From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH 1/6] uaccess: Add user_read_access_begin/end and user_write_access_begin/end
Date: Fri, 29 May 2020 00:49:29 +0100 [thread overview]
Message-ID: <20200528234931.4104686-1-viro@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20200528234025.GT23230@ZenIV.linux.org.uk>
From: Christophe Leroy <christophe.leroy@c-s.fr>
Some architectures like powerpc64 have the capability to separate
read access and write access protection.
For get_user() and copy_from_user(), powerpc64 only open read access.
For put_user() and copy_to_user(), powerpc64 only open write access.
But when using unsafe_get_user() or unsafe_put_user(),
user_access_begin open both read and write.
Other architectures like powerpc book3s 32 bits only allow write
access protection. And on this architecture protection is an heavy
operation as it requires locking/unlocking per segment of 256Mbytes.
On those architecture it is therefore desirable to do the unlocking
only for write access. (Note that book3s/32 ranges from very old
powermac from the 90's with powerpc 601 processor, till modern
ADSL boxes with PowerQuicc II processors for instance so it
is still worth considering.)
In order to avoid any risk based of hacking some variable parameters
passed to user_access_begin/end that would allow hacking and
leaving user access open or opening too much, it is preferable to
use dedicated static functions that can't be overridden.
Add a user_read_access_begin and user_read_access_end to only open
read access.
Add a user_write_access_begin and user_write_access_end to only open
write access.
By default, when undefined, those new access helpers default on the
existing user_access_begin and user_access_end.
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/36e43241c7f043a24b5069e78c6a7edd11043be5.1585898438.git.christophe.leroy@c-s.fr
---
include/linux/uaccess.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index 67f016010aad..9861c89f93be 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -378,6 +378,14 @@ extern long strnlen_unsafe_user(const void __user *unsafe_addr, long count);
static inline unsigned long user_access_save(void) { return 0UL; }
static inline void user_access_restore(unsigned long flags) { }
#endif
+#ifndef user_write_access_begin
+#define user_write_access_begin user_access_begin
+#define user_write_access_end user_access_end
+#endif
+#ifndef user_read_access_begin
+#define user_read_access_begin user_access_begin
+#define user_read_access_end user_access_end
+#endif
#ifdef CONFIG_HARDENED_USERCOPY
void usercopy_warn(const char *name, const char *detail, bool to_user,
--
2.11.0
next prev parent reply other threads:[~2020-05-28 23:50 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-28 23:40 [PATCHES] uaccess base Al Viro
2020-05-28 23:48 ` [PATCHES] uaccess readdir Al Viro
2020-05-28 23:49 ` [PATCH 4/6] switch readdir(2) to unsafe_copy_dirent_name() Al Viro
2020-05-28 23:49 ` [PATCH 5/6] readdir.c: get compat_filldir() more or less in sync with filldir() Al Viro
2020-05-28 23:49 ` [PATCH 6/6] readdir.c: get rid of the last __put_user(), drop now-useless access_ok() Al Viro
2020-05-28 23:49 ` Al Viro [this message]
2020-05-28 23:49 ` [PATCH 2/6] uaccess: Selectively open read or write user access Al Viro
2020-05-28 23:49 ` [PATCH 3/6] drm/i915/gem: Replace user_access_begin by user_write_access_begin Al Viro
2020-05-28 23:57 ` [PATCHES] uaccess __copy_from_user() Al Viro
2020-05-28 23:58 ` [PATCH 1/2] firewire: switch ioctl_queue_iso to use of copy_from_user() Al Viro
2020-05-28 23:58 ` [PATCH 2/2] pstore: switch to copy_from_user() Al Viro
2020-05-29 0:03 ` [PATCHES] uaccess __copy_to_user() Al Viro
2020-05-29 0:04 ` [PATCH 1/2] esas2r: don't bother with __copy_to_user() Al Viro
2020-05-29 0:04 ` [PATCH 2/2] dlmfs: convert dlmfs_file_read() to copy_to_user() Al Viro
2020-05-29 1:27 ` Linus Torvalds
2020-05-29 1:47 ` Al Viro
2020-05-29 1:54 ` Linus Torvalds
2020-05-29 3:10 ` Al Viro
2020-05-29 3:42 ` Linus Torvalds
2020-05-29 20:46 ` Al Viro
2020-05-29 20:57 ` Linus Torvalds
2020-05-29 21:06 ` Al Viro
2020-05-29 0:09 ` [PATCHES] uaccess __put_user() Al Viro
2020-05-29 0:10 ` [PATCH 1/3] compat sysinfo(2): don't bother with field-by-field copyout Al Viro
2020-05-29 0:10 ` [PATCH 2/3] scsi_ioctl.c: switch SCSI_IOCTL_GET_IDLUN to copy_to_user() Al Viro
2020-05-29 0:10 ` [PATCH 3/3] pcm_native: result of put_user() needs to be checked Al Viro
2020-05-29 0:34 ` [PATCHES] uaccess comedi compat Al Viro
2020-05-29 0:35 ` [PATCH 01/10] comedi: move compat ioctl handling to native fops Al Viro
2020-05-29 0:35 ` [PATCH 02/10] comedi: get rid of indirection via translated_ioctl() Al Viro
2020-05-29 10:34 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 03/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat Al Viro
2020-05-29 10:35 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 04/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_RANGEINFO compat Al Viro
2020-05-29 10:35 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 05/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_INSN compat Al Viro
2020-05-29 10:05 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 06/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_INSNLIST compat Al Viro
2020-05-29 10:36 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 07/10] comedi: lift copy_from_user() into callers of __comedi_get_user_cmd() Al Viro
2020-05-29 10:37 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 08/10] comedi: do_cmdtest_ioctl(): lift copyin/copyout into the caller Al Viro
2020-05-29 10:37 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 09/10] comedi: do_cmd_ioctl(): " Al Viro
2020-05-29 10:38 ` Ian Abbott
2020-05-29 10:34 ` [PATCH 01/10] comedi: move compat ioctl handling to native fops Ian Abbott
2020-05-29 10:48 ` [PATCHES] uaccess comedi compat Ian Abbott
2020-05-29 14:15 ` Al Viro
2020-05-29 0:40 ` [PATCHES] uaccess i915 Al Viro
2020-05-29 5:06 ` Jani Nikula
2020-05-29 5:06 ` [Intel-gfx] " Jani Nikula
2020-05-29 14:17 ` Al Viro
2020-05-29 14:17 ` [Intel-gfx] " Al Viro
2020-05-29 0:41 ` [PATCH 1/5] i915: switch query_{topology,engine}_info() to copy_to_user() Al Viro
2020-05-29 0:41 ` [PATCH 2/5] i915: switch copy_perf_config_registers_or_number() to unsafe_put_user() Al Viro
2020-05-29 0:41 ` [PATCH 3/5] i915 compat ioctl(): just use drm_ioctl_kernel() Al Viro
2020-05-29 0:41 ` [PATCH 4/5] i915: alloc_oa_regs(): get rid of pointless access_ok() Al Viro
2020-05-29 0:41 ` [PATCH 5/5] i915:get_engines(): " Al Viro
2020-05-29 23:26 ` [PATCHES] uaccess misc Al Viro
2020-05-29 23:54 ` Linus Torvalds
2020-05-29 23:57 ` Linus Torvalds
2020-05-29 23:27 ` [PATCH 1/9] pselect6() and friends: take handling the combined 6th/7th args into helper Al Viro
2020-05-29 23:27 ` [PATCH 2/9] binfmt_elf: don't bother with __{put,copy_to}_user() Al Viro
2020-05-29 23:27 ` [PATCH 3/9] binfmt_elf_fdpic: don't use __... uaccess primitives Al Viro
2020-05-29 23:27 ` [PATCH 4/9] binfmt_flat: don't use __put_user() Al Viro
2020-05-29 23:27 ` [PATCH 5/9] x86: switch cp_stat64() to unsafe_put_user() Al Viro
2020-05-29 23:27 ` [PATCH 6/9] TEST_ACCESS_OK _never_ had been checked anywhere Al Viro
2020-05-29 23:27 ` [PATCH 7/9] user_regset_copyout_zero(): use clear_user() Al Viro
2020-05-29 23:27 ` [PATCH 8/9] x86: kvm_hv_set_msr(): use __put_user() instead of 32bit __clear_user() Al Viro
2020-05-29 23:52 ` Linus Torvalds
2020-05-30 14:31 ` Al Viro
2020-05-30 14:52 ` Al Viro
2020-05-30 16:20 ` Paolo Bonzini
2020-05-30 17:57 ` Linus Torvalds
2020-05-30 18:38 ` Al Viro
2020-05-30 18:52 ` Linus Torvalds
2020-05-30 19:14 ` Al Viro
2020-05-30 19:20 ` Linus Torvalds
2020-05-30 19:42 ` Al Viro
2020-05-30 20:43 ` Al Viro
2020-05-30 19:19 ` Al Viro
2020-05-30 19:27 ` Al Viro
2020-05-29 23:28 ` [PATCH 9/9] bpf: make bpf_check_uarg_tail_zero() use check_zeroed_user() Al Viro
2020-05-31 16:35 ` Alexei Starovoitov
2020-05-29 23:39 ` [PATCHES] uaccess hpsa Al Viro
2020-05-29 23:40 ` [PATCH 1/4] hpsa passthrough: lift {BIG_,}IOCTL_Command_struct copy{in,out} into hpsa_ioctl() Al Viro
2020-05-29 23:40 ` [PATCH 2/4] hpsa: don't bother with vmalloc for BIG_IOCTL_Command_struct Al Viro
2020-05-29 23:40 ` [PATCH 3/4] hpsa: get rid of compat_alloc_user_space() Al Viro
2020-05-29 23:40 ` [PATCH 4/4] hpsa_ioctl(): tidy up a bit Al Viro
2020-06-03 1:57 ` [PATCHES] uaccess hpsa Martin K. Petersen
2020-06-03 18:37 ` Don.Brace
2020-06-03 19:17 ` Al Viro
2020-06-03 20:53 ` Martin K. Petersen
2020-06-03 20:54 ` Al Viro
2020-06-04 14:18 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200528234931.4104686-1-viro@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.