| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aKwnMo7UllLZkOcK@lt-gp.iram.es>
Date: Mon, 25 Aug 2025 11:04:50 +0200
From: Gabriel Paubert <paubert@...m.es>
To: Christophe Leroy <christophe.leroy@...roup.eu>
Cc: Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
Madhavan Srinivasan <maddy@...ux.ibm.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Darren Hart <dvhart@...radead.org>,
Davidlohr Bueso <dave@...olabs.net>,
Andre Almeida <andrealmeid@...lia.com>,
Andrew Morton <akpm@...ux-foundation.org>,
David Laight <david.laight.linux@...il.com>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Daniel Borkmann <daniel@...earbox.net>, linux-kernel@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org, linux-fsdevel@...r.kernel.org,
linux-mm@...ck.org, linux-block@...r.kernel.org
Subject: Re: [PATCH v2 10/10] powerpc/uaccess: Implement masked user access
Hi Christophe,
On Fri, Aug 22, 2025 at 11:58:06AM +0200, Christophe Leroy wrote:
> Masked user access avoids the address/size verification by access_ok().
> Allthough its main purpose is to skip the speculation in the
> verification of user address and size hence avoid the need of spec
> mitigation, it also has the advantage of reducing the amount of
> instructions required so it even benefits to platforms that don't
> need speculation mitigation, especially when the size of the copy is
> not know at build time.
>
> So implement masked user access on powerpc. The only requirement is
> to have memory gap that faults between the top user space and the
> real start of kernel area.
>
> On 64 bits platforms the address space is divided that way:
>
> 0xffffffffffffffff +------------------+
> | |
> | kernel space |
> | |
> 0xc000000000000000 +------------------+ <== PAGE_OFFSET
> |//////////////////|
> |//////////////////|
> 0x8000000000000000 |//////////////////|
> |//////////////////|
> |//////////////////|
> 0x0010000000000000 +------------------+ <== TASK_SIZE_MAX
> | |
> | user space |
> | |
> 0x0000000000000000 +------------------+
>
> Kernel is always above 0x8000000000000000 and user always
> below, with a gap in-between. It leads to a 4 instructions sequence:
>
> 80: 7c 69 1b 78 mr r9,r3
> 84: 7c 63 fe 76 sradi r3,r3,63
> 88: 7d 29 18 78 andc r9,r9,r3
> 8c: 79 23 00 4c rldimi r3,r9,0,1
>
> This sequence leaves r3 unmodified when it is below 0x8000000000000000
> and clamps it to 0x8000000000000000 if it is above.
>
This comment looks wrong: the second instruction converts r3 to a
replicated sign bit of the address ((addr>0)?0:-1) if treating the
address as signed. After that the code only modifies the MSB of r3. So I
don't see how r3 could be unchanged from the original value...
OTOH, I believe the following 3 instructions sequence would work,
input address (a) in r3, scratch value (tmp) in r9, both intptr_t:
sradi r9,r3,63 ; tmp = (a >= 0) ? 0L : -1L;
andc r3,r3,r9 ; a = a & ~tmp; (equivalently a = (a >= 0) ? a : 0)
rldimi r3,r9,0,1 ; copy MSB of tmp to MSB of a
But maybe I goofed...
Gabriel
Powered by blists - more mailing lists