| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aTbyPNINxjzU3Lua@shell.armlinux.org.uk> Date: Mon, 8 Dec 2025 15:43:56 +0000 From: "Russell King (Oracle)" <linux@...linux.org.uk> To: Xie Yuanbin <xieyuanbin1@...wei.com> Cc: akpm@...ux-foundation.org, brauner@...nel.org, catalin.marinas@....com, hch@....de, jack@...e.com, linux-arm-kernel@...ts.infradead.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, pangliyuan1@...wei.com, torvalds@...ux-foundation.org, viro@...iv.linux.org.uk, wangkefeng.wang@...wei.com, will@...nel.org, wozizhi@...weicloud.com, yangerkun@...wei.com Subject: Re: [Bug report] hash_name() may cross page boundary and trigger sleep in RCU context On Mon, Dec 08, 2025 at 09:18:42PM +0800, Xie Yuanbin wrote: > On Mon, 8 Dec 2025 10:07:25 +0000, Russell King wrote: > > This isn't entirely fixed. A data abort for an alignment fault (thus > > calling do_alignment()) will enable interrupts, and then may call > > do_bad_area(). We can't short-circuit this path like we can with > > do_page_fault() as alignment faults from userspace can be valid for > > the vectors page - not that we should see them, but that doesn't mean > > that there isn't something in userspace that does. > > I had indeed been lacking in consideration regarding do_alignment() > before, so thank you for reply. But, may I ask that, is there a scenario > where user-mode access to kernel addresses causes an alignment fault > (do_alignment())? If you mean, won't permission errors be detected first, then no. Alignment is one of the first things that is checked if alignment faults are enabled. So yes, if userspace attempts an unaigned load of a kernel address, and the CPU does not support / have enabled unaigned load support, then we will get a data abort with the FSR indicating an alignment fault. So do_alignment() wil be entered. Whether branch predictor handling needs to happen in this path is a separate question, but as it's highly likely we'll take an exception anyway and userspace is doing Bad Stuff, I feel it's better to be over-cautious. > In your last email, you described it as follows: > On Fri, 5 Dec 2025 12:08:14 +0000, Russell King wrote: > > Also tested usermode access to kernel space > > which fails with SEGV: > > - read from 0xc0000000 (section permission fault, do_sect_fault) > > - read from 0xffff2000 (page translation fault, do_page_fault) > > - read from 0xffff0000 (vectors page - read possible as expected) > > - write to 0xffff0000 (page permission fault, do_page_fault) > > There seems to be no do_alignment()? Yes, I didn't test this case, because I was only concentrating on the effects of the proposed patch which did not include moving the branch predictor handling. > In other words, is there a way to construct a user-mode testcase which > accesses a kernel address and triggers do_alignment()? Testing these mitigations is very difficult as there's no public test cases for ARM. -- RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
Powered by blists - more mailing lists