Received: by 2002:ac8:156:0:b0:3e0:cd10:60c8 with SMTP id f22csp194934qtg; Wed, 5 Apr 2023 03:59:16 -0700 (PDT) X-Google-Smtp-Source: AKy350bPLFQh9QxL6ITGA5OFWUgmryZ2V4+6fIPXcoXPKKwyztEuGl0wf3AIVrXgHnCEUNUmxTzo X-Received: by 2002:aa7:c854:0:b0:4ac:bbaa:867a with SMTP id g20-20020aa7c854000000b004acbbaa867amr1353911edt.24.1680692356590; Wed, 05 Apr 2023 03:59:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680692356; cv=none; d=google.com; s=arc-20160816; b=woeTQUfZKt9l6irDGQOnHGvfli2cpJg9L17dtQ9neWIbsvKAVgfVRmu3jbaQDRMi9o 6+8hdaINnqLej2Tdt3Iicv1gaRZhd/I3UuBF7u2lGF6WmRtX8ieBKbsUqWzZsD76+UAD Boq79ATzjhKSyH125RSEd2Y5qSEbygBPwL2PHVZiZ/4sM075hK0I10Cam85qiPWuIWCU n9rj3V7HByUH3e/eQWTEz7vnzxVVAij8HWwF6fdFeWAWyR0JXVRF4oHyWTe8w0XuReEU dCpm2qohhpXmK+jDLeSYmevTdjGPaJoQyJsAb8uzZslG8Lt1Pnd/fHa6X96f3FrcKpNU ljnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=bBBU07eR46BQwsp04rxoIACQb47OPDC41aJfhGLdg/I=; b=wVY4wwTjzOlepC/v7H6nM7ErS29smiVU0Fu7OtiJK8azWx1ou4UpCiTynRZ5PbtJ5t pBmBWQbjqV/GXFH2S9HbNUDLbYZ7YN2EaXV8pHCGs227cf2U6GrvVH1W8I80W/t2K8yd 6r9RxocR7hVB8pDfI+GYlidDXp0pdx0yhZGn2u9DFXJzrjkHGnNelC52Kp7BlDfIN9dj t/xaknt+uLt4a7EzpgQVv4ZDYAvhOSjtE57DH8cvR+rJ5RL7nOpZ3QHFv8LeE7vPp3bH 6JMpjRhnZPZqNaIJvn1JuKNDTCSkLwEg+q1Px9PP3CLpOc3uUwc9bXU8x1VxBNJZpPz8 XOYQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v17-20020aa7cd51000000b00501d70c10bbsi9425087edw.72.2023.04.05.03.58.52; Wed, 05 Apr 2023 03:59:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237595AbjDEK52 (ORCPT + 99 others); Wed, 5 Apr 2023 06:57:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38870 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230313AbjDEK51 (ORCPT ); Wed, 5 Apr 2023 06:57:27 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C863293; Wed, 5 Apr 2023 03:57:26 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 660BF636F1; Wed, 5 Apr 2023 10:57:26 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3690BC433EF; Wed, 5 Apr 2023 10:57:23 +0000 (UTC) Date: Wed, 5 Apr 2023 11:57:20 +0100 From: Catalin Marinas To: Oleg Nesterov Cc: Gregory Price , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, avagin@gmail.com, peterz@infradead.org, luto@kernel.org, krisman@collabora.com, tglx@linutronix.de, corbet@lwn.net, shuah@kernel.org, arnd@arndb.de, Gregory Price Subject: Re: [PATCH v15 2/4] syscall user dispatch: untag selector addresses before access_ok Message-ID: References: <20230330212121.1688-1-gregory.price@memverge.com> <20230330212121.1688-3-gregory.price@memverge.com> <20230404104506.GA24740@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-4.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 04, 2023 at 06:33:40PM +0100, Catalin Marinas wrote: > On Tue, Apr 04, 2023 at 12:45:06PM +0200, Oleg Nesterov wrote: > > doesn't this mean that access_ok() on arm64 could use > > untagged_addr(addr) unconditionally without any security risk? > > Yes, from the security perspective, but there are ABI implications. > > Currently untagged_addr() in access_ok() is conditional on the user > process enabling the tagged address ABI (prctl() that sets a TIF flag). > The reason we did not enable this by default was a slight fear of > breaking the ABI since tagged pointers were not allowed at the syscall > boundary. It turned out that the fear was justified since the > unconditional untagged_addr() in brk() broke user space (see commit > dcde237319e6 "mm: Avoid creating virtual address aliases in > brk()/mmap()/mremap()"; the user was doing an sbrk(PY_SSIZE_T_MAX) and > bits 56 and higher were ignored by the kernel). > > I'd be ok with untagging the address unconditionally in the arm64 > access_ok() introduce another unaliased_access_ok() (I'm not good at > naming functions) that preserves the non-tagged behaviour and we use it > in brk/mmap/mremap(). Actually, I'm wrong here. There's no access_ok() check on the brk() path. The unconditional untagged_addr() prior to dcde237319e6 messed up the comparison between the old and new brk limit and shrank the heap space for a process. So, relaxing access_ok() to always do the untagging should not affect the brk/mmap/mremap() cases. -- Catalin