Message-ID: <60ceff20-56c9-4667-b649-0b9f7219b827@arm.com>
Date: Mon, 29 Apr 2024 10:39:40 +0100
From: Ryan Roberts <ryan.roberts@....com>
To: Peter Xu <peterx@...hat.com>
Cc: Muhammad Usama Anjum <usama.anjum@...labora.com>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>,
Joey Gouly <joey.gouly@....com>, Ard Biesheuvel <ardb@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Anshuman Khandual <anshuman.khandual@....com>,
David Hildenbrand <david@...hat.com>, Mike Rapoport <rppt@...ux.ibm.com>,
Shivansh Vij <shivanshvij@...look.com>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v1 2/2] arm64/mm: Add uffd write-protect support

On 26/04/2024 14:54, Peter Xu wrote:
> On Fri, Apr 26, 2024 at 02:17:41PM +0100, Ryan Roberts wrote:
>> + Muhammad Usama Anjum <usama.anjum@...labora.com>
>>
>> Hi Peter, Muhammad,
>>
>>
>> On 24/04/2024 12:57, Peter Xu wrote:
>>> Hi, Ryan,
>>>
>>> On Wed, Apr 24, 2024 at 12:10:17PM +0100, Ryan Roberts wrote:
>>>> Let's use the newly-free PTE SW bit (58) to add support for uffd-wp.
>>>>
>>>> The standard handlers are implemented for set/test/clear for both pte
>>>> and pmd. Additionally we must also track the uffd-wp state as a pte swp
>>>> bit, so use a free swap entry pte bit (3).
>>>>
>>>> Signed-off-by: Ryan Roberts <ryan.roberts@....com>
>>>
>>> Looks all sane here from userfault perspective, just one comment below.
>>>
>>>> ---
>>>> arch/arm64/Kconfig | 1 +
>>>> arch/arm64/include/asm/pgtable-prot.h | 8 ++++
>>>> arch/arm64/include/asm/pgtable.h | 55 +++++++++++++++++++++++++++
>>>> 3 files changed, 64 insertions(+)
>>>>
>>>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>>>> index 7b11c98b3e84..763e221f2169 100644
>>>> --- a/arch/arm64/Kconfig
>>>> +++ b/arch/arm64/Kconfig
>>>> @@ -255,6 +255,7 @@ config ARM64
>>>> select SYSCTL_EXCEPTION_TRACE
>>>> select THREAD_INFO_IN_TASK
>>>> select HAVE_ARCH_USERFAULTFD_MINOR if USERFAULTFD
>>>> + select HAVE_ARCH_USERFAULTFD_WP if USERFAULTFD
>>>> select TRACE_IRQFLAGS_SUPPORT
>>>> select TRACE_IRQFLAGS_NMI_SUPPORT
>>>> select HAVE_SOFTIRQ_ON_OWN_STACK
>>>> diff --git a/arch/arm64/include/asm/pgtable-prot.h b/arch/arm64/include/asm/pgtable-prot.h
>>>> index ef952d69fd04..f1e1f6306e03 100644
>>>> --- a/arch/arm64/include/asm/pgtable-prot.h
>>>> +++ b/arch/arm64/include/asm/pgtable-prot.h
>>>> @@ -20,6 +20,14 @@
>>>> #define PTE_DEVMAP (_AT(pteval_t, 1) << 57)
>>>> #define PTE_PROT_NONE (PTE_UXN) /* Reuse PTE_UXN; only when !PTE_VALID */
>>>>
>>>> +#ifdef CONFIG_HAVE_ARCH_USERFAULTFD_WP
>>>> +#define PTE_UFFD_WP (_AT(pteval_t, 1) << 58) /* uffd-wp tracking */
>>>> +#define PTE_SWP_UFFD_WP (_AT(pteval_t, 1) << 3) /* only for swp ptes */
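Review bot: the comment on PTE_UFFD_WP (bit 58) says only "uffd-wp tracking", while the neighbouring definitions state when they are valid (PTE_PROT_NONE: "only when !PTE_VALID", PTE_SWP_UFFD_WP: "only for swp ptes"). Because the two uffd-wp bits sit at different positions (58 and 3), the PTE_UFFD_WP comment should say that it is meaningful only for present ptes, so that callers do not test it on a swap entry.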
>>
>> I've just noticed code in task_mmu.c:
>>
>> static int pagemap_scan_pmd_entry(pmd_t *pmd, unsigned long start,
>> unsigned long end, struct mm_walk *walk)
>> {
>> ...
>>
>> if (!p->arg.category_anyof_mask && !p->arg.category_inverted &&
>> p->arg.category_mask == PAGE_IS_WRITTEN &&
>> p->arg.return_mask == PAGE_IS_WRITTEN) {
>> for (addr = start; addr < end; pte++, addr += PAGE_SIZE) {
>> unsigned long next = addr + PAGE_SIZE;
>>
>> if (pte_uffd_wp(ptep_get(pte))) <<<<<<
>> continue;
>>
>> ...
>> }
>> }
>> }
>>
>> As far as I can see, you don't know that the pte is present when you do this. So
>> does this imply that the UFFD-WP bit is expected to be in the same position for
>> both present ptes and swap ptes? I had assumed pte_uffd_wp() was for present
>> ptes and pte_swp_uffd_wp() was for swap ptes.
>>
>> As you can see, the way I've implemented this for arm64 the bit is in a
>> different position for these 2 cases. I've just done a slightly different
>> implementation that changes the first patch in this series quite a bit and a
>> bunch of pagemap_ioctl mm kselftests are now failing. I think this is the root
>> cause, but haven't proven it definitively yet.
>>
>> I'm inclined towards thinking the above is a bug and should be fixed so that I
>> can store the bit in different places. What do you think?
>
> Yep I agree.
OK great - I'll spin a patch to fix this.
>
> Even on x86_64 they should be defined differently. It looks like some
> sheer luck that the test constantly passes on x86 even if it checked the wrong one.
>
> Worth checking all the relevant paths in the pagemap code to make sure it's
> checked, e.g. I also see one fast path above this chunk of code which looks
> to have the same issue.
Yes, spotted that one. I'll audit other sites too.
Thanks!
>
> Thanks,
>
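The mismatch discussed in this thread, as an added example (not code from the patch or the kernel): a user-space model in which the uffd-wp flag sits at bit 58 for present entries and bit 3 for swap entries, as in the quoted patch. Using `PTE_VALID` as the presence test, the raw `uint64_t` entry type, the `wp_unchecked`/`wp_checked` names and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pteval_t;   /* simplified: raw value, not the kernel's pte_t */

#define PTE_VALID       ((pteval_t)1 << 0)   /* assumption: models "present" */
#define PTE_UFFD_WP     ((pteval_t)1 << 58)  /* from the patch: present ptes */
#define PTE_SWP_UFFD_WP ((pteval_t)1 << 3)   /* from the patch: swap ptes only */

static bool pte_present(pteval_t pte)     { return pte & PTE_VALID; }
static bool pte_uffd_wp(pteval_t pte)     { return pte & PTE_UFFD_WP; }
static bool pte_swp_uffd_wp(pteval_t pte) { return pte & PTE_SWP_UFFD_WP; }

/* Pattern questioned in the thread: present-pte helper applied to any entry. */
static bool wp_unchecked(pteval_t pte) { return pte_uffd_wp(pte); }

/* Presence-aware check: use the helper that matches the entry's encoding. */
static bool wp_checked(pteval_t pte)
{
	if (pte == 0)   /* empty entry: nothing is tracked in this model */
		return false;
	return pte_present(pte) ? pte_uffd_wp(pte) : pte_swp_uffd_wp(pte);
}

/* Constructed sample entries; only the two uffd-wp bit positions are real. */
static const pteval_t present_wp = PTE_VALID | PTE_UFFD_WP | 0x1000;
static const pteval_t swap_wp    = PTE_SWP_UFFD_WP | ((pteval_t)0x2a << 12);
/* Not write-protected; bit 58 is set only as part of the modelled payload. */
static const pteval_t swap_clean = PTE_UFFD_WP | ((pteval_t)0x2a << 12);

int main(void)
{
	const struct { const char *name; pteval_t pte; } rows[] = {
		{ "present, wp",  present_wp },
		{ "swap, wp",     swap_wp },
		{ "swap, not wp", swap_clean },
	};

	for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
		printf("%-13s unchecked=%d checked=%d\n", rows[i].name,
		       wp_unchecked(rows[i].pte), wp_checked(rows[i].pte));
	return 0;
}
```

The unchecked form misses the write-protected swap entry and misreports the clean one; with a layout where both bits happened to coincide, the two columns would agree and the defect would stay hidden.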