Received: by 10.223.164.221 with SMTP id h29csp192401wrb; Tue, 31 Oct 2017 16:57:35 -0700 (PDT) X-Google-Smtp-Source: ABhQp+T9H+PMpU3AUtPooNWDJ3EM7PSgJQjPtGAx5c41UfQuhpD9OKKLZsjllElpemWPc7LWNG7Y X-Received: by 10.99.95.76 with SMTP id t73mr3665560pgb.57.1509494255856; Tue, 31 Oct 2017 16:57:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509494255; cv=none; d=google.com; s=arc-20160816; b=aWY/Ixu9srb0ttjuZI8jZiSKSGGU51Vjq0ZcM+hRk4IxO/ARW0hddwcM8bfzZBMTHR 3p676cFEOt6TsQSwezmJMVMQS9bgAlnHsRrrtpKPqwEXI0iTjcXfbEoxg3VO02wIAYHw Voo+GCNGD+fpCUvAsjaENJvS0Nd9L9D2+HSYOgkillmlBuQPeYaL8NSIhZqPIxIAf3Ix cuBb+TZBqdbxwyoQDJsHD9lEzHWMtfYu/3T7SruiZN9aL4FOEHkiYwU+XfwAZfkDPoP5 EpfZBNGdWpsLupz+w95dQlMscrGWyPBIorQ4KLpTOVd1X0omH4hahj27ZUv/0VRCZBKS PSjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=H00acaW+/wzW7NIszQ7KTfuYFsXOP+tFKm+04WjYu2w=; b=uNFfh2Y8qKSCaGqS31fn1j5xa0yA5TomDHZxXO/3utuytq6kYLJD6Lgtufvz5jgnqZ C35dAVzRKz946Aw38NjVRHPL/nW/1H6Us4KOR/0QIwfvByZBr9pkKfq17w5BWfs2xKXO 4zNkTyX1iE7narzn1MM/CmU5dANTwhDMtYuYEWwc3pbqZM+jmWvPbUK+w3/gJ3Us12BP /TeAqFuJwTyCx53wizINgXWkBDOdw0uL9oUTmUAVSy2p2bryR/LIDQRq4S4NqOSylL19 bP9CstexVrbaDREiQFKLr3JV+3jp29PkSPnlHSjYXIMijlIoWbUuId07Kzjm/ID7knpw LVVg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j189si2636428pgd.249.2017.10.31.16.57.21; Tue, 31 Oct 2017 16:57:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754012AbdJaX4p (ORCPT + 99 others); Tue, 31 Oct 2017 19:56:45 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:53855 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751347AbdJaX4n (ORCPT ); Tue, 31 Oct 2017 19:56:43 -0400 Received: by mail-oi0-f68.google.com with SMTP id h6so1068510oia.10 for ; Tue, 31 Oct 2017 16:56:43 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=H00acaW+/wzW7NIszQ7KTfuYFsXOP+tFKm+04WjYu2w=; b=Q/J+UqCh66cig0R3M965h9VfjBBrTumIPKVpGHtJms7c5zFP7EKSAHDf1PNEvz/Ce4 ZZuiPZAACCdZAb62FLwa0RuQjVjyXxXV1BHF9/Z/qHaLkX+Z0iwgFc3LOcz5jab3UdRS zaz/Jp4ia59ZW5DLtYpjhkm3/7gTNx9fM1VWo50Z2ZVoIao9w6iG2B9KBcD/plqFr76+ FMI3cEFKE5sVhfpx0rok+Iv3JOF1adRHhWSmFmjSl85/+QnZkzvOs9zBCkKzKItC0s1L ktjDGyw73Sbdw4Aj+5CP0xgFtKdeE7gRYaM0IkVxFG1rt5tPmlibYH6z/BtJwr4iUx8o Jh5w== X-Gm-Message-State: AMCzsaU4ujVk0txUsTdVoQ0nSzuGdsuBSbdxZsoxorkVCUApwF7iZR1y k+VH4XrNbap/oaQgOh+IkR9YYw== X-Received: by 10.202.94.194 with SMTP id s185mr1703744oib.371.1509494202928; Tue, 31 Oct 2017 16:56:42 -0700 (PDT) Received: from ?IPv6:2601:602:9802:a8dc::e174? ([2601:602:9802:a8dc::e174]) by smtp.gmail.com with ESMTPSA id u16sm1298818otd.78.2017.10.31.16.56.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Oct 2017 16:56:41 -0700 (PDT) Subject: Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks To: Mark Rutland , linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Catalin Marinas , Kees Cook , Will Deacon References: <20171026090942.7041-1-mark.rutland@arm.com> From: Laura Abbott Message-ID: <77c80381-cf68-aa1a-9112-e057c068eeb6@redhat.com> Date: Tue, 31 Oct 2017 16:56:39 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20171026090942.7041-1-mark.rutland@arm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/26/2017 02:09 AM, Mark Rutland wrote: > Hi, > > In Prague, Kees mentioned that it would be nice to have a mechanism to > catch bad __{get,put}_user uses, such as the recent CVE-2017-5123 [1,2] > issue with unsafe_put_user() in waitid(). > > These patches allow an optional access_ok() check to be dropped in > arm64's __{get,put}_user() primitives. These will then BUG() if a bad > user pointer is passed (which should only happen in the absence of an > earlier access_ok() check). > > The first patch rewrites the arm64 access_ok() check in C. This gives > the compiler the visibility it needs to elide redundant access_ok() > checks, so in the common case: > > get_user() > access_ok() > __get_user() > BUG_ON(!access_ok()) > > > ... the compiler can determine that the second access_ok() must return > true, and can elide it along with the BUG_ON(), leaving: > > get_user() > access_ok() > __get_user() > > > ... and thus this sanity check can have no cost in the common case. > > The compiler doesn't always have the visibility to do this (e.g. if the > two access_ok() checks are in different compilation units), but it seems > to manage to do this most of the time -- In testing with v4.14-rc5 > defconfig this only increases the total Image size by 4KiB. > > I had a go at turning this into a BUILD_BUG_ON(), to see if we could > catch this issue at compile time. However, my GCC wasn't able to remove > the BUILD_BUG() from some {get,put}_user cases. Maybe we can fix that, > or maybe we can have some static analysis catch this at build time. > > It's entirely possible that I've made some catastrophic mistake in these > patches; I've only build-tested them so far, and I don't currently have > access to hardware to test on. > > I also haven't yet modified __copy_{to,from}_user and friends along > similar lines, so this is incomplete. If there aren't any major > objections to this approach, I can fold those in for the next spin. > > Thanks, > Mark. > > [1] https://lwn.net/Articles/736348/ > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=96ca579a1ecc943b75beba58bebb0356f6cc4b51 > > > Mark Rutland (2): > arm64: write __range_ok() in C > arm64: allow paranoid __{get,put}user > > arch/arm64/Kconfig | 9 +++++++++ > arch/arm64/include/asm/uaccess.h | 27 +++++++++++++++++++-------- > 2 files changed, 28 insertions(+), 8 deletions(-) > Turning on the option fails as soon as we hit userspace. On my buildroot based environment I get the help text for ld.so (????) and then a message about attempting to kill init. I get a crash in init on the Hikey Android environment as well. It almost seems like the __range_ok re-write is triggering an error but it only seems to happen when the option is enabled even when I take out the BUG. I'll see if I can get more useful information. Thanks, Laura From 1582490470229602364@xxx Sat Oct 28 08:48:37 +0000 2017 X-GM-THRID: 1582310663202567364 X-Gmail-Labels: Inbox,Category Forums