lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3a4c9133-0296-4996-b8a9-46350d6b5f66@efficios.com>
Date: Fri, 17 Oct 2025 08:25:00 -0400
From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To: Thomas Gleixner <tglx@...utronix.de>, LKML <linux-kernel@...r.kernel.org>
Cc: kernel test robot <lkp@...el.com>, Russell King <linux@...linux.org.uk>,
 linux-arm-kernel@...ts.infradead.org,
 Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org,
 Madhavan Srinivasan <maddy@...ux.ibm.com>,
 Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>,
 Christophe Leroy <christophe.leroy@...roup.eu>,
 linuxppc-dev@...ts.ozlabs.org, Paul Walmsley <pjw@...nel.org>,
 Palmer Dabbelt <palmer@...belt.com>, linux-riscv@...ts.infradead.org,
 Heiko Carstens <hca@...ux.ibm.com>,
 Christian Borntraeger <borntraeger@...ux.ibm.com>,
 Sven Schnelle <svens@...ux.ibm.com>, linux-s390@...r.kernel.org,
 Andrew Cooper <andrew.cooper3@...rix.com>,
 Julia Lawall <Julia.Lawall@...ia.fr>, Nicolas Palix <nicolas.palix@...g.fr>,
 Peter Zijlstra <peterz@...radead.org>, Darren Hart <dvhart@...radead.org>,
 Davidlohr Bueso <dave@...olabs.net>, André Almeida
 <andrealmeid@...lia.com>, Alexander Viro <viro@...iv.linux.org.uk>,
 Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
 linux-fsdevel@...r.kernel.org
Subject: Re: [patch V3 00/12] uaccess: Provide and use scopes for user masked
 access

On 2025-10-17 06:08, Thomas Gleixner wrote:
> This is a follow up on the V2 feedback:
> 
>     https://lore.kernel.org/20250916163004.674341701@linutronix.de
> 
> The main concern over the V2 implementation was the requirement to have
> the code within the macro itself.
> 
> The main reason for that was the issue with ASM GOTO within a auto cleanup
> scope. Clang refuses to build when the ASM GOTO label is outside of the
> scope and GCC silently miscompiles the code and misses the cleanup.
> 
> After some back and forth discussion Linus suggested to put the local label
> workaround into the user access functions themself.
> 
> The second reason for having this construct was to make the potential
> modification of the pointer (when the architecture supports masking) scope
> local, as that preserves the original pointer for the failure path.
> 
> Andrew thankfully pointed me to nested for() loops and after some head
> scratching I managed to get all of it hidden in that construct.
> 
> So now the scoped access looks like this:
> 
> 	scoped_masked_user_read_access(ptr, efault) {
> 	        // @ptr is aliased. An eventual mask modification is scope local
> 		unsafe_get_user(val, ptr, efault);
> 		...
> 	}

Now we're talking! It indeed looks much more like C now. I'll go review
the implementation.

Thanks,

Mathieu


> 	return 0;
> efault:
>          // @ptr is unmodified
> 	do_stuff(ptr);
> 	return -EFAULT;
> 
> 
> Changes vs. V2:
> 
>      - Fix the unsigned long long pointer issue in ARM get_user() -
>        Christophe, Russell
> 
>      - Provide a generic workaround for the ASM GOTO issue and convert the
>        affected architecture code over - Linus
> 
>      - Reimplement the scoped cleanup magic with nested for() loops - Andrew
> 
>      - Provide variants with size provided by the caller - Mathieu
> 
>      - Add get/put_user_masked() helpers for single read/write access
> 
>      - Fixup the usage in futex, x86. select
> 
>      - A clumsy attempt to implement a coccinelle checker which catches
>        access mismatches, e.g. unsafe_put_user() inside a
>        scoped_masked_user_read_access() region. That needs more thought and
>        more coccinelle foo and is just there for discussion.
> 
> The series is based on v6.18-rc1 and also available from git:
> 
>      git://git.kernel.org/pub/scm/linux/kernel/git/tglx/devel.git uaccess/masked
> 
> Thanks,
> 
> 	tglx
> ---
> Thomas Gleixner (12):
>        ARM: uaccess: Implement missing __get_user_asm_dword()
>        uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user()
>        x86/uaccess: Use unsafe wrappers for ASM GOTO
>        powerpc/uaccess: Use unsafe wrappers for ASM GOTO
>        riscv/uaccess: Use unsafe wrappers for ASM GOTO
>        s390/uaccess: Use unsafe wrappers for ASM GOTO
>        uaccess: Provide scoped masked user access regions
>        uaccess: Provide put/get_user_masked()
>        coccinelle: misc: Add scoped_masked_$MODE_access() checker script
>        futex: Convert to scoped masked user access
>        x86/futex: Convert to scoped masked user access
>        select: Convert to scoped masked user access
> 
> ---
>   arch/arm/include/asm/uaccess.h               |   26 ++
>   arch/powerpc/include/asm/uaccess.h           |    8
>   arch/riscv/include/asm/uaccess.h             |    8
>   arch/s390/include/asm/uaccess.h              |    4
>   arch/x86/include/asm/futex.h                 |   75 ++----
>   arch/x86/include/asm/uaccess.h               |   12 -
>   fs/select.c                                  |   12 -
>   include/linux/uaccess.h                      |  313 ++++++++++++++++++++++++++-
>   kernel/futex/futex.h                         |   37 ---
>   scripts/coccinelle/misc/scoped_uaccess.cocci |  108 +++++++++
>   10 files changed, 497 insertions(+), 106 deletions(-)


-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ