Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp790505rdb; Mon, 29 Jan 2024 20:19:15 -0800 (PST) X-Google-Smtp-Source: AGHT+IEqGd3Ujt514WaPl/3sVoCSmvXF2ioBpVcGWeu7irGQoJvD1MqUgWL4fYLw5AQ8iDZ547ox X-Received: by 2002:a05:6402:5213:b0:55f:3d12:eb3c with SMTP id s19-20020a056402521300b0055f3d12eb3cmr495286edd.14.1706588355120; Mon, 29 Jan 2024 20:19:15 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706588355; cv=pass; d=google.com; s=arc-20160816; b=FVPJ/r9NBoM30qoFyobziHcWOeybXxsLYXuW4Q71vBaEDoJ7J9ZdizFRrhDYIDt3l7 FDRhbBlayWAfN3E9aH3SMwJy8tTnhPE1D+FhdBGMN3KykdnTQpypK/1c0y3LsyEHbSiv JqHEI9EpPZZuIs51Amt+eEN+EECYqSUR/D2XejNmvwnSD5Oni4PxlGPib5xNKRGxb7D8 +BYfWUiQjyhOrPHBh3jYbE4c9q8430u4tFzASODabbbPjspKyFMftwSBE79C8tAa/cwH aefdI/JOOwDZLZkIWeHQDh3OzPmxt06Go4qrdcHq5jH9N4JJkxR9VrNNY/rgKs8XJcIX rTLA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-language:content-transfer-encoding:in-reply-to:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:user-agent:date :message-id:from:references:cc:to:subject; bh=GpMtELR9gkkay7QEdLZvQo8Me652ybNy4aSVp4xvTwg=; fh=BAC+8eTRRuUL5nLf93FZFyVEgPjKO1uo3z0OxfVBZEY=; b=sZJu3aut+kQGvuGVK1NmFWRi3PsQNo/yzHali4/tn0xCH1LwsUdrnFsbvXTrJ4eIbE N1EWuqWSK8GZBB6MmDApijRz3drsVIZNXikGFCB4DL0Z9GhSd20iwbFPSnMqr65kvjeF s5Pr3aIcBZZv8/5VGgz5OWVxP/WHoSv5HNa5UJHoYkK/QeHSKfvYhpYzyEZ8wXMaBOY9 LhcMjN7pqH9dUQkBzXRWGYT+hgkr5QBuzO9PEhpnZx65YBDmhzthXg9ZPlTaW1aW3i5b GnTdpYTBpePeNxaYIWQc6KU8d2R8PhHinTwmcmgBeReHcPeeI8zKEP26I9OnHn8PyXlb 5+dQ== ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-43929-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-43929-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id n22-20020a05640205d600b0055f401e37b3si241726edx.505.2024.01.29.20.19.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jan 2024 20:19:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-43929-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-43929-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-43929-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 7B3D81F270D5 for ; Tue, 30 Jan 2024 04:19:14 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6DA323771E; Tue, 30 Jan 2024 04:19:03 +0000 (UTC) Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BBBBA374C9; Tue, 30 Jan 2024 04:19:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706588342; cv=none; b=VJYqkUkuJZX/s4Nx0+V3KlRsX7tGlMh+6BN1awUFahINJ6T+hOm/5Y77LjapG8Nqm9ffU0+SOS1t1UH72XiLRyLvbpSuBWDim3Sxow865u/I9WfYi8XlrFMY5bbIgALj/7Nq+KRafM7gKVy6slBBM+eQwZkfTF884tW4ew20WPk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706588342; c=relaxed/simple; bh=h6snNFdka27Mpzx+nJnLZ5KYtjZX57yK9AQSgiGflu4=; h=Subject:To:Cc:References:From:Message-ID:Date:MIME-Version: In-Reply-To:Content-Type; b=HkAwhXURzI6rbr193HSUEwPIH2tW6oHrwrQbla3EAZHWfI2A5ztjpcFdLuMuuEQ54RQmwxYpxB1DcQA+p2e53xXyMfdwSjZkGQl7i8S1DAbKKXkoEv+ycZOtzFjJ5xZlHNXclje6Mm4lGOjHv439Ta2nunAw70AcLjYuyXIE+d0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.163.216]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4TPBkM1VJBz4f3m7Z; Tue, 30 Jan 2024 12:18:51 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.112]) by mail.maildlp.com (Postfix) with ESMTP id A7CFE1A0199; Tue, 30 Jan 2024 12:18:57 +0800 (CST) Received: from [10.174.176.117] (unknown [10.174.176.117]) by APP1 (Coremail) with SMTP id cCh0CgBXdA2reLhluSSoCQ--.26777S2; Tue, 30 Jan 2024 12:18:54 +0800 (CST) Subject: Re: [PATCH bpf v2 2/3] x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() To: Sohil Mehta , x86@kernel.org, bpf@vger.kernel.org Cc: Dave Hansen , Andy Lutomirski , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H . Peter Anvin" , linux-kernel@vger.kernel.org, xingwei lee , Jann Horn , Yonghong Song , houtao1@huawei.com References: <20240126115423.3943360-1-houtao@huaweicloud.com> <20240126115423.3943360-3-houtao@huaweicloud.com> <51d92a32-3d0b-41c5-96ad-0739c6f80256@intel.com> From: Hou Tao Message-ID: <930bbcfe-6697-e8e8-5198-8d9d57beb6b2@huaweicloud.com> Date: Tue, 30 Jan 2024 12:18:51 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 In-Reply-To: <51d92a32-3d0b-41c5-96ad-0739c6f80256@intel.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US X-CM-TRANSID:cCh0CgBXdA2reLhluSSoCQ--.26777S2 X-Coremail-Antispam: 1UD129KBjvJXoWxKF18tF1UWry8tr4rXw48Crg_yoW7Xryfpa 98Ca17KF4jkr18AanrX34v9ayrJa4ktF45WryvyFWrZ39IgFnIyrWDuas3XrZrtFnrKw4x Xr43Aryqvw1DJaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvIb4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr1j6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x 0267AKxVW0oVCq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG 6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV Cjc4AY6r1j6r4UM4x0Y48IcVAKI48JM4IIrI8v6xkF7I0E8cxan2IY04v7Mxk0xIA0c2IE e2xFo4CEbIxvr21l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxV Aqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q 6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6x kF7I0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvEx4A2jsIE 14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf 9x07UWE__UUUUU= X-CM-SenderInfo: xkrx3t3r6k3tpzhluzxrxghudrp/ Hi, On 1/30/2024 7:50 AM, Sohil Mehta wrote: > Hi Hou Tao, > > I agree to your approach in this patch. Please see some comments below. > > On 1/26/2024 3:54 AM, Hou Tao wrote: >> From: Hou Tao >> >> When trying to use copy_from_kernel_nofault() to read vsyscall page >> through a bpf program, the following oops was reported: [SNIP] >> It seems the occurrence of oops depends on SMAP feature of CPU. It >> happens as follow: a bpf program uses bpf_probe_read_kernel() to read >> from vsyscall page, bpf_probe_read_kernel() invokes >> copy_from_kernel_nofault() in turn and then invokes __get_user_asm(). >> Because the vsyscall page address is not readable for kernel space, >> a page fault exception is triggered accordingly, handle_page_fault() >> considers the vsyscall page address as a userspace address instead of a >> kernel space address, so the fix-up set-up by bpf isn't applied. Because >> the CPU has SMAP feature and the access happens in kernel mode, so >> page_fault_oops() is invoked and an oops happens. If these is no SMAP >> feature, the fix-up set-up by bpf will be applied and >> copy_from_kernel_nofault() will return -EFAULT instead. >> > I find this paragraph to be a bit hard to follow. I think we can > minimize the reference to SMAP here since it is only helping detect > cross address space accesses. How about something like the following: > > The oops is triggered when: > > 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall > page and invokes copy_from_kernel_nofault() which in turn calls > __get_user_asm(). > > 2) Because the vsyscall page address is not readable from kernel space, > a page fault exception is triggered accordingly. > > 3) handle_page_fault() considers the vsyscall page address as a user > space address instead of a kernel space address. This results in the > fix-up setup by bpf not being applied and a page_fault_oops() is invoked > due to SMAP. Thanks for the rephrasing. It is much better now. >> Considering handle_page_fault() has already considered the vsyscall page >> address as a userspace address, fix the problem by disallowing vsyscall >> page read for copy_from_kernel_nofault(). >> > I agree, following the same approach as handle_page_fault() seems > reasonable. > >> Originally-by: Thomas Gleixner >> Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com >> Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com >> Reported-by: xingwei lee >> Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com >> Signed-off-by: Hou Tao >> --- >> arch/x86/mm/maccess.c | 9 +++++++++ >> 1 file changed, 9 insertions(+) >> >> diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c >> index 6993f026adec9..d9272e1db5224 100644 >> --- a/arch/x86/mm/maccess.c >> +++ b/arch/x86/mm/maccess.c >> @@ -3,6 +3,8 @@ >> #include >> #include >> >> +#include >> + >> #ifdef CONFIG_X86_64 >> bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) >> { >> @@ -15,6 +17,13 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) >> if (vaddr < TASK_SIZE_MAX + PAGE_SIZE) >> return false; >> >> + /* Also consider the vsyscall page as userspace address. Otherwise, >> + * reading the vsyscall page in copy_from_kernel_nofault() may >> + * trigger an oops due to an unhandled page fault. >> + */ > x86 prefers a slightly different style for multi-line comments. Please > refer to https://docs.kernel.org/process/maintainer-tip.html#comment-style. I see. Will update. > > How about rewording the above as: > > /* > * Reading from the vsyscall page may cause an unhandled fault in > * certain cases. Though it is at an address above TASK_SIZE_MAX, it is > * usually considered as a user space address. > */ Thanks for the rewording. Will do in v3. > >> + if (is_vsyscall_vaddr(vaddr)) >> + return false; >> + > It would have been convenient if we had a common check for whether a > particular address is a kernel address or not. fault_in_kernel_space() > serves that purpose to an extent in other places. > > I thought we could rename fault_in_kernel_space() to > vaddr_in_kernel_space() and use it here. But the check in > copy_from_kernel_nofault_allowed() includes the user guard page as well. > So the checks wouldn't exactly be the same. > > I am unsure of the implications if we get rid of that difference. Maybe > we can leave it as-is for now unless someone else chimes in. There is other difference between fault_in_kernel_space() and copy_from_kernel_nofault_allowed(). fault_in_kernel_space() uses address >= TASK_SIZE_MAX to check the kernel space address, but copy_from_kernel_nofault_allowed() uses vaddr >= TASK_SIZE_MAX + PAGE_SIZE to check the kernel space address, so I prefer to keep it as-is. > > Sohil