References: <0b0db24e18063076e9d9f4e376994af83da05456.1546932949.git.christophe.leroy@c-s.fr> <20190108114803.583f203b86d4a368ac9796f3@linux-foundation.org> <19c99d33-b796-72df-4212-20255f84efa0@c-s.fr>
In-Reply-To: <19c99d33-b796-72df-4212-20255f84efa0@c-s.fr>
From: Kees Cook
Date: Tue, 8 Jan 2019 13:14:25 -0800
Subject: Re: [PATCH v2 1/2] mm: add probe_user_read()
To: Christophe Leroy
Cc: Andrew Morton, Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman, Mike Rapoport, LKML, PowerPC, Linux-MM
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 8, 2019 at 1:11 PM Christophe Leroy wrote:
>
> On 08/01/2019 at 20:48, Andrew Morton wrote:
> > On Tue, 8 Jan 2019 07:37:44 +0000 (UTC) Christophe Leroy wrote:
> >
> >> In powerpc code, there are several places implementing safe
> >> access to user data. This is sometimes implemented using
> >> probe_kernel_address() with additional access_ok() verification,
> >> sometimes with get_user() enclosed in a pagefault_disable()/enable()
> >> pair, etc.:
> >> show_user_instructions()
> >> bad_stack_expansion()
> >> p9_hmi_special_emu()
> >> fsl_pci_mcheck_exception()
> >> read_user_stack_64()
> >> read_user_stack_32() on PPC64
> >> read_user_stack_32() on PPC32
> >> power_pmu_bhrb_to()
> >>
> >> In the same spirit as probe_kernel_read(), this patch adds
> >> probe_user_read().
> >>
> >> probe_user_read() does the same as probe_kernel_read() but
> >> first checks that it is really a user address.
> >>
> >> ...
> >>
> >> --- a/include/linux/uaccess.h
> >> +++ b/include/linux/uaccess.h
> >> @@ -263,6 +263,40 @@ extern long strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count);
> >>  #define probe_kernel_address(addr, retval)		\
> >>  	probe_kernel_read(&retval, addr, sizeof(retval))
> >>
> >> +/**
> >> + * probe_user_read(): safely attempt to read from a user location
> >> + * @dst: pointer to the buffer that shall take the data
> >> + * @src: address to read from
> >> + * @size: size of the data chunk
> >> + *
> >> + * Returns: 0 on success, -EFAULT on error.
> >> + *
> >> + * Safely read from address @src to the buffer at @dst. If a kernel fault
> >> + * happens, handle that and return -EFAULT.
> >> + *
> >> + * We ensure that the copy_from_user is executed in atomic context so that
> >> + * do_page_fault() doesn't attempt to take mmap_sem. This makes
> >> + * probe_user_read() suitable for use within regions where the caller
> >> + * already holds mmap_sem, or other locks which nest inside mmap_sem.
> >> + */
> >> +
> >> +#ifndef probe_user_read
> >> +static __always_inline long probe_user_read(void *dst, const void __user *src,
> >> +					    size_t size)
> >> +{
> >> +	long ret;
> >> +
> >> +	if (!access_ok(src, size))
> >> +		return -EFAULT;
> >> +
> >> +	pagefault_disable();
> >> +	ret = __copy_from_user_inatomic(dst, src, size);
> >> +	pagefault_enable();
> >> +
> >> +	return ret ? -EFAULT : 0;
> >> +}
> >> +#endif
> >
> > Why was the __always_inline needed?
> >
> > This function is pretty large. Why is it inlined?
> >
>
> Kees told me to do it that way, see https://patchwork.ozlabs.org/patch/986848/

Yeah, I'd like to make sure we can plumb the size checks down into the
user copy primitives.

-- 
Kees Cook
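Review bot: The kernel-doc block for probe_user_read() is detached from the function it documents by a blank `+` line and the `#ifndef probe_user_read` guard, so kernel-doc will not attach the comment to the declaration; move the comment inside the guard so that `+ */` is immediately followed by `+static __always_inline long probe_user_read(void *dst, const void __user *src,`. The `__always_inline` also rests on a rationale that only exists in this thread (Kees wants the size checks in the user copy primitives to see the caller's sizes), and Andrew's question shows the attribute will keep getting challenged on a body this large; a one-line comment above the function stating that reason would stop a later cleanup from dropping it. Minor wording: the comment says "If a kernel fault happens" for an access to user memory; "If a fault happens" is the accurate statement.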