* [PATCH 0/4] Fix check address limit on user-mode
From: Kees Cook @ 2017-09-07 15:30 UTC
  To: Ingo Molnar
  Cc: Kees Cook, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Will Deacon, Andy Lutomirski, Will Drewry,
	Al Viro, Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, linux-api,
	linux-kernel

Fixes from Thomas Garnier: the new address limit check was causing
hangs on ARM. This solves the problem and takes proactive steps on
ARM64. Additionally, it removes the unconditional BUG_ON() on check failures.

-Kees


* [PATCH 1/4] syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
From: Kees Cook @ 2017-09-07 15:30 UTC
  To: Ingo Molnar
  Cc: Kees Cook, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Will Deacon, Andy Lutomirski, Will Drewry,
	Al Viro, Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, linux-api,
	linux-kernel

From: Thomas Garnier <thgarnie@google.com>

Use CHECK_DATA_CORRUPTION instead of BUG_ON to provide more flexibility
on address limit failures. By default, send a SIGKILL signal to kill the
current process, preventing exploitation of a bad address limit.

Make the TIF_FSCHECK flag optional so ARM can use this function.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 include/linux/syscalls.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 88951b795ee3..65e273aadada 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -219,21 +219,25 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
 	}								\
 	static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))
 
-#ifdef TIF_FSCHECK
 /*
  * Called before coming back to user-mode. Returning to user-mode with an
  * address limit different than USER_DS can allow to overwrite kernel memory.
  */
 static inline void addr_limit_user_check(void)
 {
-
+#ifdef TIF_FSCHECK
 	if (!test_thread_flag(TIF_FSCHECK))
 		return;
+#endif
 
-	BUG_ON(!segment_eq(get_fs(), USER_DS));
+	if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
+				  "Invalid address limit on user-mode return"))
+		force_sig(SIGKILL, current);
+
+#ifdef TIF_FSCHECK
 	clear_thread_flag(TIF_FSCHECK);
-}
 #endif
+}
 
 asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,
 			       qid_t id, void __user *addr);
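Review bot: the `force_sig(SIGKILL, current)` added under `if (CHECK_DATA_CORRUPTION(...))` is reached only when CONFIG_BUG_ON_DATA_CORRUPTION is off; with it on, CHECK_DATA_CORRUPTION() BUG()s and never returns true, so "by default, send a SIGKILL" in the commit message should be qualified and the function comment should spell out both outcomes. The same comment should also describe the new behaviour when TIF_FSCHECK is undefined: the `#ifdef` guards make the segment_eq() test run on every call, so an architecture without the flag must call this only from a path that has already detected a bad limit, or accept the extra test on every return.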
-- 
2.7.4


* [PATCH 2/4] Revert "arm/syscalls: Check address limit on user-mode return"
From: Kees Cook @ 2017-09-07 15:30 UTC
  To: Ingo Molnar
  Cc: Kees Cook, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Will Deacon, Andy Lutomirski, Will Drewry,
	Al Viro, Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, linux-api,
	linux-kernel

From: Thomas Garnier <thgarnie@google.com>

This reverts commit 73ac5d6a2b6ac3ae8d1e1818f3e9946f97489bc9.

The work pending loop can call set_fs after addr_limit_user_check
removed the _TIF_FSCHECK flag. This may happen at any time based on how
ARM handles alignment exceptions. It leads to an infinite loop condition.

After discussion, it has been agreed that the generic approach is not
tailored to the ARM architecture and any fix might not be complete. This
patch will be replaced by an architecture specific implementation. The
work flag approach will be kept for other architectures.

Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/arm/include/asm/thread_info.h | 15 ++++++---------
 arch/arm/include/asm/uaccess.h     |  2 --
 arch/arm/kernel/entry-common.S     |  9 ++-------
 arch/arm/kernel/signal.c           |  5 -----
 4 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
index 1d468b527b7b..776757d1604a 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -139,11 +139,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
 #define TIF_NEED_RESCHED	1	/* rescheduling necessary */
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_UPROBE		3	/* breakpointed or singlestepping */
-#define TIF_FSCHECK		4	/* Check FS is USER_DS on return */
-#define TIF_SYSCALL_TRACE	5	/* syscall trace active */
-#define TIF_SYSCALL_AUDIT	6	/* syscall auditing active */
-#define TIF_SYSCALL_TRACEPOINT	7	/* syscall tracepoint instrumentation */
-#define TIF_SECCOMP		8	/* seccomp syscall filtering active */
+#define TIF_SYSCALL_TRACE	4	/* syscall trace active */
+#define TIF_SYSCALL_AUDIT	5	/* syscall auditing active */
+#define TIF_SYSCALL_TRACEPOINT	6	/* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define TIF_NOHZ		12	/* in adaptive nohz mode */
 #define TIF_USING_IWMMXT	17
@@ -154,7 +153,6 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
 #define _TIF_UPROBE		(1 << TIF_UPROBE)
-#define _TIF_FSCHECK		(1 << TIF_FSCHECK)
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
 #define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
@@ -168,9 +166,8 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
 /*
  * Change these and you break ASM code in entry-common.S
  */
-#define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING |	\
-				 _TIF_NOTIFY_RESUME | _TIF_UPROBE |	\
-				 _TIF_FSCHECK)
+#define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
+				 _TIF_NOTIFY_RESUME | _TIF_UPROBE)
 
 #endif /* __KERNEL__ */
 #endif /* __ASM_ARM_THREAD_INFO_H */
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index 87936dd5d151..0bf2347495f1 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -70,8 +70,6 @@ static inline void set_fs(mm_segment_t fs)
 {
 	current_thread_info()->addr_limit = fs;
 	modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
-	/* On user-mode return, check fs is correct */
-	set_thread_flag(TIF_FSCHECK);
 }
 
 #define segment_eq(a, b)	((a) == (b))
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index e33c32d56193..eb5cd77bf1d8 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -41,9 +41,7 @@ ret_fast_syscall:
  UNWIND(.cantunwind	)
 	disable_irq_notrace			@ disable interrupts
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
-	tst	r1, #_TIF_SYSCALL_WORK
-	bne	fast_work_pending
-	tst	r1, #_TIF_WORK_MASK
+	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	bne	fast_work_pending
 
 	/* perform architecture specific actions before user return */
@@ -69,15 +67,12 @@ ret_fast_syscall:
 	str	r0, [sp, #S_R0 + S_OFF]!	@ save returned r0
 	disable_irq_notrace			@ disable interrupts
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
-	tst	r1, #_TIF_SYSCALL_WORK
-	bne	fast_work_pending
-	tst	r1, #_TIF_WORK_MASK
+	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	beq	no_work_pending
  UNWIND(.fnend		)
 ENDPROC(ret_fast_syscall)
 
 	/* Slower path - fall through to work_pending */
-fast_work_pending:
 #endif
 
 	tst	r1, #_TIF_SYSCALL_WORK
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index e2de50bf8742..5814298ef0b7 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -14,7 +14,6 @@
 #include <linux/uaccess.h>
 #include <linux/tracehook.h>
 #include <linux/uprobes.h>
-#include <linux/syscalls.h>
 
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
@@ -614,10 +613,6 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
 	 * Update the trace code with the current status.
 	 */
 	trace_hardirqs_off();
-
-	/* Check valid user FS if needed */
-	addr_limit_user_check();
-
 	do {
 		if (likely(thread_flags & _TIF_NEED_RESCHED)) {
 			schedule();
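Review bot: removing this addr_limit_user_check() call, together with the set_thread_flag(TIF_FSCHECK) removal in set_fs() above, leaves ARM with no address-limit check at all until 3/4 lands, so a tree built at this commit (or a bisect stopping here) silently loses the mitigation that 73ac5d6a2b6a introduced. Either squash the revert into 3/4 or state in the commit message that 3/4 must be applied in the same series; "will be replaced by an architecture specific implementation" does not make the dependency explicit.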
-- 
2.7.4


* [PATCH 3/4] arm/syscalls: Optimize address limit check
From: Kees Cook @ 2017-09-07 15:30 UTC
  To: Ingo Molnar
  Cc: Kees Cook, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Will Deacon, Andy Lutomirski, Will Drewry,
	Al Viro, Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, linux-api,
	linux-kernel

From: Thomas Garnier <thgarnie@google.com>

Disable the generic address limit check in favor of an architecture
specific optimized implementation. The generic implementation using
pending work flags did not work well with ARM and alignment faults.

The address limit is checked on each syscall return path to user-mode
as well as in the irq user-mode return function. If the address limit
was changed, a function is called to report data corruption (stopping
the kernel or process based on configuration).

The address limit check has to be done before any pending work because
it can reset the address limit and the process is killed using a
SIGKILL signal. For example, the lkdtm address limit check does not work
because the signal to kill the process will reset the user-mode address
limit.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Tested-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/arm/kernel/entry-common.S | 11 +++++++++++
 arch/arm/kernel/signal.c       |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index eb5cd77bf1d8..126fafc725bc 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -12,6 +12,7 @@
 #include <asm/unistd.h>
 #include <asm/ftrace.h>
 #include <asm/unwind.h>
+#include <asm/memory.h>
 #ifdef CONFIG_AEABI
 #include <asm/unistd-oabi.h>
 #endif
@@ -40,10 +41,14 @@ ret_fast_syscall:
  UNWIND(.fnstart	)
  UNWIND(.cantunwind	)
 	disable_irq_notrace			@ disable interrupts
+	ldr	r2, [tsk, #TI_ADDR_LIMIT]
+	cmp	r2, #TASK_SIZE
+	blne	addr_limit_check_failed
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
 	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	bne	fast_work_pending
 
+
 	/* perform architecture specific actions before user return */
 	arch_ret_to_user r1, lr
 
@@ -66,6 +71,9 @@ ret_fast_syscall:
  UNWIND(.cantunwind	)
 	str	r0, [sp, #S_R0 + S_OFF]!	@ save returned r0
 	disable_irq_notrace			@ disable interrupts
+	ldr	r2, [tsk, #TI_ADDR_LIMIT]
+	cmp	r2, #TASK_SIZE
+	blne	addr_limit_check_failed
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
 	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	beq	no_work_pending
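Review bot: this is the second of three identical copies of the `ldr r2, [tsk, #TI_ADDR_LIMIT]` / `cmp` / `blne addr_limit_check_failed` sequence (the others are in the first ret_fast_syscall variant above and in ret_to_user_from_irq below); an assembler macro, say `addr_limit_check` (name is a suggestion), would keep the comparison and the register choice in one place so that a later change to either is not missed at one of the sites. A short comment on that macro explaining why it must run before the TI_FLAGS test (pending work can reset the limit, per the commit message) would also save the next reader a trip to the changelog.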
@@ -98,6 +106,9 @@ ENTRY(ret_to_user)
 ret_slow_syscall:
 	disable_irq_notrace			@ disable interrupts
 ENTRY(ret_to_user_from_irq)
+	ldr	r2, [tsk, #TI_ADDR_LIMIT]
+	cmp	r2, #TASK_SIZE
+	blne	addr_limit_check_failed
 	ldr	r1, [tsk, #TI_FLAGS]
 	tst	r1, #_TIF_WORK_MASK
 	bne	slow_work_pending
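Review bot: the check is correctly placed before `tst r1, #_TIF_WORK_MASK`, as the commit message requires, but ret_to_user_from_irq is an ENTRY reached from the exception return path as well as by fall-through from ret_slow_syscall, and only the latter visibly runs disable_irq_notrace first. If a caller ever arrived here with interrupts enabled, a set_fs() performed in an interrupt handler between the `ldr r2` and the actual return to user-mode would go unchecked, so the precondition that interrupts are already disabled at this label should be stated in a comment next to the ENTRY.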
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index 5814298ef0b7..b67ae12503f3 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -14,6 +14,7 @@
 #include <linux/uaccess.h>
 #include <linux/tracehook.h>
 #include <linux/uprobes.h>
+#include <linux/syscalls.h>
 
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
@@ -673,3 +674,9 @@ struct page *get_signal_page(void)
 
 	return page;
 }
+
+/* Defer to generic check */
+asmlinkage void addr_limit_check_failed(void)
+{
+	addr_limit_user_check();
+}
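Review bot: addr_limit_check_failed() is called only from assembly, so nothing declares it and -Wmissing-prototypes will complain; add a prototype (asm/uaccess.h next to set_fs() is a natural home) and expand the "Defer to generic check" comment. The wrapper is only correct because ARM no longer defines TIF_FSCHECK after 2/4, which makes addr_limit_user_check() run its segment_eq(get_fs(), USER_DS) test unconditionally; a reader of signal.c cannot see that the assembly has already found the limit wrong, nor that this is why the check is invoked from here rather than from do_work_pending().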
-- 
2.7.4


* [PATCH 4/4] arm64/syscalls: Move address limit check in loop
From: Kees Cook @ 2017-09-07 15:30 UTC
  To: Ingo Molnar
  Cc: Kees Cook, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Will Deacon, Andy Lutomirski, Will Drewry,
	Al Viro, Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, linux-api,
	linux-kernel

From: Thomas Garnier <thgarnie@google.com>

A bug was reported on ARM where set_fs might be called after it was
checked on the work pending function. ARM64 is not affected by this bug
but has a similar construct. In order to avoid any similar problems in
the future, the addr_limit_user_check function is moved to the beginning
of the loop.

Fixes: cf7de27ab351 ("arm64/syscalls: Check address limit on user-mode return")
Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/arm64/kernel/signal.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index c45214f8fb54..0bdc96c61bc0 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -751,10 +751,10 @@ asmlinkage void do_notify_resume(struct pt_regs *regs,
 	 */
 	trace_hardirqs_off();
 
-	/* Check valid user FS if needed */
-	addr_limit_user_check();
-
 	do {
+		/* Check valid user FS if needed */
+		addr_limit_user_check();
+
 		if (thread_flags & _TIF_NEED_RESCHED) {
 			schedule();
 		} else {
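Review bot: moving the call inside the do/while makes it run on every iteration, including ones that only reschedule; that is cheap because addr_limit_user_check() returns early unless TIF_FSCHECK is set, but the comment "Check valid user FS if needed" should state the ordering rule the move enforces (the check must precede the pending work of the same iteration, since work such as signal delivery can reset the limit, as 3/4's commit message explains). The commit message could also address the residual case Will raises later in the thread, set_fs() re-raising TIF_FSCHECK from interrupt context on every pass, and say whether the loop can still livelock.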
-- 
2.7.4


* Re: [PATCH 4/4] arm64/syscalls: Move address limit check in loop
From: Will Deacon @ 2017-09-12 18:27 UTC
  To: Kees Cook
  Cc: Ingo Molnar, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Andy Lutomirski, Will Drewry, Al Viro,
	Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, linux-api,
	linux-kernel

Hi Kees,

On Thu, Sep 07, 2017 at 08:30:47AM -0700, Kees Cook wrote:
> From: Thomas Garnier <thgarnie@google.com>
> 
> A bug was reported on ARM where set_fs might be called after it was
> checked on the work pending function. ARM64 is not affected by this bug
> but has a similar construct. In order to avoid any similar problems in
> the future, the addr_limit_user_check function is moved at the beginning
> of the loop.
> 
> Fixes: cf7de27ab351 ("arm64/syscalls: Check address limit on user-mode return")
> Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
> Signed-off-by: Thomas Garnier <thgarnie@google.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  arch/arm64/kernel/signal.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

What's the plan for this series? It looks like somehow an old v2 of the
original series made it into mainline, so I'd like to see these fixes get
in ASAP. I'm still slightly nervous about pathological setting of the
FSCHECK flag due to e.g. a PMU IRQ causing a livelock in do_notify_resume,
but that's at least less likely with this fix :/

Will


* Re: [PATCH 4/4] arm64/syscalls: Move address limit check in loop
From: Kees Cook @ 2017-09-12 18:28 UTC
  To: Will Deacon, Ingo Molnar
  Cc: Thomas Garnier, Thomas Gleixner, Russell King, Catalin Marinas,
	Andy Lutomirski, Will Drewry, Al Viro, Dave Martin,
	Pratyush Anand, Dave Hansen, Arnd Bergmann, David Howells,
	Yonghong Song, linux-arm-kernel, Linux API, LKML

On Tue, Sep 12, 2017 at 11:27 AM, Will Deacon <will.deacon@arm.com> wrote:
> Hi Kees,
>
> On Thu, Sep 07, 2017 at 08:30:47AM -0700, Kees Cook wrote:
>> From: Thomas Garnier <thgarnie@google.com>
>>
>> A bug was reported on ARM where set_fs might be called after it was
>> checked on the work pending function. ARM64 is not affected by this bug
>> but has a similar construct. In order to avoid any similar problems in
>> the future, the addr_limit_user_check function is moved at the beginning
>> of the loop.
>>
>> Fixes: cf7de27ab351 ("arm64/syscalls: Check address limit on user-mode return")
>> Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
>> Signed-off-by: Thomas Garnier <thgarnie@google.com>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>>  arch/arm64/kernel/signal.c | 6 +++---
>>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> What's the plan for this series? It looks like somehow an old v2 of the
> original series made it into mainline, so I'd like to see these fixes get
> in ASAP. I'm still slightly nervous about pathological setting of the
> FSCHECK flag due to e.g. a PMU IRQ causing a livelock in do_notify_resume,
> but that's at least less likely with this fix :/

Hi! I resent this to Ingo to pick up for -tip. I think he's waiting
for -rc1, IIUC. Ingo, can you comment on timing for this getting sent
to Linus?

-Kees

-- 
Kees Cook
Pixel Security

* Re: [PATCH 4/4] arm64/syscalls: Move address limit check in loop
  2017-09-12 18:28       ` Kees Cook
@ 2017-09-13  8:00         ` Ingo Molnar
  -1 siblings, 0 replies; 22+ messages in thread
From: Ingo Molnar @ 2017-09-13  8:00 UTC (permalink / raw)
  To: Kees Cook
  Cc: Will Deacon, Thomas Garnier, Thomas Gleixner, Russell King,
	Catalin Marinas, Andy Lutomirski, Will Drewry, Al Viro,
	Dave Martin, Pratyush Anand, Dave Hansen, Arnd Bergmann,
	David Howells, Yonghong Song, linux-arm-kernel, Linux API, LKML


* Kees Cook <keescook@chromium.org> wrote:

> On Tue, Sep 12, 2017 at 11:27 AM, Will Deacon <will.deacon@arm.com> wrote:
> > Hi Kees,
> >
> > On Thu, Sep 07, 2017 at 08:30:47AM -0700, Kees Cook wrote:
> >> From: Thomas Garnier <thgarnie@google.com>
> >>
> >> A bug was reported on ARM where set_fs might be called after it was
> >> checked on the work pending function. ARM64 is not affected by this bug
> >> but has a similar construct. In order to avoid any similar problems in
> >> the future, the addr_limit_user_check function is moved to the beginning
> >> of the loop.
> >>
> >> Fixes: cf7de27ab351 ("arm64/syscalls: Check address limit on user-mode return")
> >> Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
> >> Signed-off-by: Thomas Garnier <thgarnie@google.com>
> >> Signed-off-by: Kees Cook <keescook@chromium.org>
> >> ---
> >>  arch/arm64/kernel/signal.c | 6 +++---
> >>  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > What's the plan for this series? It looks like somehow an old v2 of the
> > original series made it into mainline, so I'd like to see these fixes get
> > in ASAP. I'm still slightly nervous about pathological setting of the
> > FSCHECK flag due to e.g. a PMU IRQ causing a livelock in do_notify_resume,
> > but that's at least less likely with this fix :/
> 
> Hi! I resent this to Ingo to pick up for -tip. I think he's waiting
> for -rc1, IIUC. Ingo, can you comment on timing for this getting sent
> to Linus?

Will accelerate them - didn't realize the urgency.

Thanks,

	Ingo

* [tip:core/urgent] syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
  2017-09-07 15:30   ` Kees Cook
@ 2017-09-17 17:53   ` tip-bot for Thomas Garnier
  -1 siblings, 0 replies; 22+ messages in thread
From: tip-bot for Thomas Garnier @ 2017-09-17 17:53 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: hpa, linux, arnd, luto, panand, wad, catalin.marinas,
	linux-kernel, viro, Dave.Martin, thgarnie, will.deacon,
	dave.hansen, dhowells, tglx, mingo, yhs, keescook

Commit-ID:  bf29ed1567b67854dc13504f685c45a2ea9b2081
Gitweb:     http://git.kernel.org/tip/bf29ed1567b67854dc13504f685c45a2ea9b2081
Author:     Thomas Garnier <thgarnie@google.com>
AuthorDate: Thu, 7 Sep 2017 08:30:44 -0700
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sun, 17 Sep 2017 19:45:32 +0200

syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check

Use CHECK_DATA_CORRUPTION instead of BUG_ON to provide more flexibility
on address limit failures. By default, send a SIGKILL signal to kill the
current process preventing exploitation of a bad address limit.

Make the TIF_FSCHECK flag optional so ARM can use this function.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Will Drewry <wad@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David Howells <dhowells@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-api@vger.kernel.org
Cc: Yonghong Song <yhs@fb.com>
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1504798247-48833-2-git-send-email-keescook@chromium.org

---
 include/linux/syscalls.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 95606a2..a78186d 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -221,21 +221,25 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
 	}								\
 	static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))
 
-#ifdef TIF_FSCHECK
 /*
  * Called before coming back to user-mode. Returning to user-mode with an
  * address limit different than USER_DS can allow to overwrite kernel memory.
  */
 static inline void addr_limit_user_check(void)
 {
-
+#ifdef TIF_FSCHECK
 	if (!test_thread_flag(TIF_FSCHECK))
 		return;
+#endif
 
-	BUG_ON(!segment_eq(get_fs(), USER_DS));
+	if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
+				  "Invalid address limit on user-mode return"))
+		force_sig(SIGKILL, current);
+
+#ifdef TIF_FSCHECK
 	clear_thread_flag(TIF_FSCHECK);
-}
 #endif
+}
 
 asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,
 			       qid_t id, void __user *addr);
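Review bot: the new CHECK_DATA_CORRUPTION branch kills the task but leaves the wrong address limit in place, and the comment above addr_limit_user_check() does not say why. Resetting it with set_fs(USER_DS) here would re-arm TIF_FSCHECK on architectures whose set_fs() sets that flag (the ARM set_fs() reverted in the next patch does exactly that), so the omission is deliberate and deserves a one-line comment next to force_sig(). Second documentation point: when TIF_FSCHECK is not defined, the early return is compiled out and the segment_eq() test runs on every call, so callers on such architectures must invoke this only from an already-failed compare, as the ARM addr_limit_check_failed() in patch 3 does.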

* [tip:core/urgent] Revert "arm/syscalls: Check address limit on user-mode return"
  2017-09-07 15:30   ` Kees Cook
@ 2017-09-17 17:54   ` tip-bot for Thomas Garnier
  -1 siblings, 0 replies; 22+ messages in thread
From: tip-bot for Thomas Garnier @ 2017-09-17 17:54 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: panand, wad, luto, Dave.Martin, tglx, catalin.marinas, keescook,
	hpa, will.deacon, thgarnie, mingo, dave.hansen, viro,
	leonard.crestez, yhs, linux-kernel, arnd, linux, dhowells

Commit-ID:  2404269bc4e77a67875c8db6667be34c9913c96e
Gitweb:     http://git.kernel.org/tip/2404269bc4e77a67875c8db6667be34c9913c96e
Author:     Thomas Garnier <thgarnie@google.com>
AuthorDate: Thu, 7 Sep 2017 08:30:45 -0700
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sun, 17 Sep 2017 19:45:33 +0200

Revert "arm/syscalls: Check address limit on user-mode return"

This reverts commit 73ac5d6a2b6ac3ae8d1e1818f3e9946f97489bc9.

The work pending loop can call set_fs after addr_limit_user_check
removed the _TIF_FSCHECK flag. This may happen at any time based on how
ARM handles alignment exceptions. It leads to an infinite loop condition.

After discussion, it has been agreed that the generic approach is not
tailored to the ARM architecture and any fix might not be complete. This
patch will be replaced by an architecture specific implementation. The
work flag approach will be kept for other architectures.

Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Will Drewry <wad@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David Howells <dhowells@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-api@vger.kernel.org
Cc: Yonghong Song <yhs@fb.com>
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1504798247-48833-3-git-send-email-keescook@chromium.org

---
 arch/arm/include/asm/thread_info.h | 15 ++++++---------
 arch/arm/include/asm/uaccess.h     |  2 --
 arch/arm/kernel/entry-common.S     |  9 ++-------
 arch/arm/kernel/signal.c           |  5 -----
 4 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
index 1d468b5..776757d 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -139,11 +139,10 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
 #define TIF_NEED_RESCHED	1	/* rescheduling necessary */
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_UPROBE		3	/* breakpointed or singlestepping */
-#define TIF_FSCHECK		4	/* Check FS is USER_DS on return */
-#define TIF_SYSCALL_TRACE	5	/* syscall trace active */
-#define TIF_SYSCALL_AUDIT	6	/* syscall auditing active */
-#define TIF_SYSCALL_TRACEPOINT	7	/* syscall tracepoint instrumentation */
-#define TIF_SECCOMP		8	/* seccomp syscall filtering active */
+#define TIF_SYSCALL_TRACE	4	/* syscall trace active */
+#define TIF_SYSCALL_AUDIT	5	/* syscall auditing active */
+#define TIF_SYSCALL_TRACEPOINT	6	/* syscall tracepoint instrumentation */
+#define TIF_SECCOMP		7	/* seccomp syscall filtering active */
 
 #define TIF_NOHZ		12	/* in adaptive nohz mode */
 #define TIF_USING_IWMMXT	17
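Review bot: removing TIF_FSCHECK here also compiles out the `#ifdef TIF_FSCHECK` early return in the generic addr_limit_user_check() from patch 1, so on ARM that helper now performs the segment_eq() test unconditionally whenever it is called. The commit message says the generic approach is replaced by an architecture specific one, but patch 3 still defers to the generic helper; a sentence noting that only the flag-driven part goes away would make the dependency between the two patches explicit.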
@@ -154,7 +153,6 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
 #define _TIF_UPROBE		(1 << TIF_UPROBE)
-#define _TIF_FSCHECK		(1 << TIF_FSCHECK)
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
 #define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
 #define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
@@ -168,9 +166,8 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
 /*
  * Change these and you break ASM code in entry-common.S
  */
-#define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING |	\
-				 _TIF_NOTIFY_RESUME | _TIF_UPROBE |	\
-				 _TIF_FSCHECK)
+#define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
+				 _TIF_NOTIFY_RESUME | _TIF_UPROBE)
 
 #endif /* __KERNEL__ */
 #endif /* __ASM_ARM_THREAD_INFO_H */
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
index 87936dd..0bf2347 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -70,8 +70,6 @@ static inline void set_fs(mm_segment_t fs)
 {
 	current_thread_info()->addr_limit = fs;
 	modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
-	/* On user-mode return, check fs is correct */
-	set_thread_flag(TIF_FSCHECK);
 }
 
 #define segment_eq(a, b)	((a) == (b))
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index ca3614d..0b60adf 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -49,9 +49,7 @@ ret_fast_syscall:
  UNWIND(.cantunwind	)
 	disable_irq_notrace			@ disable interrupts
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
-	tst	r1, #_TIF_SYSCALL_WORK
-	bne	fast_work_pending
-	tst	r1, #_TIF_WORK_MASK
+	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	bne	fast_work_pending
 
 	/* perform architecture specific actions before user return */
@@ -77,15 +75,12 @@ ret_fast_syscall:
 	str	r0, [sp, #S_R0 + S_OFF]!	@ save returned r0
 	disable_irq_notrace			@ disable interrupts
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
-	tst	r1, #_TIF_SYSCALL_WORK
-	bne	fast_work_pending
-	tst	r1, #_TIF_WORK_MASK
+	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	beq	no_work_pending
  UNWIND(.fnend		)
 ENDPROC(ret_fast_syscall)
 
 	/* Slower path - fall through to work_pending */
-fast_work_pending:
 #endif
 
 	tst	r1, #_TIF_SYSCALL_WORK
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index e2de50b..5814298 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -14,7 +14,6 @@
 #include <linux/uaccess.h>
 #include <linux/tracehook.h>
 #include <linux/uprobes.h>
-#include <linux/syscalls.h>
 
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
@@ -614,10 +613,6 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
 	 * Update the trace code with the current status.
 	 */
 	trace_hardirqs_off();
-
-	/* Check valid user FS if needed */
-	addr_limit_user_check();
-
 	do {
 		if (likely(thread_flags & _TIF_NEED_RESCHED)) {
 			schedule();
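Review bot: the removed addr_limit_user_check() call sat above the do loop, so work executed inside the loop could call set_fs() after the check had already cleared _TIF_FSCHECK, leaving the flag set again on exit and re-entering the work-pending path, which is the infinite loop the commit message describes. Dropping the call rather than moving it inside the loop (the approach the arm64 patch in this series takes) is fine here because patch 3 re-does the check in assembly on the return paths, but the commit message should say that is why ARM diverges from arm64.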

* [tip:core/urgent] arm/syscalls: Optimize address limit check
  2017-09-07 15:30   ` Kees Cook
@ 2017-09-17 17:54   ` tip-bot for Thomas Garnier
  -1 siblings, 0 replies; 22+ messages in thread
From: tip-bot for Thomas Garnier @ 2017-09-17 17:54 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: dhowells, dave.hansen, thgarnie, linux-kernel, panand,
	will.deacon, luto, arnd, wad, leonard.crestez, viro, Dave.Martin,
	keescook, yhs, linux, hpa, tglx, mingo, catalin.marinas

Commit-ID:  e33f8d32677fa4f4f8996ef46748f86aac81ccff
Gitweb:     http://git.kernel.org/tip/e33f8d32677fa4f4f8996ef46748f86aac81ccff
Author:     Thomas Garnier <thgarnie@google.com>
AuthorDate: Thu, 7 Sep 2017 08:30:46 -0700
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sun, 17 Sep 2017 19:45:33 +0200

arm/syscalls: Optimize address limit check

Disable the generic address limit check in favor of an architecture
specific optimized implementation. The generic implementation using
pending work flags did not work well with ARM and alignment faults.

The address limit is checked on each syscall return-to-user-mode path
as well as in the IRQ user-mode return function. If the address limit
was changed, a function is called to report data corruption (stopping
the kernel or process based on configuration).

The address limit check has to be done before any pending work because
that work can reset the address limit, and the process is killed using a
SIGKILL signal. For example the lkdtm address limit check does not work
because the signal to kill the process will reset the user-mode address
limit.

Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Kees Cook <keescook@chromium.org>
Tested-by: Leonard Crestez <leonard.crestez@nxp.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Will Drewry <wad@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David Howells <dhowells@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-api@vger.kernel.org
Cc: Yonghong Song <yhs@fb.com>
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1504798247-48833-4-git-send-email-keescook@chromium.org

---
 arch/arm/kernel/entry-common.S | 11 +++++++++++
 arch/arm/kernel/signal.c       |  7 +++++++
 2 files changed, 18 insertions(+)

diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index 0b60adf..99c9082 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -12,6 +12,7 @@
 #include <asm/unistd.h>
 #include <asm/ftrace.h>
 #include <asm/unwind.h>
+#include <asm/memory.h>
 #ifdef CONFIG_AEABI
 #include <asm/unistd-oabi.h>
 #endif
@@ -48,10 +49,14 @@ ret_fast_syscall:
  UNWIND(.fnstart	)
  UNWIND(.cantunwind	)
 	disable_irq_notrace			@ disable interrupts
+	ldr	r2, [tsk, #TI_ADDR_LIMIT]
+	cmp	r2, #TASK_SIZE
+	blne	addr_limit_check_failed
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
 	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	bne	fast_work_pending
 
+
 	/* perform architecture specific actions before user return */
 	arch_ret_to_user r1, lr
 
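Review bot: in this fast-path hunk `blne addr_limit_check_failed` is taken while r0 still holds the live syscall return value; the slow path below first does `str r0, [sp, #S_R0 + S_OFF]!` and only then runs the same compare. A call into C clobbers r0-r3, ip and lr, so this is only correct because a failed compare ends in SIGKILL (or BUG, depending on configuration) and the clobbered r0 never reaches user-mode; add a comment saying so. The extra empty line inserted before the 'perform architecture specific actions' comment is stray whitespace and should be dropped.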
@@ -74,6 +79,9 @@ ret_fast_syscall:
  UNWIND(.cantunwind	)
 	str	r0, [sp, #S_R0 + S_OFF]!	@ save returned r0
 	disable_irq_notrace			@ disable interrupts
+	ldr	r2, [tsk, #TI_ADDR_LIMIT]
+	cmp	r2, #TASK_SIZE
+	blne	addr_limit_check_failed
 	ldr	r1, [tsk, #TI_FLAGS]		@ re-check for syscall tracing
 	tst	r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK
 	beq	no_work_pending
@@ -106,6 +114,9 @@ ENTRY(ret_to_user)
 ret_slow_syscall:
 	disable_irq_notrace			@ disable interrupts
 ENTRY(ret_to_user_from_irq)
+	ldr	r2, [tsk, #TI_ADDR_LIMIT]
+	cmp	r2, #TASK_SIZE
+	blne	addr_limit_check_failed
 	ldr	r1, [tsk, #TI_FLAGS]
 	tst	r1, #_TIF_WORK_MASK
 	bne	slow_work_pending
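Review bot: the ldr/cmp/blne sequence is now repeated verbatim in three return paths of this file; factor it into an assembler macro so the TASK_SIZE comparison and the callee name are maintained in one place, and give that macro a comment explaining that the check must run before the TI_FLAGS load so that a SIGKILL raised by the callee is picked up by the work-pending test that follows it.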
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index 5814298..b67ae12 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -14,6 +14,7 @@
 #include <linux/uaccess.h>
 #include <linux/tracehook.h>
 #include <linux/uprobes.h>
+#include <linux/syscalls.h>
 
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
@@ -673,3 +674,9 @@ struct page *get_signal_page(void)
 
 	return page;
 }
+
+/* Defer to generic check */
+asmlinkage void addr_limit_check_failed(void)
+{
+	addr_limit_user_check();
+}
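Review bot: addr_limit_check_failed() is reached only after `cmp r2, #TASK_SIZE` failed, yet the generic helper it defers to re-tests get_fs() against USER_DS; the two agree because ARM defines USER_DS as TASK_SIZE, and that assumption should be written down in the comment here (or pinned with a BUILD_BUG_ON) rather than left for the reader to rediscover. The function also lacks a prototype in any header; since its only caller is entry-common.S, declare it with a note to that effect so -Wmissing-prototypes stays quiet.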

* [tip:core/urgent] arm64/syscalls: Move address limit check in loop
  2017-09-07 15:30   ` Kees Cook
@ 2017-09-17 17:54   ` tip-bot for Thomas Garnier
  -1 siblings, 0 replies; 22+ messages in thread
From: tip-bot for Thomas Garnier @ 2017-09-17 17:54 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: catalin.marinas, dhowells, wad, will.deacon, tglx, panand, hpa,
	dave.hansen, linux-kernel, leonard.crestez, arnd, keescook,
	Dave.Martin, mingo, luto, yhs, thgarnie, viro, linux

Commit-ID:  a2048e34d4655c06d31400646ae495bbfeb16b27
Gitweb:     http://git.kernel.org/tip/a2048e34d4655c06d31400646ae495bbfeb16b27
Author:     Thomas Garnier <thgarnie@google.com>
AuthorDate: Thu, 7 Sep 2017 08:30:47 -0700
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Sun, 17 Sep 2017 19:45:33 +0200

arm64/syscalls: Move address limit check in loop

A bug was reported on ARM where set_fs might be called after it was
checked on the work pending function. ARM64 is not affected by this bug
but has a similar construct. In order to avoid any similar problems in
the future, the addr_limit_user_check function is moved to the beginning
of the loop.

Fixes: cf7de27ab351 ("arm64/syscalls: Check address limit on user-mode return")
Reported-by: Leonard Crestez <leonard.crestez@nxp.com>
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Pratyush Anand <panand@redhat.com>
Cc: Dave Martin <Dave.Martin@arm.com>
Cc: Will Drewry <wad@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: David Howells <dhowells@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-api@vger.kernel.org
Cc: Yonghong Song <yhs@fb.com>
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1504798247-48833-5-git-send-email-keescook@chromium.org

---
 arch/arm64/kernel/signal.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index c45214f..0bdc96c 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -751,10 +751,10 @@ asmlinkage void do_notify_resume(struct pt_regs *regs,
 	 */
 	trace_hardirqs_off();
 
-	/* Check valid user FS if needed */
-	addr_limit_user_check();
-
 	do {
+		/* Check valid user FS if needed */
+		addr_limit_user_check();
+
 		if (thread_flags & _TIF_NEED_RESCHED) {
 			schedule();
 		} else {
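Review bot: moving the call to the top of the loop only helps if the loop runs again after work in its body calls set_fs(), i.e. if TIF_FSCHECK is part of arm64's _TIF_WORK_MASK; that dependency is not visible in this hunk and deserves a sentence in the commit message. As Will points out in the thread above, work that re-sets the flag on every iteration (his PMU IRQ example) would still spin here, so the message should present this as narrowing the window rather than closing it.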

Thread overview: 22+ messages
2017-09-07 15:30 [PATCH 0/4] Fix check address limit on user-mode Kees Cook
2017-09-07 15:30 ` Kees Cook
2017-09-07 15:30 ` [PATCH 1/4] syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check Kees Cook
2017-09-07 15:30   ` Kees Cook
2017-09-17 17:53   ` [tip:core/urgent] " tip-bot for Thomas Garnier
2017-09-07 15:30 ` [PATCH 2/4] Revert "arm/syscalls: Check address limit on user-mode return" Kees Cook
2017-09-07 15:30   ` Kees Cook
2017-09-17 17:54   ` [tip:core/urgent] " tip-bot for Thomas Garnier
2017-09-07 15:30 ` [PATCH 3/4] arm/syscalls: Optimize address limit check Kees Cook
2017-09-07 15:30   ` Kees Cook
2017-09-17 17:54   ` [tip:core/urgent] " tip-bot for Thomas Garnier
2017-09-07 15:30 ` [PATCH 4/4] arm64/syscalls: Move address limit check in loop Kees Cook
2017-09-07 15:30   ` Kees Cook
2017-09-12 18:27   ` Will Deacon
2017-09-12 18:27     ` Will Deacon
2017-09-12 18:28     ` Kees Cook
2017-09-12 18:28       ` Kees Cook
2017-09-12 18:28       ` Kees Cook
2017-09-13  8:00       ` Ingo Molnar
2017-09-13  8:00         ` Ingo Molnar
2017-09-13  8:00         ` Ingo Molnar
2017-09-17 17:54   ` [tip:core/urgent] " tip-bot for Thomas Garnier
