| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <685325f8704e46aee6f94e5953121e4f643e2de5.camel@intel.com>
Date: Wed, 15 Jun 2022 19:06:44 +0000
From: "Edgecombe, Rick P" <rick.p.edgecombe@...el.com>
To: "kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"peterz@...radead.org" <peterz@...radead.org>,
"hjl.tools@...il.com" <hjl.tools@...il.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
"dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>,
"andreyknvl@...il.com" <andreyknvl@...il.com>,
"kcc@...gle.com" <kcc@...gle.com>,
"ak@...ux.intel.com" <ak@...ux.intel.com>,
"dvyukov@...gle.com" <dvyukov@...gle.com>,
"x86@...nel.org" <x86@...nel.org>,
"ryabinin.a.a@...il.com" <ryabinin.a.a@...il.com>,
"Lutomirski, Andy" <luto@...nel.org>,
"glider@...gle.com" <glider@...gle.com>
Subject: Re: [PATCHv3 5/8] x86/uaccess: Provide untagged_addr() and remove
tags before address check
On Wed, 2022-06-15 at 19:58 +0300, Kirill A. Shutemov wrote:
> On Mon, Jun 13, 2022 at 05:36:43PM +0000, Edgecombe, Rick P wrote:
> > On Fri, 2022-06-10 at 17:35 +0300, Kirill A. Shutemov wrote:
> > > +#ifdef CONFIG_X86_64
> > > +/*
> > > + * Mask out tag bits from the address.
> > > + *
> > > + * Magic with the 'sign' allows to untag userspace pointer
> > > without
> > > any branches
> > > + * while leaving kernel addresses intact.
> >
> > Trying to understand the magic part here. I guess how it works is,
> > when
> > the high bit is set, it does the opposite of untagging the
> > addresses by
> > setting the tag bits instead of clearing them. So:
> > - For proper canonical kernel addresses (with U57) it leaves
> > them
> > intact since the tag bits were already set.
> > - For non-canonical kernel-half addresses, it fixes them up.
> > (0xeffffff000000840->0xfffffff000000840)
> > - For U48 and 5 level paging, it corrupts some normal kernel
> > addresses. (0xff90ffffffffffff->0xffffffffffffffff)
> >
> > I just ported this to userspace and threw some addresses at it to
> > see
> > what happened, so hopefully I got that right.
>
> Ouch. Thanks for noticing this. I should have catched this myself.
> Yes,
> this implementation is broken for LAM_U48 on 5-level machine.
>
> What about this:
>
> #define untagged_addr(mm,
> addr) ({ \
> u64 __addr = (__force
> u64)(addr); \
> s64 sign = (s64)__addr >>
> 63; \
> __addr &= (mm)->context.untag_mask |
> sign; \
> (__force
> __typeof__(addr))__addr; \
> })
>
> It makes mask effectively. all-ones for supervisor addresses. And it
> is
> less magic to my eyes.
Yea, it seems to leave kernel half addresses alone now, including
leaving non-canonical addresses as non-canonical and 5 level addresses.
With the new bit math:
Reviewed-by: Rick Edgecombe <rick.p.edgecombe@...el.com>
>
> The generated code also look sane to me:
>
> 11d0: 48 89 f8 mov %rdi,%rax
> 11d3: 48 c1 f8 3f sar $0x3f,%rax
> 11d7: 48 0b 05 52 2e 00 00 or
> 0x2e52(%rip),%rax # 4030 <untag_mask>
> 11de: 48 21 f8 and %rdi,%rax
>
> Any comments?
>
> > Is this special kernel address handling only needed because
> > copy_to_kernel_nofault(), etc call the user helpers?
>
> I did not have any particular use-case in mind. But just if some
> kernel
> address gets there and bits get cleared we will have very hard to
> debug
> bug.
I just was thinking if we could rearrange the code to avoid untagging
kernel addresses, we could skip this, or even VM_WARN_ON() if we see
one. Seems ok either way.
Powered by blists - more mailing lists