| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 May 2020 07:12:13 +0200
From: Christoph Hellwig <hch@....de>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Christoph Hellwig <hch@....de>,
the arch/x86 maintainers <x86@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Masami Hiramatsu <mhiramat@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-parisc@...r.kernel.org,
linux-um <linux-um@...ts.infradead.org>,
Netdev <netdev@...r.kernel.org>, bpf@...r.kernel.org,
Linux-MM <linux-mm@...ck.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 15/15] x86: use non-set_fs based maccess routines
On Wed, May 06, 2020 at 12:01:32PM -0700, Linus Torvalds wrote:
> Oh, absolutely. I did *NOT* mean that you'd use "unsafe_get_user()" as
> the actual interface. I just meant that as an implementation detail on
> x86, using "unsafe_get_user()" instead of "__get_user_size()"
> internally both simplifies the implementation, and means that it
> doesn't clash horribly with my local changes.
I had a version that just wrapped them, but somehow wasn't able to
make it work due to all the side effects vs macros issues. Maybe I
need to try again, the current version seemed like a nice way out
as it avoided a lot of the silly casting.
> Btw, that brings up another issue: so that people can't mis-use those
> kernel accessors and use them for user addresses, they probably should
> actually do something like
>
> if ((long)addr >= 0)
> goto error_label;
>
> on x86. IOW, have the "strict" kernel pointer behavior.
>
> Otherwise somebody will start using them for user pointers, and it
> will happen to work on old x86 without CLAC/STAC support.
>
> Of course, maybe CLAC/STAC is so common these days (at least with
> developers) that we don't have to worry about it.
The actual public routines (probe_kernel_read and co) get these
checks through probe_kernel_read_allowed, which is implemented by
the x86 code. Doing this for every 1-8 byte access might be a little
slow, though. Do you really fear drivers starting to use the low-level
helper? Maybe we need to move those into a different header than
<asm/uaccess.h> that makes it more clear that they are internal?
> But here you see what it is, if you want to. __get_user_size()
> technically still exists, but it has the "target branch" semantics in
> here, so your patch clashes badly with it.
The target branch semantics actually are what I want, that is how the
maccess code is structured. This is the diff I'd need for the calling
conventions in your bundle:
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 765e18417b3ba..d1c8aacedade1 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -526,14 +526,8 @@ do { \
#define HAVE_ARCH_PROBE_KERNEL
#define arch_kernel_read(dst, src, type, err_label) \
-do { \
- int __kr_err; \
- \
__get_user_size(*((type *)dst), (__force type __user *)src, \
- sizeof(type), __kr_err); \
- if (unlikely(__kr_err)) \
- goto err_label; \
-} while (0)
+ sizeof(type), err_label); \
#define arch_kernel_write(dst, src, type, err_label) \
__put_user_size(*((type *)(src)), (__force type __user *)(dst), \
Powered by blists - more mailing lists