All of lore.kernel.org
 help / color / mirror / Atom feed
From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Randy Dunlap <rdunlap@infradead.org>,
	akpm@linux-foundation.org, broonie@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, linux-next@vger.kernel.org, mhocko@suse.cz,
	mm-commits@vger.kernel.org, sfr@canb.auug.org.au
Subject: Re: mmotm 2019-08-27-20-39 uploaded (objtool: xen)
Date: Thu, 29 Aug 2019 18:37:35 -0500	[thread overview]
Message-ID: <20190829233735.yp3mwhg6er353qw5@treble> (raw)
In-Reply-To: <20190829082445.GM2369@hirez.programming.kicks-ass.net>

On Thu, Aug 29, 2019 at 10:24:45AM +0200, Peter Zijlstra wrote:
> On Wed, Aug 28, 2019 at 03:01:34PM -0500, Josh Poimboeuf wrote:
> > On Wed, Aug 28, 2019 at 10:56:25AM -0700, Randy Dunlap wrote:
> > > >> drivers/xen/gntdev.o: warning: objtool: gntdev_copy()+0x229: call to __ubsan_handle_out_of_bounds() with UACCESS enabled
> > > > 
> > > > Easy one :-)
> > > > 
> > > > diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> > > > index 0c8e17f946cd..6a935ab93149 100644
> > > > --- a/tools/objtool/check.c
> > > > +++ b/tools/objtool/check.c
> > > > @@ -483,6 +483,7 @@ static const char *uaccess_safe_builtin[] = {
> > > >  	"ubsan_type_mismatch_common",
> > > >  	"__ubsan_handle_type_mismatch",
> > > >  	"__ubsan_handle_type_mismatch_v1",
> > > > +	"__ubsan_handle_out_of_bounds",
> > > >  	/* misc */
> > > >  	"csum_partial_copy_generic",
> > > >  	"__memcpy_mcsafe",
> > > > 
> > > 
> > > 
> > > then I get this one:
> > > 
> > > lib/ubsan.o: warning: objtool: __ubsan_handle_out_of_bounds()+0x5d: call to ubsan_prologue() with UACCESS enabled
> > 
> > And of course I jinxed it by calling it easy.
> > 
> > Peter, how do you want to handle this?
> > 
> > Should we just disable UACCESS checking in lib/ubsan.c?
> 
> No, that is actually unsafe and could break things (as would you patch
> above).

Oops.  -EFIXINGTOOMANYOBJTOOLISSUESATONCE

> I'm thinking the below patch ought to cure things:
> 
> ---
> Subject: x86/uaccess: Don't leak the AC flags into __get_user() argument evalidation

s/evalidation/evaluation

> Identical to __put_user(); the __get_user() argument evalution will too
> leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
> While uncommon this was observed to happen for:
> 
>   drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))
> 
> where UBSAN added array bound checking.
> 
> This complements commit:
> 
>   6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")
> 
> Reported-by: Randy Dunlap <rdunlap@infradead.org>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> Cc: luto@kernel.org
> ---
>  arch/x86/include/asm/uaccess.h | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 9c4435307ff8..35c225ede0e4 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -444,8 +444,10 @@ __pu_label:							\
>  ({									\
>  	int __gu_err;							\
>  	__inttype(*(ptr)) __gu_val;					\
> +	__typeof__(ptr) __gu_ptr = (ptr);				\
> +	__typeof__(size) __gu_size = (size);				\
>  	__uaccess_begin_nospec();					\
> -	__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);	\
> +	__get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT);	\
>  	__uaccess_end();						\
>  	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
>  	__builtin_expect(__gu_err, 0);					\

Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>

-- 
Josh

  reply	other threads:[~2019-08-29 23:37 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-28  3:40 mmotm 2019-08-27-20-39 uploaded akpm
2019-08-28 16:58 ` mmotm 2019-08-27-20-39 uploaded (objtool: xen) Randy Dunlap
2019-08-28 17:19   ` Josh Poimboeuf
2019-08-28 17:56     ` Randy Dunlap
2019-08-28 20:01       ` Josh Poimboeuf
2019-08-29  8:24         ` Peter Zijlstra
2019-08-29 23:37           ` Josh Poimboeuf [this message]
2019-08-30  4:10             ` Sedat Dilek
2019-08-30  4:10               ` Sedat Dilek
2019-09-02 12:34           ` [tip: x86/urgent] x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation tip-bot2 for Peter Zijlstra
2019-08-28 17:59 ` mmotm 2019-08-27-20-39 uploaded (gpu/drm/amd/display/) Randy Dunlap
2019-08-28 18:53   ` Alex Deucher
2019-08-28 18:53     ` Alex Deucher
2019-08-28 18:30 ` mmotm 2019-08-27-20-39 uploaded (sound/hda/intel-nhlt.c) Randy Dunlap
2019-08-28 19:28   ` Pierre-Louis Bossart
2019-08-28 21:06     ` Randy Dunlap
2019-08-28 22:20       ` Pierre-Louis Bossart
2019-08-28 22:45         ` Pierre-Louis Bossart
2019-08-28 22:59           ` Randy Dunlap
2019-08-29  2:26             ` Randy Dunlap
2019-08-29 15:08           ` [alsa-devel] " Takashi Iwai
2019-08-29 15:08             ` Takashi Iwai
2019-08-29 16:22             ` Pierre-Louis Bossart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190829233735.yp3mwhg6er353qw5@treble \
    --to=jpoimboe@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=broonie@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-next@vger.kernel.org \
    --cc=mhocko@suse.cz \
    --cc=mm-commits@vger.kernel.org \
    --cc=peterz@infradead.org \
    --cc=rdunlap@infradead.org \
    --cc=sfr@canb.auug.org.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.