From: Guenter Roeck <linux@roeck-us.net>
To: Christoph Hellwig <hch@lst.de>
Cc: linux-arch@vger.kernel.org, Nick Hu <nickhu@andestech.com>,
linux-kernel@vger.kernel.org, Palmer Dabbelt <palmer@dabbelt.com>,
Greentime Hu <green.hu@gmail.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Andrew Morton <akpm@linux-foundation.org>,
Vincent Chen <deanbo422@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-riscv@lists.infradead.org
Subject: Re: [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check
Date: Mon, 20 Jul 2020 22:30:30 -0700 [thread overview]
Message-ID: <7fc565fe-411e-6a0b-8aaf-0bf808f0d6a9@roeck-us.net> (raw)
In-Reply-To: <20200721052022.GA10011@lst.de>
On 7/20/20 10:20 PM, Christoph Hellwig wrote:
> On Mon, Jul 20, 2020 at 10:15:37PM -0700, Guenter Roeck wrote:
>>>> - if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
>>>> + if (CHECK_DATA_CORRUPTION(!uaccess_kernel(),
>>>>
>>>> How does this work anywhere ?
>>>
>>> No, that is the wrong check - we want to make sure the address
>>> space override doesn't leak to userspace. The problem is that
>>> armnommu (and m68knommu, but that doesn't call the offending
>>> function) pretends to not have a kernel address space, which doesn't
>>> really work. Here is the fix I sent out yesterday, which I should
>>> have Cc'ed you on, sorry:
>>>
>>
>> The patch below makes sense, and it does work, but I still suspect
>> that something with your original patch is wrong, or at least suspicious.
>> Reason: My change above (Adding the "!") works for _all_ of my arm boot
>> tests. Or, in other words, it doesn't make a difference if true
>> or false is passed as first parameter of CHECK_DATA_CORRUPTION(), except
>> for nommu systems. Also, unless I am really missing something, your
>> original patch _does_ reverse the logic.
>
> Well. segment_eq is in current mainline used in two places:
>
> 1) to implement uaccess_kernel
> 2) in addr_limit_user_check to implement uaccess_kernel-like
> semantics using a strange reverse notation
>
> I think the explanation for your observation is how addr_limit_user_check
> is called on arm. The addr_limit_check_failed wrapper for it is called
> from assembly code, but only after already checking the addr_limit,
> basically duplicating the segment_eq check. So for mmu builds it won't
> get called unless we leak the kernel address space override, which
> is a pretty fatal error and won't show up in your boot tests. The
> only good way to test it is by explicit injecting it using the
> lkdtm module.
>
Guess I lost it somewhere. Are you saying the check was wrong all along
and your patch fixed it ?
Thanks,
Guenter
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2020-07-21 5:30 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 10:54 clean up address limit helpers v2 Christoph Hellwig
2020-07-14 10:55 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
2020-07-18 1:38 ` Guenter Roeck
2020-07-18 9:48 ` Christoph Hellwig
2020-07-18 14:54 ` Guenter Roeck
2020-07-20 22:10 ` Guenter Roeck
2020-07-21 4:58 ` Christoph Hellwig
2020-07-21 5:15 ` Guenter Roeck
2020-07-21 5:20 ` Christoph Hellwig
2020-07-21 5:30 ` Guenter Roeck [this message]
2020-07-21 5:35 ` Christoph Hellwig
2020-07-14 10:55 ` [PATCH 2/6] nds32: use uaccess_kernel in show_regs Christoph Hellwig
2020-07-14 10:55 ` [PATCH 3/6] riscv: include <asm/pgtable.h> in <asm/uaccess.h> Christoph Hellwig
2020-07-14 10:55 ` [PATCH 4/6] uaccess: remove segment_eq Christoph Hellwig
2020-07-14 15:27 ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 5/6] uaccess: add force_uaccess_{begin,end} helpers Christoph Hellwig
2020-07-14 15:29 ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 6/6] exec: use force_uaccess_begin during exec and exit Christoph Hellwig
2020-07-15 3:33 ` Eric W. Biederman
2020-07-15 6:06 ` Christoph Hellwig
2020-07-16 23:49 ` clean up address limit helpers v2 Andrew Morton
2020-07-17 6:06 ` Christoph Hellwig
2020-07-20 15:54 ` [PATCH 0/6] arm: don't call addr_limit_user_check for nommu Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2020-07-10 13:57 clean up address limit helpers Christoph Hellwig
2020-07-10 13:57 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7fc565fe-411e-6a0b-8aaf-0bf808f0d6a9@roeck-us.net \
--to=linux@roeck-us.net \
--cc=akpm@linux-foundation.org \
--cc=deanbo422@gmail.com \
--cc=green.hu@gmail.com \
--cc=hch@lst.de \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=nickhu@andestech.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).