From mboxrd@z Thu Jan 1 00:00:00 1970 From: Catalin Marinas Subject: Re: [PATCH v5 03/30] arm64: signal: Verify extra data is user-readable in sys_rt_sigreturn Date: Wed, 1 Nov 2017 11:43:29 +0000 Message-ID: <20171101114329.5eaejnxwojvadbex@armageddon.cambridge.arm.com> References: <1509465082-30427-1-git-send-email-Dave.Martin@arm.com> <1509465082-30427-4-git-send-email-Dave.Martin@arm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:46272 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754089AbdKALne (ORCPT ); Wed, 1 Nov 2017 07:43:34 -0400 Content-Disposition: inline In-Reply-To: <1509465082-30427-4-git-send-email-Dave.Martin@arm.com> Sender: linux-arch-owner@vger.kernel.org List-ID: To: Dave Martin Cc: linux-arm-kernel@lists.infradead.org, linux-arch@vger.kernel.org, Okamoto Takayuki , libc-alpha@sourceware.org, Ard Biesheuvel , Szabolcs Nagy , Will Deacon , Alex =?iso-8859-1?Q?Benn=E9e?= , kvmarm@lists.cs.columbia.edu On Tue, Oct 31, 2017 at 03:50:55PM +0000, Dave P Martin wrote: > Currently sys_rt_sigreturn() verifies that the base sigframe is > readable, but no similar check is performed on the extra data to > which an extra_context record points. > > This matters because the extra data will be read with the > unprotected user accessors. However, this is not a problem at > present because the extra data base address is required to be > exactly at the end of the base sigframe. So, there would need to > be a non-user-readable kernel address within about 59K > (SIGFRAME_MAXSZ - sizeof(struct rt_sigframe)) of some address for > which access_ok(VERIFY_READ) returns true, in order for sigreturn > to be able to read kernel memory that should be inaccessible to the > user task. This is currently impossible due to the untranslatable > address hole between the TTBR0 and TTBR1 address ranges. > > Disappearance of the hole between the TTBR0 and TTBR1 mapping > ranges would require the VA size for TTBR0 and TTBR1 to grow to at > least 55 bits, and either the disabling of tagged pointers for > userspace or enabling of tagged pointers for kernel space; none of > which is currently envisaged. > > Even so, it is wrong to use the unprotected user accessors without > an accompanying access_ok() check. > > To avoid the potential for future surprises, this patch does an > explicit access_ok() check on the extra data space when parsing an > extra_context record. > > Fixes: 33f082614c34 ("arm64: signal: Allow expansion of the signal frame") > Signed-off-by: Dave Martin Acked-by: Catalin Marinas From mboxrd@z Thu Jan 1 00:00:00 1970 From: catalin.marinas@arm.com (Catalin Marinas) Date: Wed, 1 Nov 2017 11:43:29 +0000 Subject: [PATCH v5 03/30] arm64: signal: Verify extra data is user-readable in sys_rt_sigreturn In-Reply-To: <1509465082-30427-4-git-send-email-Dave.Martin@arm.com> References: <1509465082-30427-1-git-send-email-Dave.Martin@arm.com> <1509465082-30427-4-git-send-email-Dave.Martin@arm.com> Message-ID: <20171101114329.5eaejnxwojvadbex@armageddon.cambridge.arm.com> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On Tue, Oct 31, 2017 at 03:50:55PM +0000, Dave P Martin wrote: > Currently sys_rt_sigreturn() verifies that the base sigframe is > readable, but no similar check is performed on the extra data to > which an extra_context record points. > > This matters because the extra data will be read with the > unprotected user accessors. However, this is not a problem at > present because the extra data base address is required to be > exactly at the end of the base sigframe. So, there would need to > be a non-user-readable kernel address within about 59K > (SIGFRAME_MAXSZ - sizeof(struct rt_sigframe)) of some address for > which access_ok(VERIFY_READ) returns true, in order for sigreturn > to be able to read kernel memory that should be inaccessible to the > user task. This is currently impossible due to the untranslatable > address hole between the TTBR0 and TTBR1 address ranges. > > Disappearance of the hole between the TTBR0 and TTBR1 mapping > ranges would require the VA size for TTBR0 and TTBR1 to grow to at > least 55 bits, and either the disabling of tagged pointers for > userspace or enabling of tagged pointers for kernel space; none of > which is currently envisaged. > > Even so, it is wrong to use the unprotected user accessors without > an accompanying access_ok() check. > > To avoid the potential for future surprises, this patch does an > explicit access_ok() check on the extra data space when parsing an > extra_context record. > > Fixes: 33f082614c34 ("arm64: signal: Allow expansion of the signal frame") > Signed-off-by: Dave Martin Acked-by: Catalin Marinas