From: Christophe Leroy <christophe.leroy@c-s.fr>
To: Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH v2 6/6] powerpc: Implement user_access_begin and friends
Date: Fri, 24 Jan 2020 12:40:23 +0100 [thread overview]
Message-ID: <0c2855c2-a6d6-6b35-7f69-f55add58dfb8@c-s.fr> (raw)
In-Reply-To: <87ftg6icc8.fsf@mpe.ellerman.id.au>
Le 23/01/2020 à 13:31, Michael Ellerman a écrit :
> Michael Ellerman <mpe@ellerman.id.au> writes:
>> Christophe Leroy <christophe.leroy@c-s.fr> writes:
>>> Today, when a function like strncpy_from_user() is called,
>>> the userspace access protection is de-activated and re-activated
>>> for every word read.
>>>
>>> By implementing user_access_begin and friends, the protection
>>> is de-activated at the beginning of the copy and re-activated at the
>>> end.
>>>
>>> Implement user_access_begin(), user_access_end() and
>>> unsafe_get_user(), unsafe_put_user() and unsafe_copy_to_user()
>>>
>>> For the time being, we keep user_access_save() and
>>> user_access_restore() as nops.
>>
>> That means we will run with user access enabled in a few more places, but
>> it's only used sparingly AFAICS:
>>
>> kernel/trace/trace_branch.c: unsigned long flags = user_access_save();
>> lib/ubsan.c: unsigned long flags = user_access_save();
>> lib/ubsan.c: unsigned long ua_flags = user_access_save();
>> mm/kasan/common.c: unsigned long flags = user_access_save();
>>
>> And we don't have objtool checking that user access enablement isn't
>> leaking in the first place, so I guess it's OK for us not to implement
>> these to begin with?
>
> It looks like we can implement them on on all three KUAP
> implementations.
>
> For radix and 8xx we just return/set the relevant SPR.
>
> For book3s/32/kup.h I think we'd just need to add a KUAP_CURRENT case to
> allow_user_access()?
Can't do that, we don't want to keep the info in current->thread.kuap
after user_access_save(), otherwise we might unexpectedly re-open access
through an interrupt.
And if we use KUAP_CURRENT case of prevent_user_access(), it means we'll
read current->thread.kuap twice.
So, just regenerate addr and end from the flags, and use
allow_user_access() and prevent_user_access() as usual.
I'll have it in v4
Christophe
WARNING: multiple messages have this Message-ID (diff)
From: Christophe Leroy <christophe.leroy@c-s.fr>
To: Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>
Cc: linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 6/6] powerpc: Implement user_access_begin and friends
Date: Fri, 24 Jan 2020 12:40:23 +0100 [thread overview]
Message-ID: <0c2855c2-a6d6-6b35-7f69-f55add58dfb8@c-s.fr> (raw)
In-Reply-To: <87ftg6icc8.fsf@mpe.ellerman.id.au>
Le 23/01/2020 à 13:31, Michael Ellerman a écrit :
> Michael Ellerman <mpe@ellerman.id.au> writes:
>> Christophe Leroy <christophe.leroy@c-s.fr> writes:
>>> Today, when a function like strncpy_from_user() is called,
>>> the userspace access protection is de-activated and re-activated
>>> for every word read.
>>>
>>> By implementing user_access_begin and friends, the protection
>>> is de-activated at the beginning of the copy and re-activated at the
>>> end.
>>>
>>> Implement user_access_begin(), user_access_end() and
>>> unsafe_get_user(), unsafe_put_user() and unsafe_copy_to_user()
>>>
>>> For the time being, we keep user_access_save() and
>>> user_access_restore() as nops.
>>
>> That means we will run with user access enabled in a few more places, but
>> it's only used sparingly AFAICS:
>>
>> kernel/trace/trace_branch.c: unsigned long flags = user_access_save();
>> lib/ubsan.c: unsigned long flags = user_access_save();
>> lib/ubsan.c: unsigned long ua_flags = user_access_save();
>> mm/kasan/common.c: unsigned long flags = user_access_save();
>>
>> And we don't have objtool checking that user access enablement isn't
>> leaking in the first place, so I guess it's OK for us not to implement
>> these to begin with?
>
> It looks like we can implement them on on all three KUAP
> implementations.
>
> For radix and 8xx we just return/set the relevant SPR.
>
> For book3s/32/kup.h I think we'd just need to add a KUAP_CURRENT case to
> allow_user_access()?
Can't do that, we don't want to keep the info in current->thread.kuap
after user_access_save(), otherwise we might unexpectedly re-open access
through an interrupt.
And if we use KUAP_CURRENT case of prevent_user_access(), it means we'll
read current->thread.kuap twice.
So, just regenerate addr and end from the flags, and use
allow_user_access() and prevent_user_access() as usual.
I'll have it in v4
Christophe
next prev parent reply other threads:[~2020-01-24 11:40 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 17:52 [PATCH v2 1/6] fs/readdir: Fix filldir() and filldir64() use of user_access_begin() Christophe Leroy
2020-01-22 17:52 ` Christophe Leroy
2020-01-22 17:52 ` [PATCH v2 2/6] powerpc/32s: Fix bad_kuap_fault() Christophe Leroy
2020-01-22 17:52 ` Christophe Leroy
2020-01-22 17:52 ` [PATCH v2 3/6] powerpc/kuap: Fix set direction in allow/prevent_user_access() Christophe Leroy
2020-01-22 17:52 ` Christophe Leroy
2020-01-22 17:52 ` [PATCH v2 4/6] powerpc/32s: Drop NULL addr verification Christophe Leroy
2020-01-22 17:52 ` Christophe Leroy
2020-01-22 17:52 ` [PATCH v2 5/6] powerpc/32s: prepare prevent_user_access() for user_access_end() Christophe Leroy
2020-01-22 17:52 ` Christophe Leroy
2020-01-23 10:59 ` Michael Ellerman
2020-01-23 10:59 ` Michael Ellerman
2020-01-22 17:52 ` [PATCH v2 6/6] powerpc: Implement user_access_begin and friends Christophe Leroy
2020-01-22 17:52 ` Christophe Leroy
2020-01-23 12:05 ` Michael Ellerman
2020-01-23 12:05 ` Michael Ellerman
2020-01-23 12:31 ` Michael Ellerman
2020-01-23 12:31 ` Michael Ellerman
2020-01-24 11:40 ` Christophe Leroy [this message]
2020-01-24 11:40 ` Christophe Leroy
2020-01-22 18:24 ` [PATCH v2 1/6] fs/readdir: Fix filldir() and filldir64() use of user_access_begin() Linus Torvalds
2020-01-22 18:24 ` Linus Torvalds
2020-01-22 20:00 ` Linus Torvalds
2020-01-22 20:00 ` Linus Torvalds
2020-01-22 20:00 ` Linus Torvalds
2020-01-22 20:15 ` Linus Torvalds
2020-01-22 20:15 ` Linus Torvalds
2020-01-22 20:15 ` Linus Torvalds
2020-01-22 20:37 ` Linus Torvalds
2020-01-22 20:37 ` Linus Torvalds
2020-01-22 20:37 ` Linus Torvalds
2020-01-23 6:27 ` Christophe Leroy
2020-01-23 6:27 ` Christophe Leroy
2020-01-23 11:56 ` Michael Ellerman
2020-01-23 11:56 ` Michael Ellerman
2020-01-23 12:00 ` Michael Ellerman
2020-01-23 12:00 ` Michael Ellerman
2020-01-23 12:43 ` Christophe Leroy
2020-01-23 12:43 ` Christophe Leroy
2020-01-23 18:38 ` Linus Torvalds
2020-01-23 18:38 ` Linus Torvalds
2020-01-23 18:38 ` Linus Torvalds
2020-01-24 10:42 ` Michael Ellerman
2020-01-24 10:42 ` Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0c2855c2-a6d6-6b35-7f69-f55add58dfb8@c-s.fr \
--to=christophe.leroy@c-s.fr \
--cc=benh@kernel.crashing.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.