[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1321FA0E-51AA-4A4E-9249-8A745F510F93@zytor.com>
Date: Thu, 07 Mar 2019 09:14:45 -0800
From: hpa@...or.com
To: Peter Zijlstra <peterz@...radead.org>,
torvalds@...ux-foundation.org, tglx@...utronix.de,
julien.thierry@....com, will.deacon@....com, luto@...capital.net,
mingo@...nel.org, catalin.marinas@....com, james.morse@....com,
valentin.schneider@....com, brgerst@...il.com, jpoimboe@...hat.com,
luto@...nel.org, bp@...en8.de, dvlasenk@...hat.com
CC: linux-kernel@...r.kernel.org, peterz@...radead.org,
dvyukov@...gle.com, rostedt@...dmis.org
Subject: Re: [PATCH 00/20] objtool: UACCESS validation v3
On March 7, 2019 3:45:11 AM PST, Peter Zijlstra <peterz@...radead.org> wrote:
>Teach objtool to validate the UACCESS (SMAP, PAN) rules with are
>currently
>unenforced and (therefore obviously) violated.
>
>UACCESS sections should be small; we want to limit the amount of code
>that can
>touch userspace. Furthermore, UACCESS state isn't scheduled, this means
>that
>anything that directly calls into the scheduler will result in random
>code
>running with UACCESS enabled and possibly getting back into the UACCESS
>region
>with UACCESS disabled and causing faults.
>
>Forbid any CALL/RET while UACCESS is enabled; but provide a few
>exceptions.
>
>This builds x86_64-allmodconfig clean, and I've only got a few
>randconfig
>failures left (GCC-8) that I'm not quite understanding.
>
>---
> arch/x86/ia32/ia32_signal.c | 29 ++-
> arch/x86/include/asm/asm.h | 24 --
> arch/x86/include/asm/nospec-branch.h | 4 +-
> arch/x86/include/asm/smap.h | 20 ++
> arch/x86/include/asm/uaccess.h | 5 +-
> arch/x86/include/asm/uaccess_64.h | 3 -
> arch/x86/include/asm/xen/hypercall.h | 26 +-
> arch/x86/kernel/signal.c | 2 +-
> arch/x86/lib/copy_user_64.S | 48 ++++
> arch/x86/lib/memcpy_64.S | 3 +-
> arch/x86/lib/usercopy_64.c | 20 --
> drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +-
> include/linux/uaccess.h | 2 +
> kernel/trace/trace_branch.c | 4 +
> lib/Makefile | 1 +
> lib/ubsan.c | 4 +
> mm/kasan/Makefile | 3 +
> mm/kasan/common.c | 10 +
> mm/kasan/report.c | 3 +-
> scripts/Makefile.build | 3 +
> tools/objtool/Makefile | 2 +-
> tools/objtool/arch.h | 8 +-
> tools/objtool/arch/x86/decode.c | 26 +-
> tools/objtool/builtin-check.c | 4 +-
> tools/objtool/builtin.h | 2 +-
>tools/objtool/check.c | 382
>++++++++++++++++++++++-------
> tools/objtool/check.h | 4 +-
> tools/objtool/elf.c | 15 +-
> tools/objtool/elf.h | 3 +-
> tools/objtool/special.c | 10 +-
> tools/objtool/warn.h | 8 +
> 31 files changed, 511 insertions(+), 173 deletions(-)
>
>
>
This is phenomenal. Thank you so much for digging into this. I'm hoping this will greatly reduce the risk of future leakage.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Powered by blists - more mailing lists