Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp1193106imj; Sat, 16 Feb 2019 23:46:13 -0800 (PST) X-Google-Smtp-Source: AHgI3IbxBBj6Te4D5eQ8ybARNkU6Ezyoq8nqJOncdqD0zIkxdpa4pNSBHhYTSpIZKMGr/5bxz4x5 X-Received: by 2002:a17:902:2a66:: with SMTP id i93mr19087016plb.128.1550389573536; Sat, 16 Feb 2019 23:46:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550389573; cv=none; d=google.com; s=arc-20160816; b=EjdweiRg011cZ9c4ELiY8IJoDwhK4fCimUg//zsa/BnM+Dy0kIywGFZf+ExgAZyjv4 YJdMGA6M38/UyM+dIXRrGwOThME/ZraCmEvwD82woAgKP0NCgkphgbnGmfohIAF+1v8X BDzBkP5s0CHB/OAUWuntzGmGOOC3F8HvBDATYGHIrlSx5CYmv+gqhkuDwpQawP/LmQWK p/Pl01jBMkOuBfY7nJXROFvgEKMqivH9sXgQGVnNmo6rzF41k9Bu4adoI5GmEuccHxEC Gr+O2WHMT8hd95WoGeiDrloHIQzN94obiZMd5xu1qcYxp1RMm2RPvSSudTdFP9wCrh7N YRfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=a9CoJd8QEaQlF+xvF+rejKjpEUriky0JKQJZLZzYeSE=; b=m8RxV/tugsnBFbx9E82+NnYWexJqnJ847dsKIkzwMCJFQVxDlqDQABne6UVdXtjGJV gA1RwYarUELmauG7rwwatY6tqlyxs8pF7luIpxOgqn/JhmZ6B6RA2RliyLzrXCRTgTxe jRmb8wEB2vmY8OcSmcHcpX7gM7r3741I4tr2DDHoojIfxwCzdEtryMr9eaabrvXN9jtl +J44cIG1KPbtMvQnJwCalnE9AohDEl165YB7fu/+jHPbxQZl710qaS4BCiZRH/ILqrwa gzSq9wMF97PoHoRsV2WfD1uTcWt5yTrGISfE6ZUocSqZalR1UuVKQSluWI6ZRO9kaj8t HrQw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e192si9816236pfc.28.2019.02.16.23.45.57; Sat, 16 Feb 2019 23:46:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727127AbfBPWZ0 (ORCPT + 99 others); Sat, 16 Feb 2019 17:25:26 -0500 Received: from Galois.linutronix.de ([146.0.238.70]:54869 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726191AbfBPWZ0 (ORCPT ); Sat, 16 Feb 2019 17:25:26 -0500 Received: from p5492e0d8.dip0.t-ipconnect.de ([84.146.224.216] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1gv8Od-0006kg-Ed; Sat, 16 Feb 2019 23:25:19 +0100 Date: Sat, 16 Feb 2019 23:25:18 +0100 (CET) From: Thomas Gleixner To: Jann Horn cc: baloo@gandi.net, Andy Lutomirski , the arch/x86 maintainers , Ingo Molnar , Borislav Petkov , kernel list , Pascal Bouchareine Subject: Re: [PATCH] x86: uaccess: fix regression in unsafe_get_user In-Reply-To: Message-ID: References: <20190215235901.23541-1-baloo@gandi.net> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 16 Feb 2019, Thomas Gleixner wrote: > On Sat, 16 Feb 2019, Jann Horn wrote: > > On Sat, Feb 16, 2019 at 12:59 AM wrote: > > > When extracting an initramfs, a filename may be near an allocation boundary. > > > Should that happen, strncopy_from_user will invoke unsafe_get_user which > > > may cross the allocation boundary. Should that happen, unsafe_get_user will > > > trigger a page fault, and strncopy_from_user would then bailout to > > > byte_at_a_time behavior. > > > > > > unsafe_get_user is unsafe by nature, and rely on pagefault to detect boundaries. > > > After 9da3f2b74054 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses") > > > it may no longer rely on pagefault as the new page fault handler would > > > trigger a BUG(). > > > > > > This commit allows unsafe_get_user to explicitly trigger pagefaults and > > > handle them directly with the error target label. > > > > Oof. So basically the init code is full of things that just call > > syscalls instead of using VFS functions (which don't actually exist > > for everything), and the VFS syscalls use getname_flags(), which uses > > strncpy_from_user(), which can access out-of-bounds pages on > > architectures that set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, and > > that in summary means that all the init code is potentially prone to > > tripping over this? > > Not all init code. It should be only the initramfs decompression. > > > I don't particularly like this approach to fixing it, but I also don't > > have any better ideas, so I guess unless someone else has a bright > > idea, this patch might have to go in. > > So we know that this happens in the context of decompress() which calls > flush_buffer() for every chunk. flush_buffer() gets the start_address and > the length. We also know that the fault can only happen within: > > start_address <= fault_address < start_address + length + 8; > > So something like the untested workaround below should cover the initramfs > oddity and avoid to weaken the protection for all other cases. The other even simpler solution would be to force these functions into the byte at a time code path during init. Too tired to hack that up now. Thanks, tglx