Date: Thu, 18 Oct 2018 18:33:31 +0100
From: Catalin Marinas
To: Evgenii Stepanov
Cc: Andrey Konovalov, Mark Rutland, Kate Stewart, "open list:DOCUMENTATION", Will Deacon, Linux Memory Management List, "open list:KERNEL SELFTEST FRAMEWORK", Chintan Pandya, Vincenzo Frascino, Shuah Khan, Ingo Molnar, linux-arch, Jacob Bramley, Dmitry Vyukov, Kees Cook, Ruben Ayrapetyan, Ramana Radhakrishnan, Linux ARM, Kostya Serebryany, Greg Kroah-Hartman, LKML, Luc Van Oostenryck, Lee Smith, Andrew Morton, Robin Murphy, "Kirill A. Shutemov"
Subject: Re: [PATCH v7 0/8] arm64: untag user pointers passed to the kernel
Message-ID: <20181018173330.GG237391@arrakis.emea.arm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 17, 2018 at 01:25:42PM -0700, Evgenii Stepanov wrote:
> On Wed, Oct 17, 2018 at 7:20 AM, Andrey Konovalov wrote:
> > On Wed, Oct 17, 2018 at 4:06 PM, Vincenzo Frascino wrote:
> >> I have been thinking a bit lately on how to address the problem of
> >> user tagged pointers passed to the kernel through syscalls, and
> >> IMHO probably the best way we have to catch them all and make sure
> >> that the approach is maintainable in the long term is to introduce
> >> shims that tag/untag the pointers passed to the kernel.
> >>
> >> In detail, what I am proposing can live either in userspace
> >> (preferred solution so that we do not have to relax the ABI) or in
> >> kernel space and can be summarized as follows:
> >> - A shim is specific to a syscall and is called by the libc when
> >>   it needs to invoke the respective syscall.
> >> - It is required only if the syscall accepts pointers.
> >> - It saves the tags of the pointers passed to the syscall in memory
> >>   (same approach if we are passing a struct that contains
> >>   pointers to the kernel, with the difference that all the tags of
> >>   the pointers in the struct need to be saved singularly)
> >> - Untags the pointers
> >> - Invokes the syscall
> >> - Retags the pointers with the tags stored in memory
> >> - Returns
> >>
> >> What do you think?
> >
> > If I correctly understand what you are proposing, I'm not sure if that
> > would work with the countless number of different ioctl calls. For
> > example when an ioctl accepts a struct with a bunch of pointer fields.
> > In this case a shim like the one you propose can't live in userspace,
> > since libc doesn't know about the interface of all ioctls, so it can't
> > know which fields to untag. The kernel knows about those interfaces
> > (since the kernel implements them), but then we would need a custom
> > shim for each ioctl variation, which doesn't seem practical.
>
> The current patchset handles the majority of pointers in just a few
> common places, like copy_from_user. Userspace shims will need to untag
> & retag all pointer arguments - we are looking at hundreds if not
> thousands of shims. They will also be located in a different code base
> from the syscall / ioctl implementations, which would make them
> impossible to keep up to date.

I think ioctls are a good reason not to attempt such a user-space shim
layer (though it would have been much easier for the kernel ;)).

-- 
Catalin
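As an added example (not code from this thread or from the patch set), a minimal C model of the shim Vincenzo describes, applied to a constructed ioctl-style request with two pointer fields, so the save-tag/untag/invoke/retag sequence and the per-ioctl bookkeeping the replies object to are both visible. It assumes the arm64 Top Byte Ignore tag layout (tag in bits 63:56); `fake_req`, `fake_sys_ioctl`, `shim_ioctl`, `tag_ptr` and `run_demo` are constructed stand-ins, with the kernel side modelled as a function that refuses tagged pointers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Tag layout assumed from arm64 Top Byte Ignore: the tag is bits 63:56. */
#define TAG_SHIFT 56
#define TAG_MASK  ((uintptr_t)0xff << TAG_SHIFT)
static uint8_t   ptr_tag(uintptr_t p)              { return (uint8_t)(p >> TAG_SHIFT); }
static uintptr_t ptr_untag(uintptr_t p)            { return p & ~TAG_MASK; }
static uintptr_t ptr_retag(uintptr_t p, uint8_t t) { return ptr_untag(p) | ((uintptr_t)t << TAG_SHIFT); }

/* Constructed stand-in for an ioctl request whose fields are user pointers. */
struct fake_req { uintptr_t in; size_t in_len; uintptr_t out; };

/* Stand-in for the kernel side: like a kernel without the untagging patches it
   refuses tagged pointers (the real check is in access_ok()/copy_*_user). */
static long fake_sys_ioctl(uintptr_t req_ptr) {
    if (ptr_tag(req_ptr)) return -EFAULT;
    const struct fake_req *r = (const struct fake_req *)req_ptr;
    if (ptr_tag(r->in) || ptr_tag(r->out) || r->in_len > 16) return -EFAULT;
    memcpy((void *)r->out, (const void *)r->in, r->in_len); /* both untagged here */
    return 0;
}

/* The shim the proposal describes, for this one request type: save each pointer's
   tag, untag, invoke, retag, return. Every pointer field must be listed by hand,
   per ioctl, which is the maintenance burden the replies object to. */
long shim_ioctl(struct fake_req *req) {
    struct fake_req *u = (struct fake_req *)ptr_untag((uintptr_t)req);
    uint8_t t_in = ptr_tag(u->in), t_out = ptr_tag(u->out);
    u->in  = ptr_untag(u->in);
    u->out = ptr_untag(u->out);
    long ret = fake_sys_ioctl((uintptr_t)u);
    u->in  = ptr_retag(u->in,  t_in);   /* restore the caller's tags even on failure */
    u->out = ptr_retag(u->out, t_out);
    return ret;
}

/* Tagged pointers are only built/compared as integers (host may lack TBI). */
uintptr_t tag_ptr(const void *p, uint8_t t) { return ptr_retag((uintptr_t)p, t); }

/* Scenario: the direct call fails on the tagged fields, the shimmed call succeeds
   and leaves the caller's tags intact. Returns 1 when all of that holds. */
int run_demo(void) {
    static char in_buf[8] = "tagged!", out_buf[8];
    struct fake_req r = { tag_ptr(in_buf, 0x2a), sizeof in_buf, tag_ptr(out_buf, 0x7f) };
    if (fake_sys_ioctl((uintptr_t)&r) != -EFAULT) return 0;
    if (shim_ioctl((struct fake_req *)tag_ptr(&r, 0x11)) != 0) return 0;
    return memcmp(in_buf, out_buf, sizeof in_buf) == 0
        && ptr_tag(r.in) == 0x2a && ptr_tag(r.out) == 0x7f;
}
```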