lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <jqvqvnx4shpubflb3xrkplefkmjicaqrg2mut3kc7ijgq3i3op@poafl6jo3t7p>
Date: Fri, 22 Nov 2024 12:09:10 +0100
From: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
To: "Kirill A. Shutemov" <kirill@...temov.name>
CC: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
	Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
	<x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Shuah Khan
	<shuah@...nel.org>, <linux-kernel@...r.kernel.org>,
	<linux-kselftest@...r.kernel.org>
Subject: Re: [PATCH v3] selftests/lam: Test get_user() LAM pointer handling

On 2024-11-22 at 11:13:44 +0200, Kirill A. Shutemov wrote:
>On Fri, Nov 22, 2024 at 09:55:20AM +0100, Maciej Wieczor-Retman wrote:
>> Recent change in how get_user() handles pointers [1] has a specific case
>> for LAM. It assigns a different bitmask that's later used to check
>> whether a pointer comes from userland in get_user().
>> 
>> While currently commented out (until LASS [2] is merged into the kernel)
>> it's worth making changes to the LAM selftest ahead of time.
>> 
>> Add test case to LAM that utilizes a ioctl (FIOASYNC) syscall which uses
>> get_user() in its implementation. Execute the syscall with differently
>> tagged pointers to verify that valid user pointers are passing through
>> and invalid kernel/non-canonical pointers are not.
>> 
>> Code was tested on a Sierra Forest Xeon machine that's LAM capable. The
>> test was ran without issues with both the LAM lines from [1] untouched
>> and commented out. The test was also ran without issues with LAM_SUP
>> both enabled and disabled.
>> 
>> 4/5 level pagetables code paths were also successfully tested in Simics
>> on a 5-level capable machine.
>> 
>> [1] https://lore.kernel.org/all/20241024013214.129639-1-torvalds@linux-foundation.org/
>> [2] https://lore.kernel.org/all/20240710160655.3402786-1-alexander.shishkin@linux.intel.com/
>> 
>> Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
>> ---
>> Changelog v3:
>> - mmap the pointer passed to get_user to high address if 5 level paging
>>   is enabled and to low address if 4 level paging is enabled.
>> 
>> Changelog v2:
>> - Use mmap with HIGH_ADDR to check if we're in 5 or 4 level pagetables.
>> 
>>  tools/testing/selftests/x86/lam.c | 110 ++++++++++++++++++++++++++++++
>>  1 file changed, 110 insertions(+)
>> 
>> diff --git a/tools/testing/selftests/x86/lam.c b/tools/testing/selftests/x86/lam.c
>> index 0ea4f6813930..616a523c3262 100644
>> --- a/tools/testing/selftests/x86/lam.c
>> +++ b/tools/testing/selftests/x86/lam.c
>> @@ -4,6 +4,7 @@
>>  #include <stdlib.h>
>>  #include <string.h>
>>  #include <sys/syscall.h>
>> +#include <sys/ioctl.h>
>>  #include <time.h>
>>  #include <signal.h>
>>  #include <setjmp.h>
>> @@ -43,7 +44,15 @@
>>  #define FUNC_INHERITE           0x20
>>  #define FUNC_PASID              0x40
>>  
>> +/* get_user() pointer test cases */
>> +#define GET_USER_USER           0
>> +#define GET_USER_KERNEL_TOP     1
>> +#define GET_USER_KERNEL_BOT     2
>> +#define GET_USER_KERNEL         3
>> +
>>  #define TEST_MASK               0x7f
>> +#define L5_SIGN_EXT_MASK        (0xFFUL << 56)
>> +#define L4_SIGN_EXT_MASK        (0x1FFFFUL << 47)
>>  
>>  #define LOW_ADDR                (0x1UL << 30)
>>  #define HIGH_ADDR               (0x3UL << 48)
>> @@ -370,6 +379,80 @@ static int handle_syscall(struct testcases *test)
>>  	return ret;
>>  }
>>  
>> +static int get_user_syscall(struct testcases *test)
>> +{
>> +	uint64_t ptr_address, bitmask;
>> +	void *p, *ptr;
>> +	int ret = 0;
>> +	int fd;
>> +
>> +	p = mmap((void *)HIGH_ADDR, 1, PROT_READ | PROT_WRITE,
>> +		 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
>> +
>> +	if (p == MAP_FAILED) {
>> +		bitmask = L4_SIGN_EXT_MASK;
>> +		ptr_address = LOW_ADDR;
>> +
>> +	} else {
>> +		bitmask = L5_SIGN_EXT_MASK;
>> +		ptr_address = HIGH_ADDR;
>> +	}
>
>Hm. Why not use cpu_has_lam() for the paging check?

cpu_has_lam() seems to return what the cpuid reports about LAM being available
on the system.

The problem I was trying to solve here was to determine what pagetable level is
used currently so I can setup the bitmask to create fake kernel pointers below.
Can cpu_has_lam() achieve that? I didn't see any correlation between the cpuid
and active paging mode.

>
>> +
>> +	munmap(p, 1);
>> +
>> +	ptr = mmap((void *)ptr_address, 1, PROT_READ | PROT_WRITE,
>> +		   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
>
>Mapping sizer of 1 byte looks odd. It is not wrong, but looks strange.
>Maybe use PAGE_SIZE instead?

Okay, I'll try that.

>
>> +
>> +	if (ptr == MAP_FAILED) {
>> +		perror("failed to map byte to pass into get_user");
>> +		return 1;
>> +	}
>> +
>> +	if (test->lam != 0) {
>
>It is always true, right?

Right, I forgot to remove it.

>
>> +		if (set_lam(test->lam) != 0) {
>> +			ret = 2;
>> +			goto error;
>> +		}
>> +	}
>> +
>> +	fd = memfd_create("lam_ioctl", 0);
>> +	if (fd == -1) {
>> +		munmap(ptr, 1);
>> +		exit(EXIT_FAILURE);
>> +	}
>> +
>> +	switch (test->later) {
>> +	case GET_USER_USER:
>> +		/* Control group - properly tagger user pointer */
>> +		ptr = (void *)set_metadata((uint64_t)ptr, test->lam);
>> +		break;
>> +	case GET_USER_KERNEL_TOP:
>> +		/* Kernel address with top bit cleared */
>> +		bitmask &= (bitmask >> 1);
>> +		ptr = (void *)((uint64_t)ptr | bitmask);
>> +		break;
>> +	case GET_USER_KERNEL_BOT:
>> +		/* Kernel address with bottom sign-extension bit cleared */
>> +		bitmask &= (bitmask << 1);
>> +		ptr = (void *)((uint64_t)ptr | bitmask);
>> +		break;
>> +	case GET_USER_KERNEL:
>> +		/* Try to pass a kernel address */
>> +		ptr = (void *)((uint64_t)ptr | bitmask);
>> +		break;
>> +	default:
>> +		printf("Invalid test case value passed!\n");
>> +		break;
>> +	}
>> +
>> +	if (ioctl(fd, FIOASYNC, ptr) != 0)
>> +		ret = 1;
>> +
>> +error:
>> +	munmap(ptr, 1);
>
>	close(fd);

Thanks :)

>
>> +	return ret;
>> +}
>> +
>>  int sys_uring_setup(unsigned int entries, struct io_uring_params *p)
>>  {
>>  	return (int)syscall(__NR_io_uring_setup, entries, p);
>> @@ -883,6 +966,33 @@ static struct testcases syscall_cases[] = {
>>  		.test_func = handle_syscall,
>>  		.msg = "SYSCALL:[Negative] Disable LAM. Dereferencing pointer with metadata.\n",
>>  	},
>> +	{
>> +		.later = GET_USER_USER,
>> +		.lam = LAM_U57_BITS,
>> +		.test_func = get_user_syscall,
>> +		.msg = "GET_USER: get_user() and pass a properly tagged user pointer.\n",
>> +	},
>> +	{
>> +		.later = GET_USER_KERNEL_TOP,
>> +		.expected = 1,
>> +		.lam = LAM_U57_BITS,
>> +		.test_func = get_user_syscall,
>> +		.msg = "GET_USER:[Negative] get_user() with a kernel pointer and the top bit cleared.\n",
>> +	},
>> +	{
>> +		.later = GET_USER_KERNEL_BOT,
>> +		.expected = 1,
>> +		.lam = LAM_U57_BITS,
>> +		.test_func = get_user_syscall,
>> +		.msg = "GET_USER:[Negative] get_user() with a kernel pointer and the bottom sign-extension bit cleared.\n",
>> +	},
>> +	{
>> +		.later = GET_USER_KERNEL,
>> +		.expected = 1,
>> +		.lam = LAM_U57_BITS,
>> +		.test_func = get_user_syscall,
>> +		.msg = "GET_USER:[Negative] get_user() and pass a kernel pointer.\n",
>> +	},
>>  };
>>  
>>  static struct testcases mmap_cases[] = {
>> -- 
>> 2.46.2
>> 
>
>-- 
>  Kiryl Shutsemau / Kirill A. Shutemov

-- 
Kind regards
Maciej Wieczór-Retman

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ