Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2933327imm;
        Fri, 19 Oct 2018 02:07:20 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62U9uTVTjngbR0NRnqF2Jr9+9101Z5oEr1TdUmyo4vkC0WXWiAtFe6e5T/kmJwu7X1mgXs1
X-Received: by 2002:a63:214d:: with SMTP id s13-v6mr31937166pgm.148.1539940040453;
        Fri, 19 Oct 2018 02:07:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539940040; cv=none;
        d=google.com; s=arc-20160816;
        b=tpTP16zUupvURcVmit9Vr0XvYuRb8Jwx5tFK3VlDVaT+jZmlCcE3PCvMGzsPRWyx+I
         obeDyIgnMhs2bcAmlozcA+PbEhVNdjLy0d2Rru7Zah3ucvSyOuQ66Is1/WIb3dKnarVt
         2lupw88G9sY5DXG6GnAp4/WHxA6uOIhb0E5lqe5Qnq/s591WnbVKg5rzVCMLNDAYyNIY
         Osrz4MwC9KWPrj20o11dwVpbp76dPetLJkJnRGt//Kom5FzuBRh9bco8AfaeQJe/F9cS
         UZLBQwzhcj3Y7WtHMpyaH2sshJjkuTmwQ6eWFYk6TaXQ3YYPZbnXnWwdeaSFedutsS0v
         uPgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=uov9WVpDMdkOzYVzRZz+CORjMz8EGWWRlgr6WK0NWS0=;
        b=cHno4vHAQlIeYDLqtsrDFTE0Sh+I6ymbGlSGQFsmPsu7foHf28ySLl8tS2ctyBXcB2
         rpH5mF9YiSplLQgv00pAqWBJt5tDeeV28hGc6pYt/BGyk9APmZX5JxMi1b09kg2zRkrP
         yS9peFlQBn/s8FJZ2ywvvtASu2KEbbefc73Khp2ZEMIxL0IHIbzRFEkSiY8QBicQxzjf
         5Zi5xTMdkQd9fGxwC6M3oda4jZQzSHzxjvWPxMJN1fC+n+gkDIQyriZVFuobPuMauZVl
         k0US5Y9p/GzsXn0hxcguONwUCK3WCEM5Fn74/6On3bgYU+dEbJNhhg+3V3ICFIWEV4wZ
         BhRg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h185-v6si712097pge.308.2018.10.19.02.07.04;
        Fri, 19 Oct 2018 02:07:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727343AbeJSRKC (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Fri, 19 Oct 2018 13:10:02 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:49210 "EHLO
        foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726399AbeJSRKC (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Oct 2018 13:10:02 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 917C180D;
        Fri, 19 Oct 2018 02:04:50 -0700 (PDT)
Received: from [10.37.10.27] (unknown [10.37.10.27])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C4CD83F5D3;
        Fri, 19 Oct 2018 02:04:44 -0700 (PDT)
Subject: Re: [PATCH v7 0/8] arm64: untag user pointers passed to the kernel
To:     Evgenii Stepanov <eugenis@google.com>,
        Andrey Konovalov <andreyknvl@google.com>
Cc:     Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Robin Murphy <robin.murphy@arm.com>,
        Kees Cook <keescook@chromium.org>,
        Kate Stewart <kstewart@linuxfoundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Ingo Molnar <mingo@kernel.org>,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
        Shuah Khan <shuah@kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        Linux Memory Management List <linux-mm@kvack.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Chintan Pandya <cpandya@codeaurora.org>,
        Jacob Bramley <Jacob.Bramley@arm.com>,
        Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>,
        Lee Smith <Lee.Smith@arm.com>,
        Kostya Serebryany <kcc@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
        Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
References: <cover.1538485901.git.andreyknvl@google.com>
 <be684ce5-92fd-e970-b002-83452cf50abd@arm.com>
 <CAAeHK+yEZTLjgSj8YUzeJec9Pp2TwuLT5nCa1OpfBLXJkx_hhg@mail.gmail.com>
 <CAFKCwrh4-BvFB_R1J0LWcbfeR=d02OazowFuMU+hmq8Y=Dx+4w@mail.gmail.com>
From:   Vincenzo Frascino <vincenzo.frascino@arm.com>
Message-ID: <9bb7fefd-3f8f-266a-3cc9-cc64f8927206@arm.com>
Date:   Fri, 19 Oct 2018 10:04:42 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <CAFKCwrh4-BvFB_R1J0LWcbfeR=d02OazowFuMU+hmq8Y=Dx+4w@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/17/18 9:25 PM, Evgenii Stepanov wrote:
> On Wed, Oct 17, 2018 at 7:20 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> On Wed, Oct 17, 2018 at 4:06 PM, Vincenzo Frascino
>> <vincenzo.frascino@arm.com> wrote:
>>> Hi Andrey,
>>> I have been thinking a bit lately on how to address the problem of user tagged pointers passed to the kernel through syscalls, and IMHO probably the best way we have to catch them all and make sure that the approach is maintainable in the long term is to introduce shims that tag/untag the pointers passed to the kernel.
>>>
>>> In details, what I am proposing can live either in userspace (preferred solution so that we do not have to relax the ABI) or in kernel space and can be summarized as follows:
>>>  - A shim is specific to a syscall and is called by the libc when it needs to invoke the respective syscall.
>>>  - It is required only if the syscall accepts pointers.
>>>  - It saves the tags of a pointers passed to the syscall in memory (same approach if the we are passing a struct that contains pointers to the kernel, with the difference that all the tags of the pointers in the struct need to be saved singularly)
>>>  - Untags the pointers
>>>  - Invokes the syscall
>>>  - Retags the pointers with the tags stored in memory
>>>  - Returns
>>>
>>> What do you think?
>>
>> Hi Vincenzo,
>>
>> If I correctly understand what you are proposing, I'm not sure if that
>> would work with the countless number of different ioctl calls. For
>> example when an ioctl accepts a struct with a bunch of pointer fields.
>> In this case a shim like the one you propose can't live in userspace,
>> since libc doesn't know about the interface of all ioctls, so it can't
>> know which fields to untag. The kernel knows about those interfaces
>> (since the kernel implements them), but then we would need a custom
>> shim for each ioctl variation, which doesn't seem practical.
> 
> The current patchset handles majority of pointers in a just a few
> common places, like copy_from_user. Userspace shims will need to untag
> & retag all pointer arguments - we are looking at hundreds if not
> thousands of shims. They will also be located in a different code base
> from the syscall / ioctl implementations, which would make them
> impossible to keep up to date.
> 

I agree with both of you, ioctl is the real show stopper for this approach. Thanks for pointing this out.

-- 
Regards,
Vincenzo