Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2933327imm; Fri, 19 Oct 2018 02:07:20 -0700 (PDT) X-Google-Smtp-Source: ACcGV62U9uTVTjngbR0NRnqF2Jr9+9101Z5oEr1TdUmyo4vkC0WXWiAtFe6e5T/kmJwu7X1mgXs1 X-Received: by 2002:a63:214d:: with SMTP id s13-v6mr31937166pgm.148.1539940040453; Fri, 19 Oct 2018 02:07:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539940040; cv=none; d=google.com; s=arc-20160816; b=tpTP16zUupvURcVmit9Vr0XvYuRb8Jwx5tFK3VlDVaT+jZmlCcE3PCvMGzsPRWyx+I obeDyIgnMhs2bcAmlozcA+PbEhVNdjLy0d2Rru7Zah3ucvSyOuQ66Is1/WIb3dKnarVt 2lupw88G9sY5DXG6GnAp4/WHxA6uOIhb0E5lqe5Qnq/s591WnbVKg5rzVCMLNDAYyNIY Osrz4MwC9KWPrj20o11dwVpbp76dPetLJkJnRGt//Kom5FzuBRh9bco8AfaeQJe/F9cS UZLBQwzhcj3Y7WtHMpyaH2sshJjkuTmwQ6eWFYk6TaXQ3YYPZbnXnWwdeaSFedutsS0v uPgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=uov9WVpDMdkOzYVzRZz+CORjMz8EGWWRlgr6WK0NWS0=; b=cHno4vHAQlIeYDLqtsrDFTE0Sh+I6ymbGlSGQFsmPsu7foHf28ySLl8tS2ctyBXcB2 rpH5mF9YiSplLQgv00pAqWBJt5tDeeV28hGc6pYt/BGyk9APmZX5JxMi1b09kg2zRkrP yS9peFlQBn/s8FJZ2ywvvtASu2KEbbefc73Khp2ZEMIxL0IHIbzRFEkSiY8QBicQxzjf 5Zi5xTMdkQd9fGxwC6M3oda4jZQzSHzxjvWPxMJN1fC+n+gkDIQyriZVFuobPuMauZVl k0US5Y9p/GzsXn0hxcguONwUCK3WCEM5Fn74/6On3bgYU+dEbJNhhg+3V3ICFIWEV4wZ BhRg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h185-v6si712097pge.308.2018.10.19.02.07.04; Fri, 19 Oct 2018 02:07:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727343AbeJSRKC (ORCPT + 99 others); Fri, 19 Oct 2018 13:10:02 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:49210 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726399AbeJSRKC (ORCPT ); Fri, 19 Oct 2018 13:10:02 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 917C180D; Fri, 19 Oct 2018 02:04:50 -0700 (PDT) Received: from [10.37.10.27] (unknown [10.37.10.27]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C4CD83F5D3; Fri, 19 Oct 2018 02:04:44 -0700 (PDT) Subject: Re: [PATCH v7 0/8] arm64: untag user pointers passed to the kernel To: Evgenii Stepanov , Andrey Konovalov Cc: Catalin Marinas , Will Deacon , Mark Rutland , Robin Murphy , Kees Cook , Kate Stewart , Greg Kroah-Hartman , Andrew Morton , Ingo Molnar , "Kirill A . Shutemov" , Shuah Khan , Linux ARM , "open list:DOCUMENTATION" , Linux Memory Management List , linux-arch , "open list:KERNEL SELFTEST FRAMEWORK" , LKML , Chintan Pandya , Jacob Bramley , Ruben Ayrapetyan , Lee Smith , Kostya Serebryany , Dmitry Vyukov , Ramana Radhakrishnan , Luc Van Oostenryck References: From: Vincenzo Frascino Message-ID: <9bb7fefd-3f8f-266a-3cc9-cc64f8927206@arm.com> Date: Fri, 19 Oct 2018 10:04:42 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/17/18 9:25 PM, Evgenii Stepanov wrote: > On Wed, Oct 17, 2018 at 7:20 AM, Andrey Konovalov wrote: >> On Wed, Oct 17, 2018 at 4:06 PM, Vincenzo Frascino >> wrote: >>> Hi Andrey, >>> I have been thinking a bit lately on how to address the problem of user tagged pointers passed to the kernel through syscalls, and IMHO probably the best way we have to catch them all and make sure that the approach is maintainable in the long term is to introduce shims that tag/untag the pointers passed to the kernel. >>> >>> In details, what I am proposing can live either in userspace (preferred solution so that we do not have to relax the ABI) or in kernel space and can be summarized as follows: >>> - A shim is specific to a syscall and is called by the libc when it needs to invoke the respective syscall. >>> - It is required only if the syscall accepts pointers. >>> - It saves the tags of a pointers passed to the syscall in memory (same approach if the we are passing a struct that contains pointers to the kernel, with the difference that all the tags of the pointers in the struct need to be saved singularly) >>> - Untags the pointers >>> - Invokes the syscall >>> - Retags the pointers with the tags stored in memory >>> - Returns >>> >>> What do you think? >> >> Hi Vincenzo, >> >> If I correctly understand what you are proposing, I'm not sure if that >> would work with the countless number of different ioctl calls. For >> example when an ioctl accepts a struct with a bunch of pointer fields. >> In this case a shim like the one you propose can't live in userspace, >> since libc doesn't know about the interface of all ioctls, so it can't >> know which fields to untag. The kernel knows about those interfaces >> (since the kernel implements them), but then we would need a custom >> shim for each ioctl variation, which doesn't seem practical. > > The current patchset handles majority of pointers in a just a few > common places, like copy_from_user. Userspace shims will need to untag > & retag all pointer arguments - we are looking at hundreds if not > thousands of shims. They will also be located in a different code base > from the syscall / ioctl implementations, which would make them > impossible to keep up to date. > I agree with both of you, ioctl is the real show stopper for this approach. Thanks for pointing this out. -- Regards, Vincenzo