lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 8 Apr 2022 16:22:22 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     Tong Tiangen <tongtiangen@...wei.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org
Subject: Re: [RFC PATCH -next V2 5/7] arm64: add get_user to machine check
 safe

On Thu, Apr 07, 2022 at 10:38:04PM +0800, Tong Tiangen wrote:
> 在 2022/4/6 19:22, Mark Rutland 写道:
> > On Wed, Apr 06, 2022 at 09:13:09AM +0000, Tong Tiangen wrote:
> > > Add scenarios get_user to machine check safe. The processing of
> > > EX_TYPE_UACCESS_ERR_ZERO and EX_TYPE_UACCESS_ERR_ZERO_UCE_RECOVERY is same
> > > and both return -EFAULT.
> > 
> > Which uaccess cases do we expect to *not* be recoverable?
> > 
> > Naively I would assume that if we're going to treat a memory error on a uaccess
> > as fatal to userspace we should be able to do that for *any* uacesses.
> > 
> > The commit message should explain why we need the distinction between a
> > recoverable uaccess and a non-recoverable uaccess.
> > 
> > Thanks,
> > Mark.
> 
> Currently, any memory error consumed in kernel mode will lead to panic
> (do_sea()).
> 
> My idea is that not all memory errors consumed in kernel mode are fatal,
> such as copy_ from_ user/get_ user is a memory error consumed when
> reading user data in the process context. In this case, we can not let the
> kernel panic, just kill the process without affecting the operation
> of the system.

I understood this part.

> However, not all uaccess can be recovered without affecting the normal
> operation of the system. The key is not whether it is uaccess, but whether
> there are key data affecting the normal operation of the system in the read
> page.

Ok. Can you give an example of such a case where the a uaccess that hits
a memory error must be fatal?

I think you might be trying to say that for copy_{to,from}_user() we can
make that judgement, but those are combined user+kernel access
primitives, and the *uaccess* part should never be reading from a page
with "key data affecting the normal operation of the system", since
that's userspace memory.

Is there any *userspace access* (e.g. where we use LDTR/STTR today)
where we must treat a memory error as fatal to the system?

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ