lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 Jan 2024 11:36:48 -0800
From: Yonghong Song <yonghong.song@...ux.dev>
To: Hou Tao <houtao@...weicloud.com>, x86@...nel.org, bpf@...r.kernel.org
Cc: Dave Hansen <dave.hansen@...ux.intel.com>,
 Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 Borislav Petkov <bp@...en8.de>, "H . Peter Anvin" <hpa@...or.com>,
 linux-kernel@...r.kernel.org, xingwei lee <xrivendell7@...il.com>,
 Jann Horn <jannh@...gle.com>, Sohil Mehta <sohil.mehta@...el.com>,
 houtao1@...wei.com
Subject: Re: [PATCH bpf v2 3/3] selftest/bpf: Test the read of vsyscall page
 under x86-64


On 1/26/24 3:54 AM, Hou Tao wrote:
> From: Hou Tao <houtao1@...wei.com>
>
> Under x86-64, when using bpf_probe_read_kernel{_str}() or
> bpf_probe_read{_str}() to read vsyscall page, the read may trigger oops,
> so add one test case to ensure that the problem is fixed. Beside those
> four bpf helpers mentioned above, testing the read of vsyscall page by
> using bpf_probe_read_user{_str} and bpf_copy_from_user{_task}() as well.
>
> The test case passes the address of vsyscall page to these six helpers
> and checks whether the returned values are expected:
>
> 1) For bpf_probe_read_kernel{_str}()/bpf_probe_read{_str}(), the
>     expected return value is -ERANGE as shown below:
>
> bpf_probe_read_kernel_common
>    copy_from_kernel_nofault
>      // false, return -ERANGE
>      copy_from_kernel_nofault_allowed
>
> 2) For bpf_probe_read_user{_str}(), the expected return value is -EFAULT
>     as show below:
>
> bpf_probe_read_user_common
>    copy_from_user_nofault
>      // false, return -EFAULT
>      __access_ok
>
> 3) For bpf_copy_from_user(), the expected return value is -EFAULT:
>
> // return -EFAULT
> bpf_copy_from_user
>    copy_from_user
>      _copy_from_user
>        // return false
>        access_ok
>
> 4) For bpf_copy_from_user_task(), the expected return value is -EFAULT:
>
> // return -EFAULT
> bpf_copy_from_user_task
>    access_process_vm
>      // return 0
>      vma_lookup()
>      // return 0
>      expand_stack()
>
> The occurrence of oops depends on the availability of CPU SMAP [1]
> feature and there are three possible configurations of vsyscall page in
> boot cmd-line: vsyscall={xonly|none|emulate}, so there are totally six
> possible combinations. Under all these combinations, the running of the
> test case succeeds.
>
> [1]: https://en.wikipedia.org/wiki/Supervisor_Mode_Access_Prevention
>
> Signed-off-by: Hou Tao <houtao1@...wei.com>

The first two patches look good to me but I think it would be better
if x86 folks can ack on them. The selftest patch LGTM.

Acked-by: Yonghong Song <yonghong.song@...ux.dev>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ