Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2547652ybp; Sat, 12 Oct 2019 12:19:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqw+dIFgPJtAahbezNlDjDCI7t0Ba0bGTRRpxUfZzPrgSBCE1KZgLD1hRMpG/EhbSh6Ilq+Y X-Received: by 2002:a17:906:68f:: with SMTP id u15mr20366054ejb.306.1570907964861; Sat, 12 Oct 2019 12:19:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570907964; cv=none; d=google.com; s=arc-20160816; b=u44uYAuu8QlvEaH/ie5FY4rzq6I5B3MQKy8DgGJE6F4QAToFTl1CX8JPgV4mU1f0gw tzSl3TpVl8VVgfIO1YluWzdD68rQ6V1YFOlhhX3+swCcTzy9tJ/FETky++CLYcmZVkG+ OBgqp9/Psx4huAJUyJy7Wi8QpcUduSzSaiPRIIYGwW96J11QyT1Ve+2gFsX1oIF9/rTN Fz6638EesYlqE2tdw5iLylbyZa5Bbi2x/T3VtrGB9MGB3f3k2lJKUUvZaWZoGRyqWfj8 lSkcFyaBuYot2j5Kh3iZyvUdoJsqmD3NBWi981GA0qwZ3hVYumyt3od2tP5LbH3jgeKR da8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=iOxLSyvauwwhumHzgnG9xPoY+bBy9JSBRyXvMmFSrNY=; b=ytqpC+p6of5f0jPen2sQYzugo8yga209DwqiOdrqEmrypDLNuHHOBIWyNbYZdNM8tz 75Uv81PCfFNoUUzcH1hBeaYHJUh4vBbAhmZHrrBb1QOjGGS6k7OcQUMbxnBgiyRfUyno yeMJ6Ye7qcCr+kpEnVUHs9VvK/811IiU3LCbPKg24VRB5KPhRWoOS+n/Rr0tTnDpnAFS 6usipT+2SzqZ2q1T0reXp8osrb/UmMmujM/RcCb35a7mCCI0RzG0MsM40VJPXiEwA16L RuRm72KG3cXDs+RJi2+WJcjKtMlf1Fb6KFvlSRzuovU+Dg4GCkzXqX4Nx++elzOmweOO UG1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="vU+VS9/X"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i18si7851248ejb.145.2019.10.12.12.19.01; Sat, 12 Oct 2019 12:19:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="vU+VS9/X"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729779AbfJLTQk (ORCPT + 99 others); Sat, 12 Oct 2019 15:16:40 -0400 Received: from mail-pl1-f201.google.com ([209.85.214.201]:33112 "EHLO mail-pl1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729708AbfJLTQX (ORCPT ); Sat, 12 Oct 2019 15:16:23 -0400 Received: by mail-pl1-f201.google.com with SMTP id d2so8000625pll.0 for ; Sat, 12 Oct 2019 12:16:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=iOxLSyvauwwhumHzgnG9xPoY+bBy9JSBRyXvMmFSrNY=; b=vU+VS9/Xc5ZZqcPsDEq08NdpvWhOfJ7V11CiZ4nhL2PcL/QGvs8KlCAI5hMoeF6KXe J22BspMsEAuiLiJIPH9KeY/UtlpL5m2+iYdd2QjCwngE1+BYX4B5aB6DBGTGa51xcRRZ p7auEWHT1k/rJ01trWIMLQO1ktUHOm7ANrHV+EA5oZSdYDeUGDY3HHR10CbCtI6QG7oQ FBllhGH81W5jXFSqnF65x0M2rxSJwcQ8Ng0mS9KTEI40+Mi263JknxSzFdEPG2lk53hR pxOLF0KEwfV3qblCcW2h0SnwDGbQdhR13Xq+gSVwFlRPNwOmkP1KRthADORsOvx3xHVR wpmw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=iOxLSyvauwwhumHzgnG9xPoY+bBy9JSBRyXvMmFSrNY=; b=asfCmzSiUWNR7RhzNOr3YOZ/nxmJ/fxAweKheSJEmJoa5xBzyqlnDfuytbREyUT1D2 5J5Jq9mVk4eCcq577J5CUYSZTySx5+JtC9YtC/6+toaKfsd4O/AHpvmFtKyMCn4u0hn9 3kPj4HhjzaZZ1I2pgwhnwgphyyHHLtWPn4hSCx9b/EvACobbN+LnzdhAkOfWAsf59awF 2l73vmyHFtiMPTXbzNB/8X3vd1/fI6sCeZfD3+NbR873ortrSwgylioQ42DqxjLQ4Zs3 clB2/YvatkrzWx77RE9g2eID2dfv/DnC5Xk2d4ruNYMfDdsmpjlwO0yxYAqLoJdL9eGv xIQA== X-Gm-Message-State: APjAAAXbFyTSnnu8rOMqQyIqQQCgPs+uvvAeFFwzvxgDPeYudhKrDibT nOWH1sF4B6yXyvqkYyDxvvzQpxiynUI= X-Received: by 2002:a63:1e1f:: with SMTP id e31mr3212172pge.303.1570907781014; Sat, 12 Oct 2019 12:16:21 -0700 (PDT) Date: Sat, 12 Oct 2019 12:16:00 -0700 In-Reply-To: <20191012191602.45649-1-dancol@google.com> Message-Id: <20191012191602.45649-6-dancol@google.com> Mime-Version: 1.0 References: <20191012191602.45649-1-dancol@google.com> X-Mailer: git-send-email 2.23.0.700.g56cf767bdb-goog Subject: [PATCH 5/7] Let userfaultfd opt out of handling kernel-mode faults From: Daniel Colascione To: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, lokeshgidra@google.com, dancol@google.com, nnk@google.com Cc: nosh@google.com, timmurray@google.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org userfaultfd handles page faults from both user and kernel code. Add a new UFFD_USER_MODE_ONLY flag for userfaultfd(2) that makes the resulting userfaultfd object refuse to handle faults from kernel mode, treating these faults as if SIGBUS were always raised, causing the kernel code to fail with EFAULT. A future patch adds a knob allowing administrators to give some processes the ability to create userfaultfd file objects only if they pass UFFD_USER_MODE_ONLY, reducing the likelihood that these processes will exploit userfaultfd's ability to delay kernel page faults to open timing windows for future exploits. Signed-off-by: Daniel Colascione --- fs/userfaultfd.c | 5 ++++- include/uapi/linux/userfaultfd.h | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 1123089c3d55..986d23b2cd33 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -389,6 +389,9 @@ vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason) if (ctx->features & UFFD_FEATURE_SIGBUS) goto out; + if ((vmf->flags & FAULT_FLAG_USER) == 0 && + ctx->flags & UFFD_USER_MODE_ONLY) + goto out; /* * If it's already released don't get it. This avoids to loop @@ -1959,7 +1962,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) { struct userfaultfd_ctx *ctx; int fd; - static const int uffd_flags = UFFD_SECURE; + static const int uffd_flags = UFFD_SECURE | UFFD_USER_MODE_ONLY; if (!sysctl_unprivileged_userfaultfd && !capable(CAP_SYS_PTRACE)) return -EPERM; diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h index 12d7d40d7f25..eadd1497e7b5 100644 --- a/include/uapi/linux/userfaultfd.h +++ b/include/uapi/linux/userfaultfd.h @@ -239,4 +239,10 @@ struct uffdio_zeropage { * Create a userfaultfd with MAC security checks enabled. */ #define UFFD_SECURE 1 + +/* + * Create a userfaultfd that can handle page faults only in user mode. + */ +#define UFFD_USER_MODE_ONLY 2 + #endif /* _LINUX_USERFAULTFD_H */ -- 2.23.0.700.g56cf767bdb-goog