| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jan 2024 15:50:54 -0800
From: Sohil Mehta <sohil.mehta@...el.com>
To: Hou Tao <houtao@...weicloud.com>, <x86@...nel.org>, <bpf@...r.kernel.org>
CC: Dave Hansen <dave.hansen@...ux.intel.com>, Andy Lutomirski
<luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Thomas Gleixner
<tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov
<bp@...en8.de>, "H . Peter Anvin" <hpa@...or.com>,
<linux-kernel@...r.kernel.org>, xingwei lee <xrivendell7@...il.com>, "Jann
Horn" <jannh@...gle.com>, Yonghong Song <yonghong.song@...ux.dev>,
<houtao1@...wei.com>
Subject: Re: [PATCH bpf v2 2/3] x86/mm: Disallow vsyscall page read for
copy_from_kernel_nofault()
Hi Hou Tao,
I agree to your approach in this patch. Please see some comments below.
On 1/26/2024 3:54 AM, Hou Tao wrote:
> From: Hou Tao <houtao1@...wei.com>
>
> When trying to use copy_from_kernel_nofault() to read vsyscall page
> through a bpf program, the following oops was reported:
>
> BUG: unable to handle page fault for address: ffffffffff600000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
> RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
> ......
> Call Trace:
> <TASK>
> ? copy_from_kernel_nofault+0x6f/0x110
> bpf_probe_read_kernel+0x1d/0x50
> bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
> trace_call_bpf+0xc5/0x1c0
> perf_call_bpf_enter.isra.0+0x69/0xb0
> perf_syscall_enter+0x13e/0x200
> syscall_trace_enter+0x188/0x1c0
> do_syscall_64+0xb5/0xe0
> entry_SYSCALL_64_after_hwframe+0x6e/0x76
> </TASK>
> ......
> ---[ end trace 0000000000000000 ]---
>
> It seems the occurrence of oops depends on SMAP feature of CPU. It
> happens as follow: a bpf program uses bpf_probe_read_kernel() to read
> from vsyscall page, bpf_probe_read_kernel() invokes
> copy_from_kernel_nofault() in turn and then invokes __get_user_asm().
> Because the vsyscall page address is not readable for kernel space,
> a page fault exception is triggered accordingly, handle_page_fault()
> considers the vsyscall page address as a userspace address instead of a
> kernel space address, so the fix-up set-up by bpf isn't applied. Because
> the CPU has SMAP feature and the access happens in kernel mode, so
> page_fault_oops() is invoked and an oops happens. If these is no SMAP
> feature, the fix-up set-up by bpf will be applied and
> copy_from_kernel_nofault() will return -EFAULT instead.
>
I find this paragraph to be a bit hard to follow. I think we can
minimize the reference to SMAP here since it is only helping detect
cross address space accesses. How about something like the following:
The oops is triggered when:
1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
page and invokes copy_from_kernel_nofault() which in turn calls
__get_user_asm().
2) Because the vsyscall page address is not readable from kernel space,
a page fault exception is triggered accordingly.
3) handle_page_fault() considers the vsyscall page address as a user
space address instead of a kernel space address. This results in the
fix-up setup by bpf not being applied and a page_fault_oops() is invoked
due to SMAP.
> Considering handle_page_fault() has already considered the vsyscall page
> address as a userspace address, fix the problem by disallowing vsyscall
> page read for copy_from_kernel_nofault().
>
I agree, following the same approach as handle_page_fault() seems
reasonable.
> Originally-by: Thomas Gleixner <tglx@...utronix.de>
> Reported-by: syzbot+72aa0161922eba61b50e@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com
> Reported-by: xingwei lee <xrivendell7@...il.com>
> Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com
> Signed-off-by: Hou Tao <houtao1@...wei.com>
> ---
> arch/x86/mm/maccess.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c
> index 6993f026adec9..d9272e1db5224 100644
> --- a/arch/x86/mm/maccess.c
> +++ b/arch/x86/mm/maccess.c
> @@ -3,6 +3,8 @@
> #include <linux/uaccess.h>
> #include <linux/kernel.h>
>
> +#include <asm/vsyscall.h>
> +
> #ifdef CONFIG_X86_64
> bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
> {
> @@ -15,6 +17,13 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
> if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
> return false;
>
> + /* Also consider the vsyscall page as userspace address. Otherwise,
> + * reading the vsyscall page in copy_from_kernel_nofault() may
> + * trigger an oops due to an unhandled page fault.
> + */
x86 prefers a slightly different style for multi-line comments. Please
refer to https://docs.kernel.org/process/maintainer-tip.html#comment-style.
How about rewording the above as:
/*
* Reading from the vsyscall page may cause an unhandled fault in
* certain cases. Though it is at an address above TASK_SIZE_MAX, it is
* usually considered as a user space address.
*/
> + if (is_vsyscall_vaddr(vaddr))
> + return false;
> +
It would have been convenient if we had a common check for whether a
particular address is a kernel address or not. fault_in_kernel_space()
serves that purpose to an extent in other places.
I thought we could rename fault_in_kernel_space() to
vaddr_in_kernel_space() and use it here. But the check in
copy_from_kernel_nofault_allowed() includes the user guard page as well.
So the checks wouldn't exactly be the same.
I am unsure of the implications if we get rid of that difference. Maybe
we can leave it as-is for now unless someone else chimes in.
Sohil
Powered by blists - more mailing lists