Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp5173942imb; Thu, 7 Mar 2019 09:17:57 -0800 (PST) X-Google-Smtp-Source: APXvYqxVpztvJ9Ga+0t4/fyB+nUIDwWBAHQhpKZ/XtetlpBUCmeqeM5PrWAo8P/chNC2/apmD4/J X-Received: by 2002:a17:902:25ab:: with SMTP id y40mr13783448pla.62.1551979077091; Thu, 07 Mar 2019 09:17:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551979077; cv=none; d=google.com; s=arc-20160816; b=ft+v1sxszdogwZ+FySXVV0CWW+x5XV2qzolY8N168Tf6FRFd7gF43t3GHO5TDkTTs7 vS95U+PYxcuLHOySSVDvBtvvQIUqjnnBeyTQRgVPEXYbeQa0ViacYfYilxaGcnoFOyhg CBJwlvdoI0NWHEC+dUld1LOw8MMRKaQQs6WbaJwwFewKv2uGqgJqWALzHPfJhdQB+efM Yjpq1sR6e7whXoCeapSC/a4QyWrSBzK911WTFRlKTlsE3kQozyinblDWoP81bIl9q9iF GYX10l/ae3Bhdbyf4YbEOuUsEZaOXrEI87IPMWgEoXFUQV1POjL//1iaUsGgt9ERfNqF aL7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:from:cc:to:subject :content-transfer-encoding:mime-version:references:in-reply-to :user-agent:date; bh=yd+d7d1osoVU8/lX2GeUiri7ZowJ2ZoMa4cj8fSNCJs=; b=qNcFByKCtsn3/dPTCcPTlmiFgLEWmkul1kRrVPMuVCrUhuLLcRN4k+TwqEf4WO0XZa B+Bxpmd6+B8Euur2UCSHO/+3l1kFDvNvZaWdMfU81njwHjiQzw7Pj1DbMF6jTKHjGm5k icLiWqCJeSaabYyUw6NRhaQ6dwLOBjV6vTXZG4qXO1oR+92lPeDKjhqgpgMZO1N8gPjc 3zwcG30gX2z2E2HnwzmczYOEX6qNuKuL62/kI8AT6dSuKE64aPpl66xcZAWBpedbxF9m wyW3Fjp2yw/WudJFaBd4FZsQS+OBiJhcseY6mRVsV6z8gS9tCf9Yua1rEPl619acI7T3 eeHw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o33si4740778pld.46.2019.03.07.09.17.41; Thu, 07 Mar 2019 09:17:57 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726508AbfCGRPm convert rfc822-to-8bit (ORCPT + 99 others); Thu, 7 Mar 2019 12:15:42 -0500 Received: from terminus.zytor.com ([198.137.202.136]:52751 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726172AbfCGRPl (ORCPT ); Thu, 7 Mar 2019 12:15:41 -0500 Received: from [172.19.131.165] ([8.46.77.96]) (authenticated bits=0) by mail.zytor.com (8.15.2/8.15.2) with ESMTPSA id x27HErM42268389 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 7 Mar 2019 09:14:57 -0800 Date: Thu, 07 Mar 2019 09:14:45 -0800 User-Agent: K-9 Mail for Android In-Reply-To: <20190307114511.870090179@infradead.org> References: <20190307114511.870090179@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Subject: Re: [PATCH 00/20] objtool: UACCESS validation v3 To: Peter Zijlstra , torvalds@linux-foundation.org, tglx@linutronix.de, julien.thierry@arm.com, will.deacon@arm.com, luto@amacapital.net, mingo@kernel.org, catalin.marinas@arm.com, james.morse@arm.com, valentin.schneider@arm.com, brgerst@gmail.com, jpoimboe@redhat.com, luto@kernel.org, bp@alien8.de, dvlasenk@redhat.com CC: linux-kernel@vger.kernel.org, peterz@infradead.org, dvyukov@google.com, rostedt@goodmis.org From: hpa@zytor.com Message-ID: <1321FA0E-51AA-4A4E-9249-8A745F510F93@zytor.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On March 7, 2019 3:45:11 AM PST, Peter Zijlstra wrote: >Teach objtool to validate the UACCESS (SMAP, PAN) rules with are >currently >unenforced and (therefore obviously) violated. > >UACCESS sections should be small; we want to limit the amount of code >that can >touch userspace. Furthermore, UACCESS state isn't scheduled, this means >that >anything that directly calls into the scheduler will result in random >code >running with UACCESS enabled and possibly getting back into the UACCESS >region >with UACCESS disabled and causing faults. > >Forbid any CALL/RET while UACCESS is enabled; but provide a few >exceptions. > >This builds x86_64-allmodconfig clean, and I've only got a few >randconfig >failures left (GCC-8) that I'm not quite understanding. > >--- > arch/x86/ia32/ia32_signal.c | 29 ++- > arch/x86/include/asm/asm.h | 24 -- > arch/x86/include/asm/nospec-branch.h | 4 +- > arch/x86/include/asm/smap.h | 20 ++ > arch/x86/include/asm/uaccess.h | 5 +- > arch/x86/include/asm/uaccess_64.h | 3 - > arch/x86/include/asm/xen/hypercall.h | 26 +- > arch/x86/kernel/signal.c | 2 +- > arch/x86/lib/copy_user_64.S | 48 ++++ > arch/x86/lib/memcpy_64.S | 3 +- > arch/x86/lib/usercopy_64.c | 20 -- > drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- > include/linux/uaccess.h | 2 + > kernel/trace/trace_branch.c | 4 + > lib/Makefile | 1 + > lib/ubsan.c | 4 + > mm/kasan/Makefile | 3 + > mm/kasan/common.c | 10 + > mm/kasan/report.c | 3 +- > scripts/Makefile.build | 3 + > tools/objtool/Makefile | 2 +- > tools/objtool/arch.h | 8 +- > tools/objtool/arch/x86/decode.c | 26 +- > tools/objtool/builtin-check.c | 4 +- > tools/objtool/builtin.h | 2 +- >tools/objtool/check.c | 382 >++++++++++++++++++++++------- > tools/objtool/check.h | 4 +- > tools/objtool/elf.c | 15 +- > tools/objtool/elf.h | 3 +- > tools/objtool/special.c | 10 +- > tools/objtool/warn.h | 8 + > 31 files changed, 511 insertions(+), 173 deletions(-) > > > This is phenomenal. Thank you so much for digging into this. I'm hoping this will greatly reduce the risk of future leakage. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.