Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp6329987rwl; Tue, 4 Apr 2023 10:55:42 -0700 (PDT) X-Google-Smtp-Source: AKy350akUKH8ve2oOl6wQKOFXQ2KhJjWw1g3SAO4z/7zgtAW2/5PTZMtanuiTes0hruSqlzPF/Gq X-Received: by 2002:a17:903:690:b0:1a1:b656:2149 with SMTP id ki16-20020a170903069000b001a1b6562149mr3132218plb.50.1680630941763; Tue, 04 Apr 2023 10:55:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680630941; cv=none; d=google.com; s=arc-20160816; b=P7PGtl6fc9XVIE3+u66XpMroBe1vprGcdTpv9RpSAID6/R+BHSYEGgGwJShORjB0dK 3n9+qmeEyuW7wDoUYaAH4HyGKQq0QIqseNjEQX/YX8UyWFiBxCdYWAQ/XbrRvvvMmjwb iMNRr52xMAWX/pM+CdmXCUbZ2tjVLioBsPLuqb4hsmjAPAjwB5Js4/1ydJtosVuYQPTv 49Tl47I6B1sxMqT18ja0snWzB4EDr3zoKETC9ExLnW+lDIZiKv+NjONFs2QrAE+bN9lh ZkXnhKA4s/2kG9tGJaKcP+iYzaYDo19NYr7PxEJM47gaQlsNcDoF9c8lOXFmSavDzyie kl6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=SOWokKNGap3dUyfGa9222mni3luwECvRwJwg1Frewc8=; b=KcW+U/6D0yziDJMGiETV6eHniNEau3PW+RYAmN8GPbw04rrpe0wk2cTWaty/7DQx0H pw0P3lrrYIx8OSF1D4EjDcJ2KBCEjIopkty+7tt6M0dNcJOJ/JWd9c2Uekcs5WoH3hVw sp4JUNaZmiPAIEipcQlUg6xZis9ud7co/Y0VATThgwKZ72aQ7eR3ch5L3JE0yu22hXzf lBpvEZjTc2orxaGmNLz/5P06ZG4Jao7KOGRwE7Po3unpQ6+eUJHStBm3z2QfJ97IXLi2 Ioi6mGqFBz0k1QiIo2vnwKaPDaX4nlfN8zmQdLWfzCMItrWClE+G6Mrr4xgKP+irP7Bx 1vXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x23-20020a631717000000b0050f83aa181esi10661503pgl.698.2023.04.04.10.55.30; Tue, 04 Apr 2023 10:55:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232340AbjDDRfO (ORCPT + 99 others); Tue, 4 Apr 2023 13:35:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47744 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231639AbjDDRfN (ORCPT ); Tue, 4 Apr 2023 13:35:13 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A6BBF5BB3; Tue, 4 Apr 2023 10:34:51 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7810A636D6; Tue, 4 Apr 2023 17:33:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6FF33C433EF; Tue, 4 Apr 2023 17:33:43 +0000 (UTC) Date: Tue, 4 Apr 2023 18:33:40 +0100 From: Catalin Marinas To: Oleg Nesterov Cc: Gregory Price , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, avagin@gmail.com, peterz@infradead.org, luto@kernel.org, krisman@collabora.com, tglx@linutronix.de, corbet@lwn.net, shuah@kernel.org, arnd@arndb.de, Gregory Price Subject: Re: [PATCH v15 2/4] syscall user dispatch: untag selector addresses before access_ok Message-ID: References: <20230330212121.1688-1-gregory.price@memverge.com> <20230330212121.1688-3-gregory.price@memverge.com> <20230404104506.GA24740@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230404104506.GA24740@redhat.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 04, 2023 at 12:45:06PM +0200, Oleg Nesterov wrote: > doesn't this mean that access_ok() on arm64 could use > untagged_addr(addr) unconditionally without any security risk? Yes, from the security perspective, but there are ABI implications. Currently untagged_addr() in access_ok() is conditional on the user process enabling the tagged address ABI (prctl() that sets a TIF flag). The reason we did not enable this by default was a slight fear of breaking the ABI since tagged pointers were not allowed at the syscall boundary. It turned out that the fear was justified since the unconditional untagged_addr() in brk() broke user space (see commit dcde237319e6 "mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()"; the user was doing an sbrk(PY_SSIZE_T_MAX) and bits 56 and higher were ignored by the kernel). I'd be ok with untagging the address unconditionally in the arm64 access_ok() introduce another unaliased_access_ok() (I'm not good at naming functions) that preserves the non-tagged behaviour and we use it in brk/mmap/mremap(). This may actually be a good idea as an additional fix. If an application enables the tagged address ABI we still have the address aliasing issue for brk(). We get away with this since glibc, if MTE is enabled, stops using brk() for heap in favour of mmap(PROT_MTE). But one may use hwasan without full MTE and it would have a similar issue. -- Catalin