From: Christophe Leroy <christophe.leroy@c-s.fr>
To: Nicholas Piggin <npiggin@gmail.com>,
linuxppc-dev@ozlabs.org, Michael Ellerman <mpe@ellerman.id.au>,
Russell Currey <ruscur@russell.cc>
Subject: Re: [PATCH v6 09/10] powerpc/64s: Implement KUAP for Radix MMU
Date: Fri, 17 Apr 2020 14:02:44 +0200 [thread overview]
Message-ID: <69987eaa-a32d-4c83-d798-ae6e54ffd0a6@c-s.fr> (raw)
In-Reply-To: <1587119526.51khzi2lop.astroid@bobo.none>
Le 17/04/2020 à 12:39, Nicholas Piggin a écrit :
> Excerpts from Christophe Leroy's message of April 17, 2020 8:10 pm:
>>
>>
>> Le 18/04/2019 à 08:51, Michael Ellerman a écrit :
>>> Kernel Userspace Access Prevention utilises a feature of the Radix MMU
>>> which disallows read and write access to userspace addresses. By
>>> utilising this, the kernel is prevented from accessing user data from
>>> outside of trusted paths that perform proper safety checks, such as
>>> copy_{to/from}_user() and friends.
>>>
>>> Userspace access is disabled from early boot and is only enabled when
>>> performing an operation like copy_{to/from}_user(). The register that
>>> controls this (AMR) does not prevent userspace from accessing itself,
>>> so there is no need to save and restore when entering and exiting
>>> userspace.
>>>
>>> When entering the kernel from the kernel we save AMR and if it is not
>>> blocking user access (because eg. we faulted doing a user access) we
>>> reblock user access for the duration of the exception (ie. the page
>>> fault) and then restore the AMR when returning back to the kernel.
>>>
>>> This feature can be tested by using the lkdtm driver (CONFIG_LKDTM=y)
>>> and performing the following:
>>>
>>> # (echo ACCESS_USERSPACE) > [debugfs]/provoke-crash/DIRECT
>>>
>>> If enabled, this should send SIGSEGV to the thread.
>>>
>>> We also add paranoid checking of AMR in switch and syscall return
>>> under CONFIG_PPC_KUAP_DEBUG.
>>>
>>> Co-authored-by: Michael Ellerman <mpe@ellerman.id.au>
>>> Signed-off-by: Russell Currey <ruscur@russell.cc>
>>> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
>>
>> [...]
>>
>>> diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
>>> index 15c67d2c0534..7cc25389c6bd 100644
>>> --- a/arch/powerpc/kernel/entry_64.S
>>> +++ b/arch/powerpc/kernel/entry_64.S
>>
>> [...]
>>
>>> @@ -594,6 +606,8 @@ _GLOBAL(_switch)
>>> std r23,_CCR(r1)
>>> std r1,KSP(r3) /* Set old stack pointer */
>>>
>>> + kuap_check_amr r9, r10
>>> +
>>> FLUSH_COUNT_CACHE
>>>
>>> /*
>>
>> I'm having a problem with this check. As you know I implemented the
>> exact same check in _switch() in entry_32.S. After adding some printk
>> inside an user_access_begin()/user_access_end() section, I started to
>> get valid user accesses blocked by KUAP. Then I activated
>> CONFIG_PPC_KUAP_DEBUG which led me to WARNINGs on this check.
>>
>> This is due to schedule() being called by printk() inside the section
>> where user access is unlocked. How is this supposed to work ? When
>
> Unlocked user access sections are supposed to be very constrained,
> I think x86's objtool has a checker to verify nothing much gets
> called. Printk shouldn't be.
>
> I was hitting the same assertion and it was because the uaccess
> macros were pulling lots of things into the user access region.
>
> https://patchwork.ozlabs.org/project/linuxppc-dev/patch/20200407041245.600651-1-npiggin@gmail.com/
>
> If that doesn't solve your problem... then now is printk being
> called with user access enabled?
Yes indeed, the printk was called with user access enabled, as I wanted
to print all calls to unsafe_copy_to_user()
Thanks
Christophe
next prev parent reply other threads:[~2020-04-17 12:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-18 6:51 [PATCH v6 01/10] powerpc/powernv/idle: Restore IAMR after idle Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 02/10] powerpc/powernv/idle: Restore AMR/UAMOR/AMOR " Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 03/10] powerpc: Add framework for Kernel Userspace Protection Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 04/10] powerpc: Add skeleton for Kernel Userspace Execution Prevention Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 05/10] powerpc: Add a framework for Kernel Userspace Access Protection Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 06/10] powerpc/64: Setup KUP on secondary CPUs Michael Ellerman
2019-04-24 6:03 ` Christophe Leroy
2019-04-18 6:51 ` [PATCH v6 07/10] powerpc/mm/radix: Use KUEP API for Radix MMU Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 08/10] powerpc/lib: Refactor __patch_instruction() to use __put_user_asm() Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 09/10] powerpc/64s: Implement KUAP for Radix MMU Michael Ellerman
2020-04-17 10:10 ` Christophe Leroy
2020-04-17 10:39 ` Nicholas Piggin
2020-04-17 12:02 ` Christophe Leroy [this message]
2019-04-18 6:51 ` [PATCH v6 10/10] powerpc/mm: Detect bad KUAP faults Michael Ellerman
2019-04-21 14:19 ` [v6,01/10] powerpc/powernv/idle: Restore IAMR after idle Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69987eaa-a32d-4c83-d798-ae6e54ffd0a6@c-s.fr \
--to=christophe.leroy@c-s.fr \
--cc=linuxppc-dev@ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=npiggin@gmail.com \
--cc=ruscur@russell.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).