| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 May 2021 13:51:06 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Josh Poimboeuf' <jpoimboe@...hat.com>
CC: Al Viro <viro@...iv.linux.org.uk>,
"x86@...nel.org" <x86@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Will Deacon <will@...nel.org>,
Dan Williams <dan.j.williams@...el.com>,
Andrea Arcangeli <aarcange@...hat.com>,
"Waiman Long" <longman@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
"Thomas Gleixner" <tglx@...utronix.de>,
Andrew Cooper <andrew.cooper3@...rix.com>,
Andy Lutomirski <luto@...nel.org>,
Christoph Hellwig <hch@....de>,
"Mark Rutland" <mark.rutland@....com>,
Borislav Petkov <bp@...en8.de>
Subject: RE: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess
speculation
From: Josh Poimboeuf
> Sent: 05 May 2021 14:20
...
> > access_ok() and mask_user_ptr() are doing much the same check.
> > Is there scope for making access_ok() return the masked pointer?
> >
> > So the canonical calling code would be:
> > uptr = access_ok(uptr, size);
> > if (!uptr)
> > return -EFAULT;
> >
> > This would error requests for address 0 earlier - but I don't
> > believe they are ever valid in Linux.
> > (Some historic x86 a.out formats did load to address 0.)
> >
> > Clearly for a follow up patch.
>
> Yeah. I mentioned a similar idea in the cover letter.
>
> But I'm thinking we should still rename it to access_ok_mask(), or
> otherwise change the API to avoid the masked value getting ignored.
Something like:
if (access_ok_mask(&uaddr, size))
return -EFAULT;
might work.
> But that'll be a much bigger patch.
True - and would need to be done is stages.
The other optimisation is for short/sequential accesses.
In particular get_user() and copy_from_user().
Here the 'size' argument can often be avoided.
Either because only the base address is ever accessed, or the
kernel guarantees an unmapped page between user and kernel addresses.
IIRC x86 has to have an unmapped page because of 'issues' with
prefetch across the boundary.
I don't know if it is on the user or kernel side - doesn't really matter.
Also for typical 64bit architectures where there is a big address hole
around 1ul << 63, access_ok() can just check (for example):
if (((long)uaddr | size) & ~0ul << 56)
return -EFAULT.
(change the 56 to match the TASK_SIZE_MAX).
The compiler will then optimise away any constant size.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists