Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7206077imu; Mon, 3 Dec 2018 09:14:08 -0800 (PST) X-Google-Smtp-Source: AFSGD/UItPLSTD3/1sc2GJqeYTHYXiDtxXyHzVWXILR/1lCdYS1/UsU6bRnDpxu/t7tGDrEtPniE X-Received: by 2002:a63:2643:: with SMTP id m64mr13709501pgm.35.1543857248406; Mon, 03 Dec 2018 09:14:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543857248; cv=none; d=google.com; s=arc-20160816; b=JxyB56oU2Uw4Lw/PdxBRpudFiHEwh+HD7nEyMxybG0H4CE2rRYxOEsD/2tUm6Dot2e xaBc7zL5LZzsZkbVsmp0Du1OXa3Sc9LhHfI/M56cOLHoPhBl3tuPFMh31IOlLeiQiNHA QxynjCOSmZd7M56/6sHfClJ/AI63aymjHZ7scc8XbyGs8BxDnqTCxcCOdIBJeX+e+wnC YFsJlKcEe4St1It2GqleXMpbS2CRUYfD17yJ+2ZEgoYvfrzuJNdMC8lQgPawpODmmTGX whuWHu3f+DXzK1ijaCqFxE3GupjlTjzBSyOKJcdhrSyDovNa3RL+EOA6sSeB1YdCVTbT x1ZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=9HVkWJ3PqJcudaRLxgM/Am8Hn4tdO1riERkbjtHP/bA=; b=Otjl29GRmY7sdK9BrLKlICgeG5LUpJrrrrKIfUb068ETl1arCAzHF65riBXy701ICT eBtt7dIWgLjO/cFjDNXrI6lnFehwWTcKGMEmRaz/DOAWs6gxaXNSOz9zdcgcc0WxkdGF w44S5XVc1l+3bEsSNqLivuy/ytO1sq8iH66B+AoEvu3txapT15a/YPWQS6BTiwGBrqGm YRoIPBbqsnDnLX1XhEzGxMTr3XNBzvBNCSqnneabhTog3nwagDoqa2Tmdw5e2QjQuigw +ct0Te5aw9fsK3+jJ6XBHyaZIws0tsex581MUY0HuQoVAdGYpaZcU5C+Q2TlmsmRTFVe C6SA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 16si12510905pgh.58.2018.12.03.09.13.43; Mon, 03 Dec 2018 09:14:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726839AbeLCRLP (ORCPT + 99 others); Mon, 3 Dec 2018 12:11:15 -0500 Received: from pegase1.c-s.fr ([93.17.236.30]:48578 "EHLO pegase1.c-s.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726650AbeLCRLP (ORCPT ); Mon, 3 Dec 2018 12:11:15 -0500 Received: from localhost (mailhub1-int [192.168.12.234]) by localhost (Postfix) with ESMTP id 437s315cCKz9v01m; Mon, 3 Dec 2018 18:11:09 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at c-s.fr Received: from pegase1.c-s.fr ([192.168.12.234]) by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024) with ESMTP id GJySx5LmMJoZ; Mon, 3 Dec 2018 18:11:09 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase1.c-s.fr (Postfix) with ESMTP id 437s315587z9tyys; Mon, 3 Dec 2018 18:11:09 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 0617D8B7B8; Mon, 3 Dec 2018 18:11:13 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id cswXRt5T2eYE; Mon, 3 Dec 2018 18:11:12 +0100 (CET) Received: from [192.168.232.3] (unknown [192.168.232.3]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 59B088B79E; Mon, 3 Dec 2018 18:11:12 +0100 (CET) Subject: Re: [RFC PATCH] mm: add probe_user_read() and probe_user_address() To: Kees Cook Cc: Andrew Morton , Michael Ellerman , LKML , PowerPC , Linux-MM References: <336eb81e62d6c683a69d312f533899dcb6bcf770.1539959864.git.christophe.leroy@c-s.fr> From: Christophe LEROY Message-ID: Date: Mon, 3 Dec 2018 18:11:11 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: fr Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 19/10/2018 à 17:42, Kees Cook a écrit : > On Fri, Oct 19, 2018 at 8:14 AM, Christophe Leroy > wrote: >> In the powerpc, there are several places implementing safe >> access to user data. This is sometimes implemented using >> probe_kerne_address() with additional access_ok() verification, >> sometimes with get_user() enclosed in a pagefault_disable()/enable() >> pair, etc... : >> show_user_instructions() >> bad_stack_expansion() >> p9_hmi_special_emu() >> fsl_pci_mcheck_exception() >> read_user_stack_64() >> read_user_stack_32() on PPC64 >> read_user_stack_32() on PPC32 >> power_pmu_bhrb_to() >> >> In the same spirit as probe_kernel_read() and probe_kernel_address(), >> this patch adds probe_user_read() and probe_user_address(). >> >> probe_user_read() does the same as probe_kernel_read() but >> first checks that it is really a user address. >> >> probe_user_address() is a shortcut to probe_user_read() >> >> Signed-off-by: Christophe Leroy >> --- >> include/linux/uaccess.h | 10 ++++++++++ >> mm/maccess.c | 33 +++++++++++++++++++++++++++++++++ >> 2 files changed, 43 insertions(+) >> >> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h >> index efe79c1cdd47..fb00e3f847d7 100644 >> --- a/include/linux/uaccess.h >> +++ b/include/linux/uaccess.h >> @@ -266,6 +266,16 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count); >> #define probe_kernel_address(addr, retval) \ >> probe_kernel_read(&retval, addr, sizeof(retval)) >> >> +/** >> + * probe_user_address(): safely attempt to read from a user location >> + * @addr: address to read from >> + * @retval: read into this variable >> + * >> + * Returns 0 on success, or -EFAULT. >> + */ >> +#define probe_user_address(addr, retval) \ >> + probe_user_read(&(retval), addr, sizeof(retval)) >> + >> #ifndef user_access_begin >> #define user_access_begin() do { } while (0) >> #define user_access_end() do { } while (0) >> diff --git a/mm/maccess.c b/mm/maccess.c >> index ec00be51a24f..85d4a88a6917 100644 >> --- a/mm/maccess.c >> +++ b/mm/maccess.c >> @@ -67,6 +67,39 @@ long __probe_kernel_write(void *dst, const void *src, size_t size) >> EXPORT_SYMBOL_GPL(probe_kernel_write); >> >> /** >> + * probe_user_read(): safely attempt to read from a user location >> + * @dst: pointer to the buffer that shall take the data >> + * @src: address to read from >> + * @size: size of the data chunk >> + * >> + * Safely read from address @src to the buffer at @dst. If a kernel fault >> + * happens, handle that and return -EFAULT. >> + * >> + * We ensure that the copy_from_user is executed in atomic context so that >> + * do_page_fault() doesn't attempt to take mmap_sem. This makes >> + * probe_user_read() suitable for use within regions where the caller >> + * already holds mmap_sem, or other locks which nest inside mmap_sem. >> + */ >> + >> +long __weak probe_user_read(void *dst, const void *src, size_t size) >> + __attribute__((alias("__probe_user_read"))); > > Let's use #defines to deal with per-arch aliases so we can keep the > inline I'm suggesting below... > >> + >> +long __probe_user_read(void *dst, const void __user *src, size_t size) > > Please make this __always_inline so the "size" variable can be > examined for const-ness by the check_object_size() in > __copy_from_user_inatomic(). Ok, I did as suggested in the patch I just sent. Would it be worth doing the same with the existing probe_kernel_read() and probe_kernel_write() ? Christophe > > -Kees >