Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1663506ybb;
        Sun, 29 Mar 2020 10:16:26 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vvutUctvGTObEPKSlxevdHvdaenz0pv3gsUL+/9mdCu3FL3j5snLZKAwz/qOTIU6WkBS4EC
X-Received: by 2002:a05:6830:1bca:: with SMTP id v10mr3568647ota.286.1585502186392;
        Sun, 29 Mar 2020 10:16:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585502186; cv=none;
        d=google.com; s=arc-20160816;
        b=KEjbvunIJ+9wuNfpLWF7picWVAvvBXu1gTiyFuqqvzzZ1OzQozVyp27Dnx9Xf9AUAx
         iwYl1FTK/1d6P7Z6zUnRwj0MCAdG6cZL6S3GJaeIqwT45YhwptQDHLGwbrjyk5BIs1Gb
         H9ytiHq1D45uFhDlmGXZF0iTRFz8AjCcU52wUyu7TlBpGZPZNDdKM6MgaZteLExYiAvv
         Tt6JAnEbKagn1Joa3qxr4sF/ZB1U6aZvW4N+OBXUt8pl2wIaCQQeo9jxnl6JWu8WsCUX
         /dwUNHvDJw1vYOidoKdEBbWlzg2zQdysdk5WO6IT/QNOd7ZJR0ZMsdmZ4xmrKxxkQDJC
         N7qQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=NXS8hN0Ve2GkwCQhpf4okBwifAzH4fzuO6CwUdYBArg=;
        b=N0cKDye9sZkBqRI107hvWCjggWUxSrJKyHj1+cZPh5xnZ4LlQonQMB24pDZfdQEFTC
         n5vOlWWCdYtS7kogzISRerSBkQVm3a87pfxm9p6ceri2sQhKLkcxa2ub+kCPr66c7w+r
         HqXfmqc4tFE/BHfAZiNpHcchywIMa/z0KyYVJrr/l5b/3I0g2dckIBxjgUeLwnJmBiC7
         poo7b3w4Pp2Itsc7zWkj0on9GacvPzQNvuOo0V9KEcM0muPF74skWT/lFHVDmVeseHfl
         TUCe6UGfbH2fHAn9k0y8axxUvwU663d7LN0ZBrYeQJ4/io/sTnRSnsC96gqFaRUsRnEO
         b5Pw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=X4go7Hq+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b197si4851995oii.198.2020.03.29.10.16.12;
        Sun, 29 Mar 2020 10:16:26 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=X4go7Hq+;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728393AbgC2Quu (ORCPT <rfc822;sduhuangshuai@gmail.com>
        + 99 others); Sun, 29 Mar 2020 12:50:50 -0400
Received: from mail-wr1-f67.google.com ([209.85.221.67]:44905 "EHLO
        mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727323AbgC2Quu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 29 Mar 2020 12:50:50 -0400
Received: by mail-wr1-f67.google.com with SMTP id m17so18037711wrw.11
        for <linux-kernel@vger.kernel.org>; Sun, 29 Mar 2020 09:50:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=NXS8hN0Ve2GkwCQhpf4okBwifAzH4fzuO6CwUdYBArg=;
        b=X4go7Hq+6ks2H2G3MTGEZEmH85hX5rDqylpU/Z+5KnTtEs5ARvuAhkIY9mAIq8kUSn
         /s+4JhbXn45KMJ0jJVgUeVFCoMcum6vdSi93QFuFKR8M8JZbc5auEIRR5AoNGCK7bkM5
         aq9uo/QPkOG2Bgux1/HH56qVgdfNXW8WF6RcpNvMGkvqJH4k0foA0tPga/QwyCCWx32S
         RnWZ++MWc2qQlP/PhJg8BD8xsWUZS060qDtWsLe8Q2+u7lERsu7061ykeKiXddLkeCsm
         bnb4nOGtM1Ua61NrENTEGR+lzy/n9yRZ3c+gycGKn9aeeH6ACAPQ/YmW1YxM4C3U2Q3X
         jwZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=NXS8hN0Ve2GkwCQhpf4okBwifAzH4fzuO6CwUdYBArg=;
        b=C2J77m4yiy946aFoBuMJNC3RWDZOXiTaeNTvBj5AB7sw+zw4QNsvNkVvkQxvX3i5zD
         eVfsOCJSRNZe5CHUIk1W9Q2GcqJ1aPj2cKUOnF2OtveKez978XMKxj8piVCEHRVp4e+X
         d+W8IKxNp+e2NwMf05Zc95PBPaqdNiSte7LeyL+gslb8m3dE0Y4H23jbhh7ROCaTWbPc
         yJwTKbb5oubaOCpcVrLw8SBI7jMTGtsN6zvbikivmbxxJYA4hOc1HvaUsko82AghB6Mf
         1X818Vy4sS77JT49jrNhkdfH67rF9AX1JorgVYR9Xr3ODuUzQgosalwY/7T14Ymwy5cj
         W+Rg==
X-Gm-Message-State: ANhLgQ2DCMuoXlB58uEK5EU9Fm33EXgM0lm0+N6mu9ZVc73m0Qm7vokM
        EdeOEXtBp4zuMcXXUMQYVDXOoQRrmgiAR7WjpDqknw==
X-Received: by 2002:adf:f2c7:: with SMTP id d7mr10261609wrp.184.1585500646640;
 Sun, 29 Mar 2020 09:50:46 -0700 (PDT)
MIME-Version: 1.0
References: <20200323183620.GD23230@ZenIV.linux.org.uk> <20200323183819.250124-1-viro@ZenIV.linux.org.uk>
 <20200328104857.GA93574@gmail.com> <20200328115936.GA23230@ZenIV.linux.org.uk>
 <20200329092602.GB93574@gmail.com>
In-Reply-To: <20200329092602.GB93574@gmail.com>
From:   Andy Lutomirski <luto@amacapital.net>
Date:   Sun, 29 Mar 2020 09:50:34 -0700
Message-ID: <CALCETrX=nXN14fqu-yEMGwwN-vdSz=-0C3gcOMucmxrCUpevdA@mail.gmail.com>
Subject: Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()
To:     Ingo Molnar <mingo@kernel.org>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>, X86 ML <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Borislav Petkov <bp@alien8.de>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Mar 29, 2020 at 2:26 AM Ingo Molnar <mingo@kernel.org> wrote:
>
>
> * Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> > > but the __get_user() API doesn't carry the 'unsafe' tag yet.
> > >
> > > Should we add an __unsafe_get_user() alias to it perhaps, and use it
> > > in all code that adds it, like the chunk above? Or rename it to
> > > __unsafe_get_user() outright? No change to the logic, but it would be
> > > more obvious what code has inherited old __get_user() uses and which
> > > code uses __unsafe_get_user() intentionally.
> > >
> > > Even after your series there's 700 uses of __get_user(), so it would
> > > make sense to make a distinction in name at least and tag all unsafe
> > > APIs with an 'unsafe_' prefix.
> >
> > "unsafe" != "lacks access_ok", it's "done under user_access_begin".
>
> Well, I thought the principle was that we'd mark generic APIs that had
> *either* a missing access_ok() check or a missing
> user_access_begin()/end() wrapping marked unsafe_*(), right?
>
> __get_user() has __uaccess_begin()/end() on the inside, but doesn't have
> the access_ok() check, so those calls are 'unsafe' with regard to not
> being safe to untrusted (ptr,size) ranges.
>
> I agree that all of these topics need equal attention:
>
>  - leaking of cleared SMAP state (CLAC), which results in a silent
>    failure.
>
>  - running user accesses without STAC, which results in a crash.
>
>  - not doing an access_ok() check on untrusted (pointer,size) ranges,
>    which results in a silent failure as well.

My incliniation is to just get rid of the __get_user()-style APIs.
There shouldn't be any __get_user() calls that can't be directly
replaced by get_user(), and a single integer comparison is not that
expensive.  On SMAP systems, the speedup of __get_user vs get_user is
negligible.

(It's possible that some arch code somewhere uses __get_user as a way
to say "access user or kernel memory -- I know what I'm doing".  This
is crap if it exists.  It better not happen in generic code because of
sane architectures like s390x.)