Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp895634ybk; Wed, 13 May 2020 16:22:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw1qkOF0McNhB7H6odEH9oedz9gkyDf3plL7xfNzmwu5Md2Y9gpQ9JkwCF2jKyprBKfs6lp X-Received: by 2002:aa7:c401:: with SMTP id j1mr1725844edq.31.1589412158551; Wed, 13 May 2020 16:22:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589412158; cv=none; d=google.com; s=arc-20160816; b=CQp7iWjeTQqwux3JLQVz2Pdt3rOVLttwKc3D6VwXKuDu0K/KcDu2dq6ond7q3+vz8X SpF/mqYCaL6P85dTw95XoaFtqTGp2uni5Go5tbSBuHEPRoU5+RAUU65yDQTv9BvsGvqy 7Loz0iadec6CXUdLneuIXeGGK+YINhF/K1K90LusmF4SIaQP9OtDECSjCTRDKyn72EsW Tq/WlggLKqeEJ2+pFGD7jm1rT/hx8Q03mxan+rAdmdVkkoezBjl3cYIO6++XRJljCBrT Mh16eFa5Jtq41dxAks0SNJa4VfOHv1X0BubA/rtgSq9SADL/0Lp6m3Rm0shxpA6R3g92 7JsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=phWq6l4aTvr/C2K/X4+k/YrVnCjrPXRTWTh12+oYaOk=; b=H6D9JFxwduP3/27iF2HH1DRVEpoYyj5WeNtDznPeLEXPUmZC36kKxTRX7zWQ7gLMW/ aFGFvQHA7rHGXRoHwoglf9609ob9nTeulzOt363xmpLlct7tEcqljFOOdwSDBOM7fkhr 5CP57PGWccO/xM1ad/zSvGVvKlRA/joHR7jdM5VNitHHPa9gXqbG6AVxlUyGWVAmOJLc O5AI4tmBwBRYjXEe1EimwUJWZhLOYA/p23taovorjdcBGM+6Axx1EQ1gmMZmTcgSrRQG 7hO9towI4zcH7C4/C+ifFcLW6NPm7iMSGij1Wy5d6l93NrYk4oZR+sIuNfdQW0P+b44g Pjqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=cD3d6Z8O; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v14si695396edy.341.2020.05.13.16.22.14; Wed, 13 May 2020 16:22:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=cD3d6Z8O; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732560AbgEMXUk (ORCPT + 99 others); Wed, 13 May 2020 19:20:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1732515AbgEMXUk (ORCPT ); Wed, 13 May 2020 19:20:40 -0400 Received: from mail-lf1-x141.google.com (mail-lf1-x141.google.com [IPv6:2a00:1450:4864:20::141]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 574DDC061A0C for ; Wed, 13 May 2020 16:20:38 -0700 (PDT) Received: by mail-lf1-x141.google.com with SMTP id c21so989185lfb.3 for ; Wed, 13 May 2020 16:20:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=phWq6l4aTvr/C2K/X4+k/YrVnCjrPXRTWTh12+oYaOk=; b=cD3d6Z8Oy8/Dx9WXsRuTcoa6/5Rh9rx4ZXh8joWvH4poHn6SlmiaIW98FjAPsN6Nbh x66jaomRN8ZljFVlOmAhCKb3qMEmAXGGOLhPnCxRlO2Vc19b0KxaWqaBnUOu9g5IgaPv XmTXcJb6msXzq5HV1afcp377hyESwqrNggFac= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=phWq6l4aTvr/C2K/X4+k/YrVnCjrPXRTWTh12+oYaOk=; b=m6DU1DtmBwZYA4YvwDq9nGUTekJ7PEK5yTbceLPE16hBInlgCAjkbrEaNwLXOZF4kD rVmpIskAFewua7E9l6vdlGoVPWHFf8KFfH/t1zwcXw8J7IEClZ/IErhk+njfs9r6zpD8 h2oA5lQNMcAOqe2SA1T9BUTgu3k6XUBcTuobKtOBJ9ClcKwH4oQbrrhpf/MboIJnmwXA kcH7nFI1bp7ttmdskGROlVPjJm8bGWum+jXHwuGQWGtMuawOMNTR7tfGSe2sZ4xfDuCS sEF5R6qHHZ4C+54CrqypK8DyvrduE6GhvP7z8g8CJdu8oO51yrYU3+eZdDpIMZNPm4FF FgTQ== X-Gm-Message-State: AOAM531xvBME4DUv0YJZBUPvyjsoig++5ZjUBBHBpobQBdw95WPFFP1Z Czgq+WnDk7pioizMQ9CdSjKFRxjZNpk= X-Received: by 2002:a19:70d:: with SMTP id 13mr10853lfh.60.1589412035308; Wed, 13 May 2020 16:20:35 -0700 (PDT) Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com. [209.85.167.44]) by smtp.gmail.com with ESMTPSA id l26sm447901ljc.49.2020.05.13.16.20.33 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 May 2020 16:20:34 -0700 (PDT) Received: by mail-lf1-f44.google.com with SMTP id c21so989107lfb.3 for ; Wed, 13 May 2020 16:20:33 -0700 (PDT) X-Received: by 2002:a19:ed07:: with SMTP id y7mr1180765lfy.31.1589412033540; Wed, 13 May 2020 16:20:33 -0700 (PDT) MIME-Version: 1.0 References: <20200513160038.2482415-1-hch@lst.de> <10c58b09-5ece-e49f-a7c8-2aa6dfd22fb4@iogearbox.net> In-Reply-To: <10c58b09-5ece-e49f-a7c8-2aa6dfd22fb4@iogearbox.net> From: Linus Torvalds Date: Wed, 13 May 2020 16:20:17 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: clean up and streamline probe_kernel_* and friends v2 To: Daniel Borkmann Cc: Christoph Hellwig , "the arch/x86 maintainers" , Alexei Starovoitov , Masami Hiramatsu , Andrew Morton , linux-parisc@vger.kernel.org, linux-um , Netdev , bpf@vger.kernel.org, Linux-MM , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 13, 2020 at 4:04 PM Daniel Borkmann wrote: > > Aside from comments on list, the series looks reasonable to me. For BPF > the bpf_probe_read() helper would be slightly penalized for probing user > memory given we now test on copy_from_kernel_nofault() first and if that > fails only then fall back to copy_from_user_nofault(), Again, no. If you can't tell that one or the other is always the right thing, then that function is simply buggy and wrong. On sparc and on s390, address X can be _both_ a kernel address and a user address. You need to specify which it is (by using the proper function). The whole "try one first, then the other" doesn't work. They may both "work", and by virtue of that, unless you can state "yes, we always want user space" or "yes, we always want kernel", that "try one or the other" isn't valid. And it can be a real security issue. If a user program can be made to read kernel memory when BPF validated things as a user pointer, it's an obvious security issue. But it can be a security issue the other way around too: if the BPF code expects to get a kernel string, but user space can fool it into reading a user string instead by mapping something of its own into the user space address that aliases the kernel space address, then you can presumably fool the BPF program to do bad things too (eg mess up any BPF packet switching routines?). So BPF really really really needs to specify which one it is. Not specifying it and saying "whichever" is a bug, and a security issue. Linus