Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp1131198rwl;
        Fri, 7 Apr 2023 10:21:09 -0700 (PDT)
X-Google-Smtp-Source: AKy350apk2t4q6toNT8JjlQULxq6e7FSj4HIKMKxYhWCWGlKoovA3YhxLTkJVh2m5rldQKqHwUts
X-Received: by 2002:a05:6402:2547:b0:502:50b0:a879 with SMTP id l7-20020a056402254700b0050250b0a879mr8518435edb.5.1680888069032;
        Fri, 07 Apr 2023 10:21:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680888069; cv=none;
        d=google.com; s=arc-20160816;
        b=o3GWq4dE2S//MDkUPxC0Ipj4/EyW0zf9lgHL6LnIaeR4hAREsu0VHfEZ9dHq6g/dfv
         17+4i7B40i5/pCUkP5QbK76lVw+xE+gTlaB4Uu6cgVWAdaR+c1aXSW8FIdqGoa47DLZS
         Y5cPvUFTaFprHRTPkr0bEafIspQjlIlnAHDp6apegk8ud2OvPSK5uVkyFfAi3vwDcw7C
         QedCWmfxqwmpNqR72BazqiNRfZYcMAZhwPW+673FyaN7hMm0QtHSNDc3WNRzvINfS2rN
         9+g8IGNpVZMqWXrOALJLmJpdOOxLbKUQu57T7VXPhiAneJc+cCE+wZ4qrOzFHtcPvT6j
         1i3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=/rMtfFsP4cn7PRc7thWyRT6kVwkZQ9lV5jy6inZiGMQ=;
        b=QmuKOSCZv000brT4ffAQt2IaS60OrO+yjBjRhYV0Iagk8XzUtdQ1eN0tSx+cFqrpdb
         11V9I+8MT4BgIjMgy355SkCTR+zY6QxjcHgwGNjZGTiY3G8wLSfAWwHCMA6r9b3TE3WF
         NvEYiXgQfNtrh7rbCTjwHVUJetcfF7DFsyu5tO0F0pnVwKEkDXYxJUTwDNTpW4qtT8xC
         IcGsJGeKSh5eyImy4vfbnrek0L9F50NoyM57wYrTaTpYA+GDt11oVloNThbmTW3or5a3
         ilFZp979EPL+B5vUhWy3s4RLkUHqfByikMv3X1M5/WKRngAFYBpVYxUzdiYPnmdTP6we
         193w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=oKXezr1Z;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id z7-20020aa7c647000000b004fc78b692c7si3319818edr.571.2023.04.07.10.20.43;
        Fri, 07 Apr 2023 10:21:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20210112 header.b=oKXezr1Z;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229924AbjDGRTH (ORCPT <rfc822;aprilthirty60@gmail.com>
        + 99 others); Fri, 7 Apr 2023 13:19:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53524 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230089AbjDGRS4 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 7 Apr 2023 13:18:56 -0400
Received: from mail-ot1-x342.google.com (mail-ot1-x342.google.com [IPv6:2607:f8b0:4864:20::342])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 589C646BF;
        Fri,  7 Apr 2023 10:18:49 -0700 (PDT)
Received: by mail-ot1-x342.google.com with SMTP id r17-20020a05683002f100b006a131458abfso19775320ote.2;
        Fri, 07 Apr 2023 10:18:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112; t=1680887928; x=1683479928;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=/rMtfFsP4cn7PRc7thWyRT6kVwkZQ9lV5jy6inZiGMQ=;
        b=oKXezr1ZuTmKBFv3swmWuVW5y40pO2HvL0gyj+yk7DSdGd2t+VnK5VF/JG/e04hRuO
         KzYDSpFGPsUMootKeCu/3+xLy1tvnhlwcRfEjUT3bnpLvtX4I67AkEyFnqF2vR/4nzKO
         BNQHboMDs9wwSM4Ok7gojHynr1YBO4KJ3jYiD46owcDQBmuIN/k5bP1JzOReZa7cNSgy
         p9LMq5rE6jk95BWIMhBAUcu8qgx7PPd1GmUrZo7KFhALaElKvMRxKm+G3ZLV4Sp/193w
         ApQsObHY3jBLeRfmjuJLeL6l+EH8xLDAZiRQXSEIBZqI0wNYvx9Ywg3poiLXE5TEhmU9
         3PpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112; t=1680887928; x=1683479928;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=/rMtfFsP4cn7PRc7thWyRT6kVwkZQ9lV5jy6inZiGMQ=;
        b=NuA+3Hv9K6mV+7mKoYhQT5Qj3hYhKgeXjhr1nJWwAt0tMWA87/VnwGKIHBiXnSsO28
         fzo5oar6GKp4MH52A2VV5MBgXDkj82eiSvFV7LYLq7qbZ2qk7oy/FSvVLQMVSfaH+7zH
         L3eeX/nEJ4jtNhtYrwBp6TM5FqzmP61b2QDBxwF+1u2ur1+uUUj1W5+jaX/8xlp6BYxg
         pPIlIyZP+N88ZhUhC3FpHgVTcXEgM0glGsaXkRYNLGeUMm28mmJBqLJFyZJwaThXC+8P
         QLemVJawyP1DLK7N/IsJKZg2nDgqUdGvDCMzCX39IKfJlFFdNsbkx+kb7pzbF50O7nOs
         6Hzg==
X-Gm-Message-State: AAQBX9cnAVFH5/fukWQ4K02R/+4Ok+ylsF9Q7EmVYaDGzWI7xL1O5Wgg
        UoKNd+gO7n/KTARQdFAU4w2pRi4r9d9HVIs=
X-Received: by 2002:a9d:77c3:0:b0:6a3:8c3d:80e7 with SMTP id w3-20020a9d77c3000000b006a38c3d80e7mr1313926otl.6.1680887928559;
        Fri, 07 Apr 2023 10:18:48 -0700 (PDT)
Received: from fedora.mshome.net ([104.184.156.161])
        by smtp.gmail.com with ESMTPSA id l9-20020a9d7349000000b006a2ddc13c46sm1816730otk.78.2023.04.07.10.18.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 07 Apr 2023 10:18:48 -0700 (PDT)
From:   Gregory Price <gourry.memverge@gmail.com>
X-Google-Original-From: Gregory Price <gregory.price@memverge.com>
To:     linux-kernel@vger.kernel.org
Cc:     linux-doc@vger.kernel.org, linux-arch@vger.kernel.org,
        oleg@redhat.com, avagin@gmail.com, peterz@infradead.org,
        luto@kernel.org, krisman@collabora.com, tglx@linutronix.de,
        corbet@lwn.net, shuah@kernel.org, catalin.marinas@arm.com,
        arnd@arndb.de, Gregory Price <gregory.price@memverge.com>
Subject: [PATCH v16 2/4] syscall user dispatch: untag selector addresses before access_ok
Date:   Fri,  7 Apr 2023 13:18:32 -0400
Message-Id: <20230407171834.3558-3-gregory.price@memverge.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230407171834.3558-1-gregory.price@memverge.com>
References: <20230407171834.3558-1-gregory.price@memverge.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This is a preparatory patch for enabling checkpoint/restart of tasks
utilizing syscall user dispatch via ptrace.

To support checkpoint/restart, ptrace must be able to set the selector
of the tracee.  The selector is a user pointer that may be subject to
memory tagging extensions on some architectures (namely ARM MTE).

access_ok will clear memory tags for tagged addresses on tasks where
memory tagging is enabled.  However, to allow ptrace to set a task's
selector when tracer and tracee are not both tagged or untagged,
the selector address must be untagged when calling access_ok.

Since access_ok utilizes current to determine whether or not to untag
an address, an untagged tracer will always fail to restore a tagged
address in a tagged tracee.  This patch will resolve this issue.

The result of this is that a tagged tracer may be capable of setting
an invalid address, which will cause the tracee to SIGSEGV on next
syscall.  This is equivalent to the tracee setting a bad selector
address (such as selector=0x1).  This is preferable to the alternative
of creating a task_access_ok variant, and is consistent with other
operations which change tracee pointers via ptrace.

For more information, see:
https://lore.kernel.org/all/ZCWXE04nLZ4pXEtM@arm.com/

Signed-off-by: Gregory Price <gregory.price@memverge.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
---
 kernel/entry/syscall_user_dispatch.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kernel/entry/syscall_user_dispatch.c b/kernel/entry/syscall_user_dispatch.c
index 22396b234854..424f24350f8b 100644
--- a/kernel/entry/syscall_user_dispatch.c
+++ b/kernel/entry/syscall_user_dispatch.c
@@ -87,7 +87,14 @@ static int task_set_syscall_user_dispatch(struct task_struct *task, unsigned lon
 		if (offset && offset + len <= offset)
 			return -EINVAL;
 
-		if (selector && !access_ok(selector, sizeof(*selector)))
+		/*
+		 * access_ok will clear memory tags for tagged addresses on tasks where
+		 * memory tagging is enabled.  To enable a tracer to set a tracee's
+		 * selector not in the same tagging state, the selector address must be
+		 * untagged for access_ok, otherwise an untagged tracer will always fail
+		 * to set a tagged tracee's selector.
+		 */
+		if (selector && !access_ok(untagged_addr(selector), sizeof(*selector)))
 			return -EFAULT;
 
 		break;
-- 
2.39.1