Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6FF7CC636D4 for ; Wed, 1 Feb 2023 09:54:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232143AbjBAJyB (ORCPT ); Wed, 1 Feb 2023 04:54:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37276 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230502AbjBAJx7 (ORCPT ); Wed, 1 Feb 2023 04:53:59 -0500 Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6ED234A211 for ; Wed, 1 Feb 2023 01:53:58 -0800 (PST) Received: by mail-lj1-x232.google.com with SMTP id h17so18789894ljq.4 for ; Wed, 01 Feb 2023 01:53:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hXBLBJgX4EaRecabGDlsbhKYn/5vHTxOlvqGwGoHBPg=; b=kGuhkOUGRiUBb82xnq/SP0PH18a2BT8S1d4JOz6WZAZJ1pjUkuD2ixPSt46h0gUfdn J3o7C+wF049nP5XsvuPSv8RTjjoa+/1JV25eSAFAAv2IOBY89cp3vnPTRwYpWB2pc5H6 amZqseA7VDjMshiL4mh2kEhmuLUFXriQM27ALI2dFc8fl17ujHHsZznv3QFMa4A7hrgi XUJIrFiCgPSrYWwCLPGPLNvO0v5FGURdM1IFSgnm93n1+YkLwpLK3thl+ZyURoKwx/zO ocsJuUvX9Dq8NAHuAgOXho0n+QyU73sM+n8n5iF30fuV/k+QzbmwhlTNOMaOXeEE4xlr hIgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hXBLBJgX4EaRecabGDlsbhKYn/5vHTxOlvqGwGoHBPg=; b=iQjYjS/GBcZL580iWbzc5cgfEqhnM06nWqMACrk+77iUSXyxt+5AdYCQrIGcwX4oRB 3wI3WwprQSoYKuN2+z6Ib4iVNlXGSjXDt+R52+EO7VAFItkORx85F68Amwpgqhez1FDK GAfHlRaO0ly1vXICDFdaAwQxSWJTSxageE67unttmemp/m/xFXB9WfVUrCLR3LcqMh0G mHum4smJHCH7oZ8ZKShZoXi5H5M9QroEtXd2To3OAngvggFs8VVc7k3+7kqLbRgUJa2A j+qeXi4jWt3bKYeoQuN6WHpKwmdvSGOindvpQUCHQKKYuyTGMKkSlvwI+btisBElt6iK PYNw== X-Gm-Message-State: AO0yUKWs1M+WXVuNW3wGQFAoMqXSch25hOODrZ37cJ5U90RqS3OjocJl SuYzeElhR4jFfHucXFm+8BXreqNlIbO800NmfiFh/g== X-Google-Smtp-Source: AK7set/SnkQ6D+DOsTEIwKu7gH1tVuc4Aop2ZxyXy/5CnDm05inFo7TpmqVd2reBirxiOQVXt78QUDARAskOvz3HHq0= X-Received: by 2002:a05:651c:231b:b0:290:7402:78a1 with SMTP id bi27-20020a05651c231b00b00290740278a1mr233501ljb.183.1675245236576; Wed, 01 Feb 2023 01:53:56 -0800 (PST) MIME-Version: 1.0 References: <20230127162409.2505312-1-elver@google.com> In-Reply-To: From: Dmitry Vyukov Date: Wed, 1 Feb 2023 10:53:44 +0100 Message-ID: Subject: Re: [PATCH v2] perf: Allow restricted kernel breakpoints on user addresses To: Marco Elver Cc: Mark Rutland , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Alexander Shishkin , Jiri Olsa , Namhyung Kim , linux-perf-users@vger.kernel.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Jann Horn , Thomas Gleixner , Andrey Konovalov Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 1 Feb 2023 at 10:34, Marco Elver wrote: > > On Mon, 30 Jan 2023 at 11:46, Mark Rutland wrote: > [...] > > > This again feels like a deficiency with access_ok(). Is there a better > > > primitive than access_ok(), or can we have something that gives us the > > > guarantee that whatever it says is "ok" is a userspace address? > > > > I don't think so, since this is contextual and temporal -- a helper can't give > > a single correct answert in all cases because it could change. > > That's fair, but unfortunate. Just curious: would > copy_from_user_nofault() reliably fail if it tries to access one of > those mappings but where access_ok() said "ok"? I also wonder if these special mappings are ever accessible in a user task context? If yes, can a racing process_vm_readv/writev mess with these special mappings? We could use copy_from_user() to probe that the watchpoint address is legit. But I think the memory can be potentially PROT_NONE but still legit, so copy_from_user() won't work for these corner cases. > Though that would probably restrict us to only creating watchpoints > for addresses that are actually mapped in the task. > > > In the cases we switch to another mapping, we could try to ensure that we > > enable/disable potentially unsafe watchpoints/breakpoints. > > That seems it'd be too hard to reason that it's 100% safe, everywhere, > on every arch. I'm still convinced we can prohibit creation of such > watchpoints in the first place, but need something other than > access_ok(). > > > Taking a look at arm64, our idmap code might actually be ok, since we usually > > mask all the DAIF bits (and the 'D' or 'Debug' bit masks HW > > breakpoints/watchpoints). For EFI we largely switch to another thread (but not > > always), so that would need some auditing. > > > > So if this only needs to work in per-task mode rather than system-wide mode, I > > reckon we can have some save/restore logic around those special cases where we > > transiently install a mapping, which would protect us. > > It should only work in per-task mode. > > > For the threads that run with special mappings in the low half, I'm not sure > > what to do. If we've ruled out system-wide monitoring I believe those would be > > protected from unprivileged users. > > Can the task actually access those special mappings, or is it only > accessible by the kernel? > > Thanks, > -- Marco