lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <kabcughnduiak2ipmzujq5gmsqu4ugfwxpd23gbic2hcinirb4@r3quhedtuvms>
Date: Fri, 22 Nov 2024 11:13:44 +0200
From: "Kirill A. Shutemov" <kirill@...temov.name>
To: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
Cc: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, 
	Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, 
	"H. Peter Anvin" <hpa@...or.com>, Shuah Khan <shuah@...nel.org>, linux-kernel@...r.kernel.org, 
	linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v3] selftests/lam: Test get_user() LAM pointer handling

On Fri, Nov 22, 2024 at 09:55:20AM +0100, Maciej Wieczor-Retman wrote:
> Recent change in how get_user() handles pointers [1] has a specific case
> for LAM. It assigns a different bitmask that's later used to check
> whether a pointer comes from userland in get_user().
> 
> While currently commented out (until LASS [2] is merged into the kernel)
> it's worth making changes to the LAM selftest ahead of time.
> 
> Add test case to LAM that utilizes a ioctl (FIOASYNC) syscall which uses
> get_user() in its implementation. Execute the syscall with differently
> tagged pointers to verify that valid user pointers are passing through
> and invalid kernel/non-canonical pointers are not.
> 
> Code was tested on a Sierra Forest Xeon machine that's LAM capable. The
> test was ran without issues with both the LAM lines from [1] untouched
> and commented out. The test was also ran without issues with LAM_SUP
> both enabled and disabled.
> 
> 4/5 level pagetables code paths were also successfully tested in Simics
> on a 5-level capable machine.
> 
> [1] https://lore.kernel.org/all/20241024013214.129639-1-torvalds@linux-foundation.org/
> [2] https://lore.kernel.org/all/20240710160655.3402786-1-alexander.shishkin@linux.intel.com/
> 
> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
> ---
> Changelog v3:
> - mmap the pointer passed to get_user to high address if 5 level paging
>   is enabled and to low address if 4 level paging is enabled.
> 
> Changelog v2:
> - Use mmap with HIGH_ADDR to check if we're in 5 or 4 level pagetables.
> 
>  tools/testing/selftests/x86/lam.c | 110 ++++++++++++++++++++++++++++++
>  1 file changed, 110 insertions(+)
> 
> diff --git a/tools/testing/selftests/x86/lam.c b/tools/testing/selftests/x86/lam.c
> index 0ea4f6813930..616a523c3262 100644
> --- a/tools/testing/selftests/x86/lam.c
> +++ b/tools/testing/selftests/x86/lam.c
> @@ -4,6 +4,7 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <sys/syscall.h>
> +#include <sys/ioctl.h>
>  #include <time.h>
>  #include <signal.h>
>  #include <setjmp.h>
> @@ -43,7 +44,15 @@
>  #define FUNC_INHERITE           0x20
>  #define FUNC_PASID              0x40
>  
> +/* get_user() pointer test cases */
> +#define GET_USER_USER           0
> +#define GET_USER_KERNEL_TOP     1
> +#define GET_USER_KERNEL_BOT     2
> +#define GET_USER_KERNEL         3
> +
>  #define TEST_MASK               0x7f
> +#define L5_SIGN_EXT_MASK        (0xFFUL << 56)
> +#define L4_SIGN_EXT_MASK        (0x1FFFFUL << 47)
>  
>  #define LOW_ADDR                (0x1UL << 30)
>  #define HIGH_ADDR               (0x3UL << 48)
> @@ -370,6 +379,80 @@ static int handle_syscall(struct testcases *test)
>  	return ret;
>  }
>  
> +static int get_user_syscall(struct testcases *test)
> +{
> +	uint64_t ptr_address, bitmask;
> +	void *p, *ptr;
> +	int ret = 0;
> +	int fd;
> +
> +	p = mmap((void *)HIGH_ADDR, 1, PROT_READ | PROT_WRITE,
> +		 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
> +
> +	if (p == MAP_FAILED) {
> +		bitmask = L4_SIGN_EXT_MASK;
> +		ptr_address = LOW_ADDR;
> +
> +	} else {
> +		bitmask = L5_SIGN_EXT_MASK;
> +		ptr_address = HIGH_ADDR;
> +	}

Hm. Why not use cpu_has_lam() for the paging check?

> +
> +	munmap(p, 1);
> +
> +	ptr = mmap((void *)ptr_address, 1, PROT_READ | PROT_WRITE,
> +		   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);

Mapping sizer of 1 byte looks odd. It is not wrong, but looks strange.
Maybe use PAGE_SIZE instead?

> +
> +	if (ptr == MAP_FAILED) {
> +		perror("failed to map byte to pass into get_user");
> +		return 1;
> +	}
> +
> +	if (test->lam != 0) {

It is always true, right?

> +		if (set_lam(test->lam) != 0) {
> +			ret = 2;
> +			goto error;
> +		}
> +	}
> +
> +	fd = memfd_create("lam_ioctl", 0);
> +	if (fd == -1) {
> +		munmap(ptr, 1);
> +		exit(EXIT_FAILURE);
> +	}
> +
> +	switch (test->later) {
> +	case GET_USER_USER:
> +		/* Control group - properly tagger user pointer */
> +		ptr = (void *)set_metadata((uint64_t)ptr, test->lam);
> +		break;
> +	case GET_USER_KERNEL_TOP:
> +		/* Kernel address with top bit cleared */
> +		bitmask &= (bitmask >> 1);
> +		ptr = (void *)((uint64_t)ptr | bitmask);
> +		break;
> +	case GET_USER_KERNEL_BOT:
> +		/* Kernel address with bottom sign-extension bit cleared */
> +		bitmask &= (bitmask << 1);
> +		ptr = (void *)((uint64_t)ptr | bitmask);
> +		break;
> +	case GET_USER_KERNEL:
> +		/* Try to pass a kernel address */
> +		ptr = (void *)((uint64_t)ptr | bitmask);
> +		break;
> +	default:
> +		printf("Invalid test case value passed!\n");
> +		break;
> +	}
> +
> +	if (ioctl(fd, FIOASYNC, ptr) != 0)
> +		ret = 1;
> +
> +error:
> +	munmap(ptr, 1);

	close(fd);

> +	return ret;
> +}
> +
>  int sys_uring_setup(unsigned int entries, struct io_uring_params *p)
>  {
>  	return (int)syscall(__NR_io_uring_setup, entries, p);
> @@ -883,6 +966,33 @@ static struct testcases syscall_cases[] = {
>  		.test_func = handle_syscall,
>  		.msg = "SYSCALL:[Negative] Disable LAM. Dereferencing pointer with metadata.\n",
>  	},
> +	{
> +		.later = GET_USER_USER,
> +		.lam = LAM_U57_BITS,
> +		.test_func = get_user_syscall,
> +		.msg = "GET_USER: get_user() and pass a properly tagged user pointer.\n",
> +	},
> +	{
> +		.later = GET_USER_KERNEL_TOP,
> +		.expected = 1,
> +		.lam = LAM_U57_BITS,
> +		.test_func = get_user_syscall,
> +		.msg = "GET_USER:[Negative] get_user() with a kernel pointer and the top bit cleared.\n",
> +	},
> +	{
> +		.later = GET_USER_KERNEL_BOT,
> +		.expected = 1,
> +		.lam = LAM_U57_BITS,
> +		.test_func = get_user_syscall,
> +		.msg = "GET_USER:[Negative] get_user() with a kernel pointer and the bottom sign-extension bit cleared.\n",
> +	},
> +	{
> +		.later = GET_USER_KERNEL,
> +		.expected = 1,
> +		.lam = LAM_U57_BITS,
> +		.test_func = get_user_syscall,
> +		.msg = "GET_USER:[Negative] get_user() and pass a kernel pointer.\n",
> +	},
>  };
>  
>  static struct testcases mmap_cases[] = {
> -- 
> 2.46.2
> 

-- 
  Kiryl Shutsemau / Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ