Date: Mon, 15 Jan 2018 12:24:59 +0000
From: Dave P Martin
To: Kees Cook
Cc: linux-kernel@vger.kernel.org, Catalin Marinas, Will Deacon, Christian Borntraeger, Ingo Molnar, James Morse, "Peter Zijlstra (Intel)", zijun_hu, linux-arm-kernel@lists.infradead.org, Linus Torvalds, David Windsor, Alexander Viro, Andrew Morton, Andy Lutomirski, Christoph Hellwig, Christoph Lameter, "David S. Miller", Laura Abbott, Mark Rutland, "Martin K. Petersen", Paolo Bonzini, Christoffer Dall, Dave Kleikamp, Jan Kara, Luis de Bethencourt, Marc Zyngier, Rik van Riel, Matthew Garrett, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 33/38] arm64: Implement thread_struct whitelist for hardened usercopy
Message-ID: <20180115122458.GI12608@e103592.cambridge.arm.com>
In-Reply-To: <1515636190-24061-34-git-send-email-keescook@chromium.org>
On Thu, Jan 11, 2018 at 02:03:05AM +0000, Kees Cook wrote:
> This whitelists the FPU register state portion of the thread_struct for
> copying to userspace, instead of the default entire structure.
>
> Cc: Catalin Marinas
> Cc: Will Deacon
> Cc: Christian Borntraeger
> Cc: Ingo Molnar
> Cc: James Morse
> Cc: "Peter Zijlstra (Intel)"
> Cc: Dave Martin
> Cc: zijun_hu
> Cc: linux-arm-kernel@lists.infradead.org
> Signed-off-by: Kees Cook
> ---
> arch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/processor.h | 8 ++++++++
> 2 files changed, 9 insertions(+)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index a93339f5178f..c84477e6a884 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -90,6 +90,7 @@ config ARM64
> select HAVE_ARCH_MMAP_RND_BITS
> select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
> select HAVE_ARCH_SECCOMP_FILTER
> + select HAVE_ARCH_THREAD_STRUCT_WHITELIST
> select HAVE_ARCH_TRACEHOOK
> select HAVE_ARCH_TRANSPARENT_HUGEPAGE
> select HAVE_ARCH_VMAP_STACK
> diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
> index 023cacb946c3..e58a5864ec89 100644
> --- a/arch/arm64/include/asm/processor.h
> +++ b/arch/arm64/include/asm/processor.h
> @@ -113,6 +113,14 @@ struct thread_struct {
> struct debug_info debug; /* debugging */
> };
>
> +/* Whitelist the fpsimd_state for copying to userspace. */
> +static inline void arch_thread_struct_whitelist(unsigned long *offset,
> + unsigned long *size)
> +{
> + *offset = offsetof(struct thread_struct, fpsimd_state);
> + *size = sizeof(struct fpsimd_state);

This should be fpsimd_state.user_fpsimd (fpsimd_state.cpu is important for correct context switching and not supposed to be user-accessible. A user copy that encompasses that is definitely a bug).

Cheers
---Dave
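Review bot: the whitelist in the processor.h hunk spans all of `fpsimd_state`, so it also covers the kernel-private `cpu` member that Dave Martin's reply above calls out, which is exactly the kind of field a hardened-usercopy whitelist exists to exclude; narrow it to the user-visible registers, e.g. `*offset = offsetof(struct thread_struct, fpsimd_state.user_fpsimd);` with `*size` taken as the `sizeof` of that member, and reword the comment `/* Whitelist the fpsimd_state for copying to userspace. */` to name `user_fpsimd`, since as written it documents the over-broad range.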
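As an added example that is not part of the patch or of the kernel, the following C model shows the difference the review makes: `thread_struct_model`, `fpsimd_state_model` and `user_fpsimd_model` are constructed stand-ins for the arm64 types, and `copy_allowed` models the bounds check hardened usercopy applies to a whitelisted range. Under the range the hunk sets, a copy of the kernel-only `cpu` field is accepted; under the narrowed range it is rejected.

```c
/* Added example, not kernel code: a user-space model of how hardened usercopy
 * bounds a copy to a whitelisted range of thread_struct. All struct layouts
 * here are constructed stand-ins for the arm64 types, not the real ones. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct user_fpsimd_model { uint64_t vregs[64]; uint32_t fpsr, fpcr, pad[2]; };
struct fpsimd_state_model {     /* stand-in for struct fpsimd_state */
    struct user_fpsimd_model user_fpsimd;   /* user-visible registers */
    unsigned int cpu;           /* kernel-only: last CPU to restore it */
};
struct thread_struct_model {    /* stand-in for struct thread_struct */
    unsigned long tp_value;     /* kernel-only */
    struct fpsimd_state_model fpsimd_state;
    unsigned long debug;        /* kernel-only */
};
struct whitelist { unsigned long offset, size; }; /* [offset, offset + size) */
/* The range the posted hunk whitelists: all of fpsimd_state, cpu included. */
static struct whitelist whitelist_as_posted(void) {
    struct whitelist wl = { offsetof(struct thread_struct_model, fpsimd_state),
                            sizeof(struct fpsimd_state_model) };
    return wl;
}

/* The range the review asks for: only the user_fpsimd member. */
static struct whitelist whitelist_reviewed(void) {
    struct whitelist wl = {
        offsetof(struct thread_struct_model, fpsimd_state.user_fpsimd),
        sizeof(((struct thread_struct_model *)0)->fpsimd_state.user_fpsimd) };
    return wl;
}

/* usercopy-style check: n bytes at object offset off must lie wholly inside
 * the whitelist; written without off + n so the test cannot overflow. */
static bool copy_allowed(struct whitelist wl, unsigned long off, unsigned long n) {
    return off >= wl.offset && n <= wl.size && off - wl.offset <= wl.size - n;
}

/* Does a copy of just the cpu field pass under this whitelist? */
static bool cpu_field_exposed(struct whitelist wl) {
    unsigned long off = offsetof(struct thread_struct_model, fpsimd_state.cpu);
    return copy_allowed(wl, off, sizeof(unsigned int));
}
int main(void) {
    printf("cpu field exposed: as posted=%d, reviewed=%d\n",
           cpu_field_exposed(whitelist_as_posted()),
           cpu_field_exposed(whitelist_reviewed()));
    return 0;   /* prints 1 and 0 */
}
```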