From: Linus Torvalds
Date: Fri, 22 Feb 2019 09:43:14 -0800
Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault
To: Masami Hiramatsu
Cc: Steven Rostedt, Andy Lutomirski, Linux List Kernel Mailing, Ingo Molnar, Andrew Morton, stable, Changbin Du, Jann Horn, Kees Cook, Andy Lutomirski
In-Reply-To: <20190222173509.88489b7c5d1bf0e2ec2382ee@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 22, 2019 at 12:35 AM Masami Hiramatsu
wrote:
>
> Or, can we do this?
>
> long __probe_user_read(void *dst, const void *src, size_t size)
> {

Add a

        if (!access_ok(src, size))
                ret = -EFAULT;
        else {
                .. do the pagefault_disable() etc ..
        }

to after the "set_fs()", and it looks good to me. Make it clear that
yes, this works _only_ for user reads.

And that makes all the games with "kernel_uaccess_faults_ok"
pointless, so you can just remove them.

(note that the "access_ok()" has to come after we've done "set_fs()",
because it takes the address limit from that).

Also, since normally we'd expect that we already have USER_DS, it
might be worthwhile to do this with a wrapper, something along the
lines of

        mm_segment_t old_fs = get_fs();

        if (segment_eq(old_fs, USER_DS))
                return __normal_probe_user_read();
        set_fs(USER_DS);
        ret = __normal_probe_user_read();
        set_fs(old_fs);
        return ret;

and have that __normal_probe_user_read() just do

        if (!access_ok(src, size))
                return -EFAULT;
        pagefault_disable();
        ret = __copy_from_user_inatomic(dst, ...);
        pagefault_enable();
        return ret ? -EFAULT : 0;

which looks more obvious.

Also, I would suggest that you just make the argument type be "const
void __user *", since the whole point is that this takes a user
pointer, and nothing else.

Then we should still probably fix up "__probe_kernel_read()" to not
allow user accesses. The easiest way to do that is actually likely to
use the "unsafe_get_user()" functions *without* doing a
uaccess_begin(), which will mean that modern CPUs will simply fault
on a kernel access to user space.

The nice thing about that is that usually developers will have access
to exactly those modern boxes, so the people who notice that it
doesn't work are the right people.

Alternatively, we should just make it be architecture-specific, so
that architectures can decide "this address cannot be a kernel
address" and refuse to do it.

               Linus
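The set_fs()/access_ok() ordering and the wrapper sketched in the mail, worked through as an added example that is not code from the thread or from the kernel: it is a constructed userspace model in which mm_segment_t, access_ok(), set_fs(), __copy_from_user_inatomic(), the address limits, USER_BASE and user_page are all assumptions made for illustration. The caller starts out in KERNEL_DS so the wrapper's set_fs(USER_DS) step is exercised.

```c
#include <stddef.h>
#include <string.h>
/* Constructed userspace model of the mail's primitives; values are made up. */
#define EFAULT 14
typedef unsigned long mm_segment_t;
#define USER_DS   0x00007ffffffff000UL   /* TASK_SIZE_MAX-like user limit */
#define KERNEL_DS (~0UL)                 /* no limit: every address passes */
#define segment_eq(a, b) ((a) == (b))
static mm_segment_t addr_limit = KERNEL_DS;   /* caller may be in KERNEL_DS */
static mm_segment_t get_fs(void) { return addr_limit; }
static void set_fs(mm_segment_t fs) { addr_limit = fs; }
/* access_ok() checks the *current* limit; under KERNEL_DS it would accept a
 * kernel address, which is why set_fs(USER_DS) has to run before it. */
static int access_ok(const void *p, size_t size)
{
    unsigned long a = (unsigned long)p, lim = get_fs();
    return size <= lim && a <= lim - size;
}
/* Fake memory map: one mapped user page; any other address faults. */
#define USER_BASE 0x00007f0000001000UL
static char user_page[64] = "hello from userspace";
static long __copy_from_user_inatomic(void *dst, const void *src, size_t n)
{
    unsigned long a = (unsigned long)src;
    if (a < USER_BASE || a + n > USER_BASE + sizeof user_page)
        return (long)n;              /* bytes not copied: page fault */
    memcpy(dst, user_page + (a - USER_BASE), n);
    return 0;
}

/* Inner helper as sketched: check, then copy (pagefault_disable/enable
 * would bracket the copy in the kernel). */
static long __normal_probe_user_read(void *dst, const void *src, size_t size)
{
    if (!access_ok(src, size))
        return -EFAULT;
    return __copy_from_user_inatomic(dst, src, size) ? -EFAULT : 0;
}

/* Wrapper: force USER_DS before access_ok() runs, restore the caller's limit. */
long probe_user_read(void *dst, const void *src, size_t size)
{
    mm_segment_t old_fs = get_fs();
    long ret;
    if (segment_eq(old_fs, USER_DS))
        return __normal_probe_user_read(dst, src, size);
    set_fs(USER_DS);
    ret = __normal_probe_user_read(dst, src, size);
    set_fs(old_fs);
    return ret;
}
```

A kernel-range address is refused by access_ok() once USER_DS is in force, an unmapped user address still fails at the copy, and the caller's original limit is restored either way.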