From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@aculab.com>
Cc: Matthew Wilcox <willy@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Muhammad Usama Anjum <usama.anjum@collabora.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
"linux-sh@vger.kernel.org" <linux-sh@vger.kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>
Subject: Re: [PATCH v2] usercopy: Check valid lifetime via stack depth
Date: Thu, 24 Feb 2022 20:47:02 -0800 [thread overview]
Message-ID: <202202242046.33FF8372@keescook> (raw)
In-Reply-To: <85d42900efaa4fdb8c20de2147d938c7@AcuMS.aculab.com>
On Thu, Feb 24, 2022 at 08:58:20AM +0000, David Laight wrote:
> From: Kees Cook
> > Sent: 24 February 2022 06:04
> >
> > Under CONFIG_HARDENED_USERCOPY=y, when exact stack frame boundary checking
> > is not available (i.e. everything except x86 with FRAME_POINTER), check
> > a stack object as being at least "current depth valid", in the sense
> > that any object within the stack region but not between start-of-stack
> > and current_stack_pointer should be considered unavailable (i.e. its
> > lifetime is from a call no longer present on the stack).
> >
> ...
> > diff --git a/mm/usercopy.c b/mm/usercopy.c
> > index d0d268135d96..5d28725af95f 100644
> > --- a/mm/usercopy.c
> > +++ b/mm/usercopy.c
> > @@ -22,6 +22,30 @@
> > #include <asm/sections.h>
> > #include "slab.h"
> >
> > +/*
> > + * Only called if obj is within stack/stackend bounds. Determine if within
> > + * current stack depth.
> > + */
> > +static inline int check_stack_object_depth(const void *obj,
> > + unsigned long len)
> > +{
> > +#ifdef CONFIG_ARCH_HAS_CURRENT_STACK_POINTER
> > +#ifndef CONFIG_STACK_GROWSUP
>
> Pointless negation
>
> > + const void * const high = stackend;
> > + const void * const low = (void *)current_stack_pointer;
> > +#else
> > + const void * const high = (void *)current_stack_pointer;
> > + const void * const low = stack;
> > +#endif
> > +
> > + /* Reject: object not within current stack depth. */
> > + if (obj < low || high < obj + len)
> > + return BAD_STACK;
> > +
> > +#endif
> > + return GOOD_STACK;
> > +}
>
> If the comment at the top of the function is correct then
> only a single test for the correct end of the buffer against
> the current stack pointer is needed.
> Something like:
> #ifdef CONFIG_STACK_GROWSUP
> if ((void *)current_stack_pointer < obj + len)
> return BAD_STACK;
> #else
> if (obj < (void *)current_stack_pointer)
> return BAD_STACK;
> #endif
> return GOOD_STACK;
Oh, yeah, excellent point. I suspect the compiler would probably
optimize it all away, but yes, this is, in fact, easier to read, and
short enough I should probably just not bother with a separate function.
Thanks!
-Kees
>
> Although it may depend on exactly where the stack pointer
> points to - especially for GROWSUP.
>
> David
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@aculab.com>
Cc: "linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
"linux-sh@vger.kernel.org" <linux-sh@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Matthew Wilcox <willy@infradead.org>,
Muhammad Usama Anjum <usama.anjum@collabora.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v2] usercopy: Check valid lifetime via stack depth
Date: Thu, 24 Feb 2022 20:47:02 -0800 [thread overview]
Message-ID: <202202242046.33FF8372@keescook> (raw)
In-Reply-To: <85d42900efaa4fdb8c20de2147d938c7@AcuMS.aculab.com>
On Thu, Feb 24, 2022 at 08:58:20AM +0000, David Laight wrote:
> From: Kees Cook
> > Sent: 24 February 2022 06:04
> >
> > Under CONFIG_HARDENED_USERCOPY=y, when exact stack frame boundary checking
> > is not available (i.e. everything except x86 with FRAME_POINTER), check
> > a stack object as being at least "current depth valid", in the sense
> > that any object within the stack region but not between start-of-stack
> > and current_stack_pointer should be considered unavailable (i.e. its
> > lifetime is from a call no longer present on the stack).
> >
> ...
> > diff --git a/mm/usercopy.c b/mm/usercopy.c
> > index d0d268135d96..5d28725af95f 100644
> > --- a/mm/usercopy.c
> > +++ b/mm/usercopy.c
> > @@ -22,6 +22,30 @@
> > #include <asm/sections.h>
> > #include "slab.h"
> >
> > +/*
> > + * Only called if obj is within stack/stackend bounds. Determine if within
> > + * current stack depth.
> > + */
> > +static inline int check_stack_object_depth(const void *obj,
> > + unsigned long len)
> > +{
> > +#ifdef CONFIG_ARCH_HAS_CURRENT_STACK_POINTER
> > +#ifndef CONFIG_STACK_GROWSUP
>
> Pointless negation
>
> > + const void * const high = stackend;
> > + const void * const low = (void *)current_stack_pointer;
> > +#else
> > + const void * const high = (void *)current_stack_pointer;
> > + const void * const low = stack;
> > +#endif
> > +
> > + /* Reject: object not within current stack depth. */
> > + if (obj < low || high < obj + len)
> > + return BAD_STACK;
> > +
> > +#endif
> > + return GOOD_STACK;
> > +}
>
> If the comment at the top of the function is correct then
> only a single test for the correct end of the buffer against
> the current stack pointer is needed.
> Something like:
> #ifdef CONFIG_STACK_GROWSUP
> if ((void *)current_stack_pointer < obj + len)
> return BAD_STACK;
> #else
> if (obj < (void *)current_stack_pointer)
> return BAD_STACK;
> #endif
> return GOOD_STACK;
Oh, yeah, excellent point. I suspect the compiler would probably
optimize it all away, but yes, this is, in fact, easier to read, and
short enough I should probably just not bother with a separate function.
Thanks!
-Kees
>
> Although it may depend on exactly where the stack pointer
> points to - especially for GROWSUP.
>
> David
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: David Laight <David.Laight@aculab.com>
Cc: Matthew Wilcox <willy@infradead.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Muhammad Usama Anjum <usama.anjum@collabora.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linuxppc-dev@lists.ozlabs.org" <linuxppc-dev@lists.ozlabs.org>,
"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
"linux-sh@vger.kernel.org" <linux-sh@vger.kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>
Subject: Re: [PATCH v2] usercopy: Check valid lifetime via stack depth
Date: Thu, 24 Feb 2022 20:47:02 -0800 [thread overview]
Message-ID: <202202242046.33FF8372@keescook> (raw)
In-Reply-To: <85d42900efaa4fdb8c20de2147d938c7@AcuMS.aculab.com>
On Thu, Feb 24, 2022 at 08:58:20AM +0000, David Laight wrote:
> From: Kees Cook
> > Sent: 24 February 2022 06:04
> >
> > Under CONFIG_HARDENED_USERCOPY=y, when exact stack frame boundary checking
> > is not available (i.e. everything except x86 with FRAME_POINTER), check
> > a stack object as being at least "current depth valid", in the sense
> > that any object within the stack region but not between start-of-stack
> > and current_stack_pointer should be considered unavailable (i.e. its
> > lifetime is from a call no longer present on the stack).
> >
> ...
> > diff --git a/mm/usercopy.c b/mm/usercopy.c
> > index d0d268135d96..5d28725af95f 100644
> > --- a/mm/usercopy.c
> > +++ b/mm/usercopy.c
> > @@ -22,6 +22,30 @@
> > #include <asm/sections.h>
> > #include "slab.h"
> >
> > +/*
> > + * Only called if obj is within stack/stackend bounds. Determine if within
> > + * current stack depth.
> > + */
> > +static inline int check_stack_object_depth(const void *obj,
> > + unsigned long len)
> > +{
> > +#ifdef CONFIG_ARCH_HAS_CURRENT_STACK_POINTER
> > +#ifndef CONFIG_STACK_GROWSUP
>
> Pointless negation
>
> > + const void * const high = stackend;
> > + const void * const low = (void *)current_stack_pointer;
> > +#else
> > + const void * const high = (void *)current_stack_pointer;
> > + const void * const low = stack;
> > +#endif
> > +
> > + /* Reject: object not within current stack depth. */
> > + if (obj < low || high < obj + len)
> > + return BAD_STACK;
> > +
> > +#endif
> > + return GOOD_STACK;
> > +}
>
> If the comment at the top of the function is correct then
> only a single test for the correct end of the buffer against
> the current stack pointer is needed.
> Something like:
> #ifdef CONFIG_STACK_GROWSUP
> if ((void *)current_stack_pointer < obj + len)
> return BAD_STACK;
> #else
> if (obj < (void *)current_stack_pointer)
> return BAD_STACK;
> #endif
> return GOOD_STACK;
Oh, yeah, excellent point. I suspect the compiler would probably
optimize it all away, but yes, this is, in fact, easier to read, and
short enough I should probably just not bother with a separate function.
Thanks!
-Kees
>
> Although it may depend on exactly where the stack pointer
> points to - especially for GROWSUP.
>
> David
>
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
>
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-02-25 4:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-24 6:03 [PATCH v2] usercopy: Check valid lifetime via stack depth Kees Cook
2022-02-24 6:03 ` Kees Cook
2022-02-24 6:03 ` Kees Cook
2022-02-24 8:58 ` David Laight
2022-02-24 8:58 ` David Laight
2022-02-24 8:58 ` David Laight
2022-02-25 4:47 ` Kees Cook [this message]
2022-02-25 4:47 ` Kees Cook
2022-02-25 4:47 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202202242046.33FF8372@keescook \
--to=keescook@chromium.org \
--cc=David.Laight@aculab.com \
--cc=akpm@linux-foundation.org \
--cc=jpoimboe@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-sh@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=usama.anjum@collabora.com \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.