lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e68e8c3a-2d22-4385-9de5-e167974604fd@ghiti.fr>
Date: Mon, 6 Jan 2025 15:37:10 +0100
From: Alexandre Ghiti <alex@...ti.fr>
To: Clément Léger <cleger@...osinc.com>,
 Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt
 <palmer@...belt.com>,
 "open list:RISC-V ARCHITECTURE" <linux-riscv@...ts.infradead.org>,
 open list <linux-kernel@...r.kernel.org>
Cc: Samuel Holland <samuel.holland@...ive.com>
Subject: Re: [PATCH] riscv: misaligned: disable pagefault before accessing
 user memory

Hi Clément,

On 03/01/2025 17:02, Clément Léger wrote:
> Calling copy_{from/to}_user() in interrupt context might actually sleep
> and display a BUG message:
>
> [   10.377019] BUG: sleeping function called from invalid context at include/linux/uaccess.h:162
> [   10.379868] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 88, name: ssh-keygen
> [   10.380009] preempt_count: 0, expected: 0
> [   10.380324] CPU: 0 UID: 0 PID: 88 Comm: ssh-keygen Not tainted 6.13.0-rc5-00013-g3435cd5f1331-dirty #19
> [   10.380639] Hardware name: riscv-virtio,qemu (DT)
> [   10.380798] Call Trace:
> [   10.381108] [<ffffffff80013d30>] dump_backtrace+0x1c/0x24
> [   10.381690] [<ffffffff800022d8>] show_stack+0x28/0x34
> [   10.381812] [<ffffffff8000ee1c>] dump_stack_lvl+0x4a/0x68
> [   10.381958] [<ffffffff8000ee4e>] dump_stack+0x14/0x1c
> [   10.382047] [<ffffffff80065e0a>] __might_resched+0xfa/0x104
> [   10.382172] [<ffffffff80065e56>] __might_sleep+0x42/0x66
> [   10.382267] [<ffffffff801b0c5e>] __might_fault+0x1c/0x24
> [   10.382363] [<ffffffff804415e4>] _copy_from_user+0x28/0xc2
> [   10.382459] [<ffffffff800152ca>] handle_misaligned_load+0x1ca/0x2fc
> [   10.382565] [<ffffffff80a033a0>] do_trap_load_misaligned+0x24/0xee
> [   10.382714] [<ffffffff80a0dc66>] handle_exception+0x146/0x152
>
> In order to safely handle user memory access from this context, disable
> page fault while copying user memory. Although this might lead to copy
> failure in some cases (offlined page), this is the best we can try to be
> safe.
>
> Fixes: b686ecdeacf6 ("riscv: misaligned: Restrict user access to kernel memory")
> Signed-off-by: Clément Léger <cleger@...osinc.com>
>
> ---
>   arch/riscv/kernel/traps_misaligned.c | 26 ++++++++++++++++++++++----
>   1 file changed, 22 insertions(+), 4 deletions(-)
>
> diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c
> index 7cc108aed74e..75a08ed20070 100644
> --- a/arch/riscv/kernel/traps_misaligned.c
> +++ b/arch/riscv/kernel/traps_misaligned.c
> @@ -355,7 +355,7 @@ static int handle_scalar_misaligned_load(struct pt_regs *regs)
>   {
>   	union reg_data val;
>   	unsigned long epc = regs->epc;
> -	unsigned long insn;
> +	unsigned long insn, copy_len;
>   	unsigned long addr = regs->badaddr;
>   	int fp = 0, shift = 0, len = 0;
>   
> @@ -441,7 +441,16 @@ static int handle_scalar_misaligned_load(struct pt_regs *regs)
>   
>   	val.data_u64 = 0;
>   	if (user_mode(regs)) {
> -		if (copy_from_user(&val, (u8 __user *)addr, len))
> +		/*
> +		 * We can not sleep in exception context. Disable pagefault to
> +		 * avoid a potential sleep while accessing user memory. Side
> +		 * effect is that if it would have sleep, then the copy will
> +		 * fail.
> +		 */
> +		pagefault_disable();
> +		copy_len = copy_from_user(&val, (u8 __user *)addr, len);
> +		pagefault_enable();
> +		if (copy_len)
>   			return -1;
>   	} else {
>   		memcpy(&val, (u8 *)addr, len);
> @@ -463,7 +472,7 @@ static int handle_scalar_misaligned_store(struct pt_regs *regs)
>   {
>   	union reg_data val;
>   	unsigned long epc = regs->epc;
> -	unsigned long insn;
> +	unsigned long insn, copy_len;
>   	unsigned long addr = regs->badaddr;
>   	int len = 0, fp = 0;
>   
> @@ -539,7 +548,16 @@ static int handle_scalar_misaligned_store(struct pt_regs *regs)
>   		return -EOPNOTSUPP;
>   
>   	if (user_mode(regs)) {
> -		if (copy_to_user((u8 __user *)addr, &val, len))
> +		/*
> +		 * We can not sleep in exception context. Disable pagefault to
> +		 * avoid a potential sleep while accessing user memory. Side
> +		 * effect is that if it would have sleep, then the copy will
> +		 * fail.
> +		 */
> +		pagefault_disable();
> +		copy_len = copy_to_user((u8 __user *)addr, &val, len);
> +		pagefault_enable();
> +		if (copy_len)
>   			return -1;
>   	} else {
>   		memcpy((u8 *)addr, &val, len);


I'm wondering why the irqs are disabled here? What prevents us from 
enabling them? IIUC, if for some reason the user page is not in memory, 
we will fail the misaligned access and kill the process, so such 
failures could be completely random right?

But if we go for this solution, I think the same needs to be done in 
__read_insn().

Let me know if I misunderstood something.

Thanks,

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ