramatsu <mhiramat@...nel.org>
CC: Steven Rostedt <rostedt@...dmis.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Shuah Khan <shuah@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"Andy Lutomirski" <luto@...capital.net>,
Ingo Molnar <mingo@...nel.org>,
"Andrew Morton" <akpm@...ux-foundation.org>,
Changbin Du <changbin.du@...il.com>,
Jann Horn <jannh@...gle.com>,
Kees Cook <keescook@...omium.org>,
"Andy Lutomirski" <luto@...nel.org>,
Alexei Starovoitov <alexei.starovoitov@...il.com>,
Nadav Amit <namit@...are.com>,
"Peter Zijlstra" <peterz@...radead.org>,
Joel Fernandes <joel@...lfernandes.org>
Subject: Re: [PATCH v5 3/6] uaccess: Add non-pagefault user-space read
functions
On 2/28/19 6:29 PM, Masami Hiramatsu wrote:
> Hi Yonghong,
>
> On Thu, 28 Feb 2019 22:49:43 +0000
> Yonghong Song <yhs@...com> wrote:
>
>>
>>
>> On 2/28/19 8:03 AM, Masami Hiramatsu wrote:
>>> Add probe_user_read(), strncpy_from_unsafe_user() and
>>> strnlen_unsafe_user() which allows caller to access user-space
>>> in IRQ context.
>>>
>>> Current probe_kernel_read() and strncpy_from_unsafe() are
>>> not available for user-space memory, because it sets
>>> KERNEL_DS while accessing data. On some arch, user address
>>> space and kernel address space can be co-exist, but others
>>> can not. In that case, setting KERNEL_DS means given
>>
>> Just curious. Given the list of arch's currently linux supports,
>> do you know which arch's fall into "user address space and
>> kernel address space" can co-exist, and which arch's cannot?
>
> As far as I can heard, (and based on probe_kernel_read() failure)
> sparc32 (and sparc64?), arm64, and s390 will not work.
> x86 works, but if user patch the 4G/4G, it shouldn't work.
Thanks for the info! Great to know the details.
>
> Thank you,
>
>>
>> Thanks!
>>
>> Yonghong
>>
>>
>>> address is treated as a kernel address space.
>>> Also strnlen_user() is only available from user context since
>>> it can sleep if pagefault is enabled.
>>>
>>> To access user-space memory without pagefault, we need
>>> these new functions which sets USER_DS while accessing
>>> the data.
>>>
>>> Signed-off-by: Masami Hiramatsu <mhiramat@...nel.org>
>>> ---
>>> Changes in v5:
>>> - Simplify probe_user_read() (Thanks, Peter!)
>>> - Add strnlen_unsafe_user()
>>> Changes in v3:
>>> - Use user_access_ok() for probe_user_read().
>>> Changes in v2:
>>> - Simplify strncpy_from_unsafe_user() using strncpy_from_user()
>>> according to Linus's suggestion.
>>> - Simplify probe_user_read() not using intermediate function.
>>> ---
>>> include/linux/uaccess.h | 14 +++++
>>> mm/maccess.c | 122 +++++++++++++++++++++++++++++++++++++++++++++--
>>> 2 files changed, 130 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
>>> index 1afd9dfabe67..5be7f9adb418 100644
>>> --- a/include/linux/uaccess.h
>>> +++ b/include/linux/uaccess.h
>>> @@ -258,6 +258,17 @@ extern long probe_kernel_read(void *dst, const void *src, size_t size);
>>> extern long __probe_kernel_read(void *dst, const void *src, size_t size);
>>>
>>> /*
>>> + * probe_user_read(): safely attempt to read from a location in user space
>>> + * @dst: pointer to the buffer that shall take the data
>>> + * @src: address to read from
>>> + * @size: size of the data chunk
>>> + *
>>> + * Safely read from address @src to the buffer at @dst. If a kernel fault
>>> + * happens, handle that and return -EFAULT.
>>> + */
>>> +extern long probe_user_read(void *dst, const void __user *src, size_t size);
>>> +
>>> +/*
>>> * probe_kernel_write(): safely attempt to write to a location
>>> * @dst: address to write to
>>> * @src: pointer to the data that shall be written
>>> @@ -270,6 +281,9 @@ extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
>>> extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
>>>
>>> extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
>>> +extern long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
>>> + long count);
>>> +extern long strnlen_unsafe_user(const void __user *unsafe_addr, long count);
>>>
>>> /**
>>> * probe_kernel_address(): safely attempt to read from a location
>>> diff --git a/mm/maccess.c b/mm/maccess.c
>>> index ec00be51a24f..d1b2ec78d9ef 100644
>>> --- a/mm/maccess.c
>>> +++ b/mm/maccess.c
>>> @@ -5,8 +5,20 @@
>>> #include <linux/mm.h>
>>> #include <linux/uaccess.h>
>>>
>>> +static __always_inline long
>>> +probe_read_common(void *dst, const void __user *src, size_t size)
>>> +{
>>> + long ret;
>>> +
>>> + pagefault_disable();
>>> + ret = __copy_from_user_inatomic(dst, src, size);
>>> + pagefault_enable();
>>> +
>>> + return ret ? -EFAULT : 0;
>>> +}
>>> +
>>> /**
>>> - * probe_kernel_read(): safely attempt to read from a location
>>> + * probe_kernel_read(): safely attempt to read from a kernel-space location
>>> * @dst: pointer to the buffer that shall take the data
>>> * @src: address to read from
>>> * @size: size of the data chunk
>>> @@ -29,17 +41,45 @@ long __probe_kernel_read(void *dst, const void *src, size_t size)
>>> mm_segment_t old_fs = get_fs();
>>>
>>> set_fs(KERNEL_DS);
>>> - pagefault_disable();
>>> - ret = __copy_from_user_inatomic(dst,
>>> - (__force const void __user *)src, size);
>>> - pagefault_enable();
>>> + ret = probe_read_common(dst, (__force const void __user *)src, size);
>>> set_fs(old_fs);
>>>
>>> - return ret ? -EFAULT : 0;
>>> + return ret;
>>> }
>>> EXPORT_SYMBOL_GPL(probe_kernel_read);
>>>
>>> /**
>>> + * probe_user_read(): safely attempt to read from a user-space location
>>> + * @dst: pointer to the buffer that shall take the data
>>> + * @src: address to read from. This must be a user address.
>>> + * @size: size of the data chunk
>>> + *
>>> + * Safely read from user address @src to the buffer at @dst. If a kernel fault
>>> + * happens, handle that and return -EFAULT.
>>> + */
>>> +
>>> +long __weak probe_user_read(void *dst, const void __user *src, size_t size)
>>> + __attribute__((alias("__probe_user_read")));
>>> +
>>> +long __probe_user_read(void *dst, const void __user *src, size_t size)
>>> +{
>>> + long ret = -EFAULT;
>>> + mm_segment_t old_fs = get_fs();
>>> +
>>> + /*
>>> + * Since this can be called in IRQ context, we carefully set the
>>> + * USER_DS and use user_access_ok() which checks segment setting
>>> + * instead of task context.
>>> + */
>>> + set_fs(USER_DS);
>>> + if (user_access_ok(src, size))
>>> + ret = probe_read_common(dst, src, size);
>>> + set_fs(old_fs);
>>> + return ret;
>>> +}
>>> +EXPORT_SYMBOL_GPL(probe_user_read);
>>> +
>>> +/**
>>> * probe_kernel_write(): safely attempt to write to a location
>>> * @dst: address to write to
>>> * @src: pointer to the data that shall be written
>>> @@ -66,6 +106,7 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
>>> }
>>> EXPORT_SYMBOL_GPL(probe_kernel_write);
>>>
>>> +
>>> /**
>>> * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
>>> * @dst: Destination address, in kernel space. This buffer must be at
>>> @@ -105,3 +146,72 @@ long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
>>>
>>> return ret ? -EFAULT : src - unsafe_addr;
>>> }
>>> +
>>> +/**
>>> + * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
>>> + * address.
>>> + * @dst: Destination address, in kernel space. This buffer must be at
>>> + * least @count bytes long.
>>> + * @unsafe_addr: Unsafe user address.
>>> + * @count: Maximum number of bytes to copy, including the trailing NUL.
>>> + *
>>> + * Copies a NUL-terminated string from unsafe user address to kernel buffer.
>>> + *
>>> + * On success, returns the length of the string INCLUDING the trailing NUL.
>>> + *
>>> + * If access fails, returns -EFAULT (some data may have been copied
>>> + * and the trailing NUL added).
>>> + *
>>> + * If @count is smaller than the length of the string, copies @count-1 bytes,
>>> + * sets the last byte of @dst buffer to NUL and returns @count.
>>> + */
>>> +long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
>>> + long count)
>>> +{
>>> + mm_segment_t old_fs = get_fs();
>>> + long ret;
>>> +
>>> + if (unlikely(count <= 0))
>>> + return 0;
>>> +
>>> + set_fs(USER_DS);
>>> + pagefault_disable();
>>> + ret = strncpy_from_user(dst, unsafe_addr, count);
>>> + pagefault_enable();
>>> + set_fs(old_fs);
>>> + if (ret >= count) {
>>> + ret = count;
>>> + dst[ret - 1] = '\0';
>>> + } else if (ret > 0)
>>> + ret++;
>>> + return ret;
>>> +}
>>> +
>>> +/**
>>> + * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
>>> + * @unsafe_addr: The string to measure.
>>> + * @count: Maximum count (including NUL character)
>>> + *
>>> + * Get the size of a NUL-terminated string in user space without pagefault.
>>> + *
>>> + * Returns the size of the string INCLUDING the terminating NUL.
>>> + *
>>> + * If the string is too long, returns a number larger than @count. User
>>> + * has to check the return value against "> count".
>>> + * On exception (or invalid count), returns 0.
>>> + *
>>> + * Unlike strnlen_user, this can be used from IRQ handler etc. because
>>> + * it disables pagefaults.
>>> + */
>>> +long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
>>> +{
>>> + mm_segment_t old_fs = get_fs();
>>> + int ret;
>>> +
>>> + set_fs(USER_DS);
>>> + pagefault_disable();
>>> + ret = strnlen_user(unsafe_addr, count);
>>> + pagefault_enable();
>>> + set_fs(old_fs);
>>> + return ret;
>>> +}
>>>
>
>
Powered by blists - more mailing lists