Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932337AbeAKXVR (ORCPT + 1 other); Thu, 11 Jan 2018 18:21:17 -0500 Received: from mail-vk0-f68.google.com ([209.85.213.68]:41138 "EHLO mail-vk0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932150AbeAKXVL (ORCPT ); Thu, 11 Jan 2018 18:21:11 -0500 X-Google-Smtp-Source: ACJfBotE0aBt7hnwxTCO01fBpK52JgLIeZRC41tcd79hfLJekSFK2WsZur0EQtYWozYJLJYKTXqAWOYOCK9iifhROGw= MIME-Version: 1.0 In-Reply-To: <20180111102400.GT17719@n2100.armlinux.org.uk> References: <1515636190-24061-1-git-send-email-keescook@chromium.org> <1515636190-24061-35-git-send-email-keescook@chromium.org> <20180111102400.GT17719@n2100.armlinux.org.uk> From: Kees Cook Date: Thu, 11 Jan 2018 15:21:09 -0800 X-Google-Sender-Auth: OmSCILmjYLUC4syNR1c4DP2efGE Message-ID: Subject: Re: [PATCH 34/38] arm: Implement thread_struct whitelist for hardened usercopy To: Russell King - ARM Linux Cc: LKML , Ingo Molnar , Christian Borntraeger , "Peter Zijlstra (Intel)" , linux-arm-kernel@lists.infradead.org, Linus Torvalds , David Windsor , Alexander Viro , Andrew Morton , Andy Lutomirski , Christoph Hellwig , Christoph Lameter , "David S. Miller" , Laura Abbott , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Christoffer Dall , Dave Kleikamp , Jan Kara , Luis de Bethencourt , Marc Zyngier , Rik van Riel , Matthew Garrett , "linux-fsdevel@vger.kernel.org" , linux-arch , Network Development , Linux-MM , kernel-hardening@lists.openwall.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Thu, Jan 11, 2018 at 2:24 AM, Russell King - ARM Linux wrote: > On Wed, Jan 10, 2018 at 06:03:06PM -0800, Kees Cook wrote: >> ARM does not carry FPU state in the thread structure, so it can declare >> no usercopy whitelist at all. > > This comment seems to be misleading. We have stored FP state in the > thread structure for a long time - for example, VFP state is stored > in thread->vfpstate.hard, so we _do_ have floating point state in > the thread structure. > > What I think this commit message needs to describe is why we don't > need a whitelist _despite_ having FP state in the thread structure. > > At the moment, the commit message is making me think that this patch > is wrong and will introduce a regression. Yeah, I will improve this comment; it's not clear enough. The places where I see state copied to/from userspace are all either static sizes or already use bounce buffers (or both). e.g.: err |= __copy_from_user(&hwstate->fpregs, &ufp->fpregs, sizeof(hwstate->fpregs)); I will adjust the commit log and comment to more clearly describe the lack of whitelisting due to all-static sized copies. Thanks! -Kees -- Kees Cook Pixel Security