lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <30278898-c4b2-4dd6-ba68-a19575f81a65@arm.com>
Date: Thu, 1 Feb 2024 14:51:39 +0530
From: Anshuman Khandual <anshuman.khandual@....com>
To: Alexandru Elisei <alexandru.elisei@....com>, catalin.marinas@....com,
 will@...nel.org, oliver.upton@...ux.dev, maz@...nel.org,
 james.morse@....com, suzuki.poulose@....com, yuzenghui@...wei.com,
 arnd@...db.de, akpm@...ux-foundation.org, mingo@...hat.com,
 peterz@...radead.org, juri.lelli@...hat.com, vincent.guittot@...aro.org,
 dietmar.eggemann@....com, rostedt@...dmis.org, bsegall@...gle.com,
 mgorman@...e.de, bristot@...hat.com, vschneid@...hat.com,
 mhiramat@...nel.org, rppt@...nel.org, hughd@...gle.com
Cc: pcc@...gle.com, steven.price@....com, vincenzo.frascino@....com,
 david@...hat.com, eugenis@...gle.com, kcc@...gle.com, hyesoo.yu@...sung.com,
 linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
 kvmarm@...ts.linux.dev, linux-fsdevel@...r.kernel.org,
 linux-arch@...r.kernel.org, linux-mm@...ck.org,
 linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH RFC v3 30/35] arm64: mte: ptrace: Handle pages with
 missing tag storage



On 1/25/24 22:12, Alexandru Elisei wrote:
> A page can end up mapped in a MTE enabled VMA without the corresponding tag
> storage block reserved. Tag accesses made by ptrace in this case can lead
> to the wrong tags being read or memory corruption for the process that is
> using the tag storage memory as data.
> 
> Reserve tag storage by treating ptrace accesses like a fault.
> 
> Signed-off-by: Alexandru Elisei <alexandru.elisei@....com>
> ---
> 
> Changes since rfc v2:
> 
> * New patch, issue reported by Peter Collingbourne.
> 
>  arch/arm64/kernel/mte.c | 26 ++++++++++++++++++++++++--
>  1 file changed, 24 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
> index faf09da3400a..b1fa02dad4fd 100644
> --- a/arch/arm64/kernel/mte.c
> +++ b/arch/arm64/kernel/mte.c
> @@ -412,10 +412,13 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr,
>  	while (len) {
>  		struct vm_area_struct *vma;
>  		unsigned long tags, offset;
> +		unsigned int fault_flags;
> +		struct page *page;
> +		vm_fault_t ret;
>  		void *maddr;
> -		struct page *page = get_user_page_vma_remote(mm, addr,
> -							     gup_flags, &vma);
>  
> +get_page:
> +		page = get_user_page_vma_remote(mm, addr, gup_flags, &vma);

But if there is valid page returned here in the first GUP attempt, will there
still be a subsequent handle_mm_fault() on the same vma and addr ?

>  		if (IS_ERR(page)) {
>  			err = PTR_ERR(page);
>  			break;
> @@ -433,6 +436,25 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr,
>  			put_page(page);
>  			break;
>  		}
> +
> +		if (tag_storage_enabled() && !page_tag_storage_reserved(page)) {

Should not '!page' be checked here as well ?

> +			fault_flags = FAULT_FLAG_DEFAULT | \
> +				      FAULT_FLAG_USER | \
> +				      FAULT_FLAG_REMOTE | \
> +				      FAULT_FLAG_ALLOW_RETRY | \
> +				      FAULT_FLAG_RETRY_NOWAIT;
> +			if (write)
> +				fault_flags |= FAULT_FLAG_WRITE;
> +
> +			put_page(page);
> +			ret = handle_mm_fault(vma, addr, fault_flags, NULL);
> +			if (ret & VM_FAULT_ERROR) {
> +				err = -EFAULT;
> +				break;
> +			}
> +			goto get_page;
> +		}
> +
>  		WARN_ON_ONCE(!page_mte_tagged(page));
>  
>  		/* limit access to the end of the page */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ