lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 21 May 2019 15:48:56 -0300
From:   Jason Gunthorpe <>
To:     Catalin Marinas <>
Cc:     Andrey Konovalov <>,,,,,,,,,,
        Vincenzo Frascino <>,
        Will Deacon <>,
        Mark Rutland <>,
        Andrew Morton <>,
        Greg Kroah-Hartman <>,
        Kees Cook <>,
        Yishai Hadas <>,
        Felix Kuehling <>,
        Alexander Deucher <>,
        Christian Koenig <>,
        Mauro Carvalho Chehab <>,
        Jens Wiklander <>,
        Alex Williamson <>,
        Leon Romanovsky <>,
        Dmitry Vyukov <>,
        Kostya Serebryany <>,
        Evgeniy Stepanov <>,
        Lee Smith <>,
        Ramana Radhakrishnan <>,
        Jacob Bramley <>,
        Ruben Ayrapetyan <>,
        Robin Murphy <>,
        Luc Van Oostenryck <>,
        Dave Martin <>,
        Kevin Brodsky <>,
        Szabolcs Nagy <>
Subject: Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

On Fri, May 17, 2019 at 03:49:31PM +0100, Catalin Marinas wrote:

> The tagged pointers (whether hwasan or MTE) should ideally be a
> transparent feature for the application writer but I don't think we can
> solve it entirely and make it seamless for the multitude of ioctls().
> I'd say you only opt in to such feature if you know what you are doing
> and the user code takes care of specific cases like ioctl(), hence the
> prctl() proposal even for the hwasan.

I'm not sure such a dire view is warrented.. 

The ioctl situation is not so bad, other than a few special cases,
most drivers just take a 'void __user *' and pass it as an argument to
some function that accepts a 'void __user *'. sparse et al verify

As long as the core functions do the right thing the drivers will be

The only place things get dicy is if someone casts to unsigned long
(ie for vma work) but I think that reflects that our driver facing
APIs for VMAs are compatible with static analysis (ie I have no
earthly idea why get_user_pages() accepts an unsigned long), not that
this is too hard.


Powered by blists - more mailing lists