Received: by 10.223.164.221 with SMTP id h29csp1508829wrb; Wed, 1 Nov 2017 18:27:38 -0700 (PDT) X-Google-Smtp-Source: ABhQp+SYXcD3iR1f7z+Fm0BQajyqEsVxmsgMR10nCk/uvlBDpxOTF4gSZQeE6tk4+OTbwglnjgX6 X-Received: by 10.84.248.77 with SMTP id e13mr1490614pln.200.1509586058151; Wed, 01 Nov 2017 18:27:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509586058; cv=none; d=google.com; s=arc-20160816; b=oLquvOCSXvT3aHJVHCcYA96X7v19qQFsEzO+ZI1bmlOv2oJwuQcMc4+GNPxWRS1F0n aJNx3j4WSJd/nWwuybqMoJ0y8QKJ/oCEuEU8O8OBqHwsN6LH7Mwv+1ncRXAIeRi8abWk 4rF3LpZ0zrW7cwaMR5yiImyUM+iZ0sDlwTGCmrfW0i28cEbKMpKIAHUVNXHjaB6BS/fr nV1hwF5oP+YJQWP9vn9Or8dIoGwZJUhrs8DIk+xhSEgtE5Ok73d9tB+PnAmAnSipgjJF qYhZw5L20rOLomQ3pGLVE8UreQi6gswikCbIzAzlV49qN2WvKgftZNE8BD69y1xnnnvR SmAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=6sbTOdaX5dxpJ+xQABIFIkSYhGA5ozs63SeTzeYf2Mo=; b=o0js44Esiso8G2GQNwUW1RM7MKMujsGHJXmT+vv+rlFaFd7FlyzRAoGfmXrpDqv//h AnSLqQmF7qRrO1pBfVGNgYVAmwjklrISuNEDQagk1P5vSR1moVAht6qIHzh/A2AARI0L jihTEGryZ0+/CGnFHROdtgnPmEYkZjlEl5pYiL/IeRSJbvyf03FY4umSVc3p2A0K4On/ 1TRwqdi3lsWlK/nx6+DRvYKipzo4HkMbGkgBkY9+I+TZLuBwQiet+FcfELLqyPHHoDAl 6I0XWeA6AB3GXMUFDLueA2FLGTOFNg14FvyYiMbZ8Mq0djxVJAdGh0ETjafSdcj/IAa/ ZeNg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m6si2204140pfm.64.2017.11.01.18.27.24; Wed, 01 Nov 2017 18:27:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934189AbdKBB0K (ORCPT + 99 others); Wed, 1 Nov 2017 21:26:10 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:47283 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933083AbdKBB0J (ORCPT ); Wed, 1 Nov 2017 21:26:09 -0400 Received: by mail-oi0-f68.google.com with SMTP id h200so7141315oib.4 for ; Wed, 01 Nov 2017 18:26:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=6sbTOdaX5dxpJ+xQABIFIkSYhGA5ozs63SeTzeYf2Mo=; b=HHB/hHSvyz6+j/5MpXX1Thj0Rwb1ooIHDcZqfRpVbdAvZEsMWWQbvCnFg5kKnJgs7c 0yxue/Mie6vbXDe7KrWVx1X5Dfiu4OjQzydfxszwLbg0pvcpnwzNLCSZD2DMJlwizxH3 wosKfZvC0i2d2H+GYdkCUmNzIQoiEnIdqR534SYs2CLevYqXD5EUXBDihEIQUTRiLM2R U20ld8yRSqSS37Lw0zDJ0Dej5ObsqpXjtnesjlEwwXvV+knSFfjjjHrWAbFhbcSNYafC PXaW3zZnbt2//8mnxj1GlMdqdWuvqaTB55mZ1gP08bYIK4zzG5q19hL7rbW/3FmudLdT +oPw== X-Gm-Message-State: AMCzsaXqasfE6DRT8q6l0qIj66lsrIyLNd2lRYl/f9/KOykJxB4cs4jZ eXjGy1OWRRUAE/FbalpnwFddag== X-Received: by 10.202.71.151 with SMTP id u145mr985675oia.133.1509585968851; Wed, 01 Nov 2017 18:26:08 -0700 (PDT) Received: from ?IPv6:2601:602:9802:a8dc::e174? ([2601:602:9802:a8dc::e174]) by smtp.gmail.com with ESMTPSA id y57sm988962oty.79.2017.11.01.18.26.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Nov 2017 18:26:07 -0700 (PDT) Subject: Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks To: Kees Cook Cc: Mark Rutland , linux-arm-kernel@lists.infradead.org, LKML , kernel-hardening@lists.openwall.com, Catalin Marinas , Will Deacon References: <20171026090942.7041-1-mark.rutland@arm.com> <77c80381-cf68-aa1a-9112-e057c068eeb6@redhat.com> <20171101120555.yvb65g3wgtxskfh3@lakrids.cambridge.arm.com> <0f2d5f89-2939-06ec-9b59-b19f828d8968@redhat.com> <57fa4bef-9540-6fb1-b2a7-5bf8b01c748a@redhat.com> From: Laura Abbott Message-ID: Date: Wed, 1 Nov 2017 18:25:53 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/01/2017 04:29 PM, Kees Cook wrote: > On Wed, Nov 1, 2017 at 4:05 PM, Laura Abbott wrote: >> On 11/01/2017 03:28 PM, Kees Cook wrote: >>> On Wed, Nov 1, 2017 at 2:13 PM, Laura Abbott wrote: >>>> On 11/01/2017 05:05 AM, Mark Rutland wrote: >>>>> On Tue, Oct 31, 2017 at 04:56:39PM -0700, Laura Abbott wrote: >>>>>> On 10/26/2017 02:09 AM, Mark Rutland wrote: >>>>>>> In Prague, Kees mentioned that it would be nice to have a mechanism to >>>>>>> catch bad __{get,put}_user uses, such as the recent CVE-2017-5123 [1,2] >>>>>>> issue with unsafe_put_user() in waitid(). >>>>>>> >>>>>>> These patches allow an optional access_ok() check to be dropped in >>>>>>> arm64's __{get,put}_user() primitives. These will then BUG() if a bad >>>>>>> user pointer is passed (which should only happen in the absence of an >>>>>>> earlier access_ok() check). >>>>> >>>>>> Turning on the option fails as soon as we hit userspace. On my buildroot >>>>>> based environment I get the help text for ld.so (????) and then a message >>>>>> about attempting to kill init. >>>>> >>>>> Ouch. Thanks for the report, and sorry about this. >>>>> >>>>> The problem is that I evaluate the ptr argument twice in >>>>> __{get,put}_user(), and this may have side effects. >>>>> >>>>> e.g. when the ELF loader does things like: >>>>> >>>>> __put_user((elf_addr_t)p, sp++) >>>>> >>>>> ... we increment sp twice, and write to the wrong user address, leaving >>>>> sp corrupt. >>>>> >>>>> I have an additional patch [1] to fix this, which is in my >>>>> arm64/access-ok branch [2]. >>>>> >>>>> Thanks, >>>>> Mark. >>>>> >>>>> [1] https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/commit/?h=arm64/access-ok&id=ebb7ff83eb53b8810395d5cf48712a4ae6d678543 >>>>> [2] https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=arm64/access-ok >>>>> >>>> >>>> Thanks, the updated patch works. I wrote an LKDTM test to verify >>>> the expected behavior (__{get,put}_user panic whereas {get,put}_user >>>> do not). You're welcome to add Tested-by or I can wait for v2. >>> >>> Nice. :) Out of curiosity, can you check if this correctly BUG()s on a >>> waitid() call when the fixes are reverted? >>> >>> 96ca579a1ecc ("waitid(): Avoid unbalanced user_access_end() on >>> access_ok() error") >>> 1c9fec470b81 ("waitid(): Add missing access_ok() checks") >>> >>> -Kees >>> >> >> Yep, we get a nice bug: >> >> [ 34.783912] ------------[ cut here ]------------ >> [ 34.784484] kernel BUG at kernel/exit.c:1614! > > Awesome! :) > > I wonder how hard it might be to make this happen on x86 too (or > generically). Hmmm x86 looks like it needs the same ptr_argument fixup as arm64 but seems to have a separate unsafe path so it's actually easier to fix up. I have version of this that seems to work so I'll clean it up and send it out tomorrow. Thanks, Laura From 1582908363997905610@xxx Wed Nov 01 23:30:51 +0000 2017 X-GM-THRID: 1582310663202567364 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread