2018-03-09 15:54:30

by Catalin Marinas

[permalink] [raw]
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory syscalls

On Fri, Mar 09, 2018 at 03:02:01PM +0100, Andrey Konovalov wrote:
> Memory subsystem syscalls accept user addresses as arguments, but don't use
> copy_from_user and other similar functions, so we need to handle this case
> separately.
>
> Untag user pointers passed to madvise, mbind, get_mempolicy, mincore,
> mlock, mlock2, brk, mmap_pgoff, old_mmap, munmap, remap_file_pages,
> mprotect, pkey_mprotect, mremap and msync.
>
> Signed-off-by: Andrey Konovalov <[email protected]>

Please keep the cc list small (maybe linux-arch, linux-arm-kernel) as
I'm sure some lists would consider this spam.

> mm/madvise.c | 2 ++
> mm/mempolicy.c | 6 ++++++
> mm/mincore.c | 2 ++
> mm/mlock.c | 5 +++++
> mm/mmap.c | 9 +++++++++
> mm/mprotect.c | 2 ++
> mm/mremap.c | 2 ++
> mm/msync.c | 3 +++

I'm not yet convinced these functions need to allow tagged pointers.
They are not doing memory accesses but rather dealing with the memory
range, hence an untagged pointer is better suited. There is probably a
reason why the "start" argument is "unsigned long" vs "void __user *"
(in the kernel, not the man page).

--
Catalin


2018-03-09 17:32:51

by Andrey Konovalov

[permalink] [raw]
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory syscalls

On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas <[email protected]> wrote:
> On Fri, Mar 09, 2018 at 03:02:01PM +0100, Andrey Konovalov wrote:
>> Memory subsystem syscalls accept user addresses as arguments, but don't use
>> copy_from_user and other similar functions, so we need to handle this case
>> separately.
>>
>> Untag user pointers passed to madvise, mbind, get_mempolicy, mincore,
>> mlock, mlock2, brk, mmap_pgoff, old_mmap, munmap, remap_file_pages,
>> mprotect, pkey_mprotect, mremap and msync.
>>
>> Signed-off-by: Andrey Konovalov <[email protected]>
>
> Please keep the cc list small (maybe linux-arch, linux-arm-kernel) as
> I'm sure some lists would consider this spam.

OK.

>
>> mm/madvise.c | 2 ++
>> mm/mempolicy.c | 6 ++++++
>> mm/mincore.c | 2 ++
>> mm/mlock.c | 5 +++++
>> mm/mmap.c | 9 +++++++++
>> mm/mprotect.c | 2 ++
>> mm/mremap.c | 2 ++
>> mm/msync.c | 3 +++
>
> I'm not yet convinced these functions need to allow tagged pointers.
> They are not doing memory accesses but rather dealing with the memory
> range, hence an untagged pointer is better suited. There is probably a
> reason why the "start" argument is "unsigned long" vs "void __user *"
> (in the kernel, not the man page).

So that would make the user to untag pointers before passing to these syscalls.

Evgeniy, would that be possible to untag pointers in HWASan before
using memory subsystem syscalls? Is there a reason for untagging them
in the kernel?

>
> --
> Catalin

2018-03-09 17:44:20

by Evgenii Stepanov

[permalink] [raw]
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory syscalls

On Fri, Mar 9, 2018 at 9:31 AM, Andrey Konovalov <[email protected]> wrote:
> On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas <[email protected]> wrote:
>> On Fri, Mar 09, 2018 at 03:02:01PM +0100, Andrey Konovalov wrote:
>>> Memory subsystem syscalls accept user addresses as arguments, but don't use
>>> copy_from_user and other similar functions, so we need to handle this case
>>> separately.
>>>
>>> Untag user pointers passed to madvise, mbind, get_mempolicy, mincore,
>>> mlock, mlock2, brk, mmap_pgoff, old_mmap, munmap, remap_file_pages,
>>> mprotect, pkey_mprotect, mremap and msync.
>>>
>>> Signed-off-by: Andrey Konovalov <[email protected]>
>>
>> Please keep the cc list small (maybe linux-arch, linux-arm-kernel) as
>> I'm sure some lists would consider this spam.
>
> OK.
>
>>
>>> mm/madvise.c | 2 ++
>>> mm/mempolicy.c | 6 ++++++
>>> mm/mincore.c | 2 ++
>>> mm/mlock.c | 5 +++++
>>> mm/mmap.c | 9 +++++++++
>>> mm/mprotect.c | 2 ++
>>> mm/mremap.c | 2 ++
>>> mm/msync.c | 3 +++
>>
>> I'm not yet convinced these functions need to allow tagged pointers.
>> They are not doing memory accesses but rather dealing with the memory
>> range, hence an untagged pointer is better suited. There is probably a
>> reason why the "start" argument is "unsigned long" vs "void __user *"
>> (in the kernel, not the man page).
>
> So that would make the user to untag pointers before passing to these syscalls.
>
> Evgeniy, would that be possible to untag pointers in HWASan before
> using memory subsystem syscalls? Is there a reason for untagging them
> in the kernel?

Generally, no. It's possible to intercept a libc call using symbol
interposition, but I don't know how to rewrite arguments of a raw
system call other than through ptrace, and that creates more problems
than it solves.

AFAIU, it's valid for a program to pass an address obtained from
malloc or, better, posix_memalign to an mm syscall like mprotect().
These arguments are pointers from the userspace point of view.

2018-03-14 15:47:31

by Andrey Konovalov

[permalink] [raw]
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory syscalls

On Fri, Mar 9, 2018 at 6:42 PM, Evgenii Stepanov <[email protected]> wrote:
> On Fri, Mar 9, 2018 at 9:31 AM, Andrey Konovalov <[email protected]> wrote:
>> On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas <[email protected]> wrote:
>>> I'm not yet convinced these functions need to allow tagged pointers.
>>> They are not doing memory accesses but rather dealing with the memory
>>> range, hence an untagged pointer is better suited. There is probably a
>>> reason why the "start" argument is "unsigned long" vs "void __user *"
>>> (in the kernel, not the man page).
>>
>> So that would make the user to untag pointers before passing to these syscalls.
>>
>> Evgeniy, would that be possible to untag pointers in HWASan before
>> using memory subsystem syscalls? Is there a reason for untagging them
>> in the kernel?
>
> Generally, no. It's possible to intercept a libc call using symbol
> interposition, but I don't know how to rewrite arguments of a raw
> system call other than through ptrace, and that creates more problems
> than it solves.
>
> AFAIU, it's valid for a program to pass an address obtained from
> malloc or, better, posix_memalign to an mm syscall like mprotect().
> These arguments are pointers from the userspace point of view.

Catalin, do you think this is a good reason to have the untagging done
in the kernel?

2018-03-14 17:46:20

by Catalin Marinas

[permalink] [raw]
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory syscalls

On Wed, Mar 14, 2018 at 04:45:20PM +0100, Andrey Konovalov wrote:
> On Fri, Mar 9, 2018 at 6:42 PM, Evgenii Stepanov <[email protected]> wrote:
> > On Fri, Mar 9, 2018 at 9:31 AM, Andrey Konovalov <[email protected]> wrote:
> >> On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas <[email protected]> wrote:
> >>> I'm not yet convinced these functions need to allow tagged pointers.
> >>> They are not doing memory accesses but rather dealing with the memory
> >>> range, hence an untagged pointer is better suited. There is probably a
> >>> reason why the "start" argument is "unsigned long" vs "void __user *"
> >>> (in the kernel, not the man page).
> >>
> >> So that would make the user to untag pointers before passing to these syscalls.
> >>
> >> Evgeniy, would that be possible to untag pointers in HWASan before
> >> using memory subsystem syscalls? Is there a reason for untagging them
> >> in the kernel?
> >
> > Generally, no. It's possible to intercept a libc call using symbol
> > interposition, but I don't know how to rewrite arguments of a raw
> > system call other than through ptrace, and that creates more problems
> > than it solves.

With these patches, we are trying to relax the user/kernel ABI so that
tagged pointers can be passed into the kernel. Since this is a new ABI
(or an extension to the existing one), it might be ok to change the libc
so that the top byte is zeroed on specific syscalls before issuing the
SVC.

I agree that it is problematic for HWASan if it only relies on
overriding malloc/free.

> > AFAIU, it's valid for a program to pass an address obtained from
> > malloc or, better, posix_memalign to an mm syscall like mprotect().
> > These arguments are pointers from the userspace point of view.
>
> Catalin, do you think this is a good reason to have the untagging done
> in the kernel?

malloc() or posix_memalign() are C library implementations and it's the
C library (or overridden functions) setting a tag on the returned
pointers. Since the TBI hardware feature allows memory accesses with a
non-zero tag, we could allow them in the kernel for syscalls performing
such accesses on behalf of the user (e.g. get_user/put_user would not
need to clear the tag).

madvise(), OTOH, does not perform a memory access on behalf of the user,
it's just advising the kernel about a range of virtual addresses. That's
where I think, from an ABI perspective, it doesn't make much sense to
allow tags into the kernel for these syscalls (even if it's simpler from
a user space perspective).

(but I don't have a very strong opinion on this ;))

--
Catalin

2018-03-16 01:32:13

by Evgenii Stepanov

[permalink] [raw]
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory syscalls

On Wed, Mar 14, 2018 at 10:44 AM, Catalin Marinas
<[email protected]> wrote:
> On Wed, Mar 14, 2018 at 04:45:20PM +0100, Andrey Konovalov wrote:
>> On Fri, Mar 9, 2018 at 6:42 PM, Evgenii Stepanov <[email protected]> wrote:
>> > On Fri, Mar 9, 2018 at 9:31 AM, Andrey Konovalov <[email protected]> wrote:
>> >> On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas <[email protected]> wrote:
>> >>> I'm not yet convinced these functions need to allow tagged pointers.
>> >>> They are not doing memory accesses but rather dealing with the memory
>> >>> range, hence an untagged pointer is better suited. There is probably a
>> >>> reason why the "start" argument is "unsigned long" vs "void __user *"
>> >>> (in the kernel, not the man page).
>> >>
>> >> So that would make the user to untag pointers before passing to these syscalls.
>> >>
>> >> Evgeniy, would that be possible to untag pointers in HWASan before
>> >> using memory subsystem syscalls? Is there a reason for untagging them
>> >> in the kernel?
>> >
>> > Generally, no. It's possible to intercept a libc call using symbol
>> > interposition, but I don't know how to rewrite arguments of a raw
>> > system call other than through ptrace, and that creates more problems
>> > than it solves.
>
> With these patches, we are trying to relax the user/kernel ABI so that
> tagged pointers can be passed into the kernel. Since this is a new ABI
> (or an extension to the existing one), it might be ok to change the libc
> so that the top byte is zeroed on specific syscalls before issuing the
> SVC.
>
> I agree that it is problematic for HWASan if it only relies on
> overriding malloc/free.
>
>> > AFAIU, it's valid for a program to pass an address obtained from
>> > malloc or, better, posix_memalign to an mm syscall like mprotect().
>> > These arguments are pointers from the userspace point of view.
>>
>> Catalin, do you think this is a good reason to have the untagging done
>> in the kernel?
>
> malloc() or posix_memalign() are C library implementations and it's the
> C library (or overridden functions) setting a tag on the returned
> pointers. Since the TBI hardware feature allows memory accesses with a
> non-zero tag, we could allow them in the kernel for syscalls performing
> such accesses on behalf of the user (e.g. get_user/put_user would not
> need to clear the tag).
>
> madvise(), OTOH, does not perform a memory access on behalf of the user,
> it's just advising the kernel about a range of virtual addresses. That's
> where I think, from an ABI perspective, it doesn't make much sense to
> allow tags into the kernel for these syscalls (even if it's simpler from
> a user space perspective).
>
> (but I don't have a very strong opinion on this ;))

I don't have a strong opinion on this, either.
Ideally, I would like tags to be fully transparent for user space
code. MM syscalls used on a malloc/memalign address are not a very
common pattern, so it might be OK to not allow tags there. But all
such code will have to be changed with explicit knowledge of TBI.