From: Andy Lutomirski <luto@kernel.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: "Ingo Molnar" <mingo@kernel.org>, "Greg KH" <greg@kroah.com>,
	"Thomas Garnier" <thgarnie@google.com>,
	"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
	"Heiko Carstens" <heiko.carstens@de.ibm.com>,
	"Dave Hansen" <dave.hansen@intel.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"David Howells" <dhowells@redhat.com>,
	"René Nyffenegger" <mail@renenyffenegger.ch>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	"Oleg Nesterov" <oleg@redhat.com>,
	"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
	"Ingo Molnar" <mingo@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Rik van Riel" <riel@redhat.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Josh Poimboeuf" <jpoimboe@redhat.com>,
	"Borislav Petkov" <bp@alien>
Subject: Re: Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode
Date: Tue, 9 May 2017 06:00:01 -0700
Message-ID: <CALCETrUh8NO2scaqEM48K70Fo2+V3=Cpyk4JurCDiCYp4nm_+g@mail.gmail.com>
In-Reply-To: <20170509085659.GA32555@infradead.org>

On Tue, May 9, 2017 at 1:56 AM, Christoph Hellwig <hch@infradead.org> wrote:
> On Tue, May 09, 2017 at 08:45:22AM +0200, Ingo Molnar wrote:
>> We only have ~115 code blocks in the kernel that set/restore KERNEL_DS, it would
>> be a pity to add a runtime check to every system call ...
>
> I think we should simply strive to remove all of them that aren't
> in core scheduler / arch code.  Basically every time we do the
>
>         oldfs = get_fs();
>         set_fs(KERNEL_DS);
>         ..
>         set_fs(oldfs);
>
> trick we're doing something wrong, and there should always be better
> ways to achieve it.  E.g. using iov_iter with an ITER_KVEC type
> consistently would already remove most of them.

How about trying to remove all of them?  If we could actually get rid
of all of them, we could drop the arch support, and we'd get faster,
simpler, shorter uaccess code throughout the kernel.

The ones in kernel/compat.c are generally garbage.  They should be
using compat_alloc_user_space().  Ditto for kernel/power/user.c.

flush_module_icache() is a potentially silly arch thing.  Does the
code in kernel/module.c that uses set_fs() actually work?

kernel/signal.c's set_fs() is laziness.

__probe_kernel_read() and __probe_kernel_write() use set_fs(), but
that usage only matters on sane arches* like s390x.  We should
arguably have a set_uaccess_address_space() or similar for this
purpose that's a nop on normal arches like x86.

fs/splice.c has some, ahem, interesting uses that have been the source
of nasty exploits in the past.  Converting them to use iov_iter
properly would be really, really nice.  Christoph, I don't suppose
you'd like to do that?

The others seem to mostly be fixable, but I haven't looked that closely.

Overall, I suspect that a big part of why mitigations like the one
being discussed in this thread were developed is because addr_limit
used to be on the stack, making it (along with restart_block) a really
nice target.  This is fixed now on x86, arm64, and s390x, I believe,
and other arches can easily opt in to the fix.

* I'm strongly in favor of arches that have totally separate user and
kernel address spaces.  Sadly, the most common arches don't do this.
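Added example, not code from the thread or from the kernel: a user-space C model of the addr_limit mechanism this message discusses, showing how the quoted set_fs(KERNEL_DS) pattern widens what access_ok() accepts and how the exit-path check the patch series adds catches a limit that was not restored before returning to user mode. All names (access_ok_model, set_fs_model, addr_limit_user_check_model) and the address constants are constructed stand-ins, not kernel identifiers.

```c
/* Added example, not kernel code: a user-space model of addr_limit,
 * get_fs()/set_fs() and the return-to-user check this patch series adds.
 * Addresses are plain integers and the user/kernel split is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_DS_MODEL   0x00007ffffffff000ULL  /* constructed user ceiling */
#define KERNEL_DS_MODEL (~0ULL)                /* no limit at all */

static uint64_t addr_limit = USER_DS_MODEL;   /* thread_info.addr_limit */
static uint64_t get_fs_model(void) { return addr_limit; }
static void set_fs_model(uint64_t fs) { addr_limit = fs; }

/* access_ok(): range must end at or below the limit, with no wraparound */
static bool access_ok_model(uint64_t addr, uint64_t len)
{
    return len <= addr_limit && addr <= addr_limit - len;
}

/* The oldfs = get_fs(); set_fs(KERNEL_DS); ...; set_fs(oldfs) pattern
 * quoted above; 'restore' models whether set_fs(oldfs) was remembered. */
static bool kernel_buf_access(uint64_t kaddr, uint64_t len, bool restore)
{
    uint64_t oldfs = get_fs_model();
    set_fs_model(KERNEL_DS_MODEL);
    bool ok = access_ok_model(kaddr, len);
    if (restore)
        set_fs_model(oldfs);
    return ok;
}

/* The exit-path check: true if the limit is back at USER_DS, false if
 * KERNEL_DS leaked out of the syscall. What the kernel then does (the
 * patch's own reaction) is deliberately not modelled. */
static bool addr_limit_user_check_model(void)
{
    return addr_limit == USER_DS_MODEL;
}

int main(void)
{
    uint64_t kaddr = 0xffffffff81000000ULL;   /* constructed kernel address */
    kernel_buf_access(kaddr, 16, true);
    printf("balanced set_fs: exit check ok=%d\n", addr_limit_user_check_model());
    kernel_buf_access(kaddr, 16, false);
    printf("leaked KERNEL_DS: exit check ok=%d, user-mode access_ok on kernel addr=%d\n",
           addr_limit_user_check_model(), access_ok_model(kaddr, 16));
    return 0;
}
```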
