From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
KVM list <kvm@vger.kernel.org>
Subject: Re: [PATCH 8/9] x86: kvm_hv_set_msr(): use __put_user() instead of 32bit __clear_user()
Date: Sat, 30 May 2020 21:43:06 +0100 [thread overview]
Message-ID: <20200530204306.GV23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20200530194232.GU23230@ZenIV.linux.org.uk>
On Sat, May 30, 2020 at 08:42:32PM +0100, Al Viro wrote:
> On Sat, May 30, 2020 at 12:20:54PM -0700, Linus Torvalds wrote:
> > On Sat, May 30, 2020 at 12:14 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > >
> > > > And none of that code verifies that the end result is a user address.
> > >
> > > kvm_is_error_hva() is
> > > return addr >= PAGE_OFFSET;
> >
> > Ahh, that's what I missed. It won't work on other architectures, but
> > within x86 it's fine.
>
> FWIW, we use virt/kvm on x86, powerpc, mips, s390 and arm64.
>
> For x86 and powerpc the check is, AFAICS, OK (ppc kernel might start
> higher than PAGE_OFFSET, but not lower than it). For arm64... not
> sure - I'm not familiar with the virtual address space layout we use
> there. mips does *NOT* get that protection at all - there kvm_is_error_hva()
> is IS_ERR_VALUE() (thus the "at least on non-mips" upthread). And
> for s390 it's also IS_ERR_VALUE(), but that's an separate can of worms -
> there access_ok() is constant true; if we ever hit any of that code in
> virt/kvm while under KERNEL_DS, we are well and truly fucked there.
Anyway, I really think it's too big to handle this cycle, what with the
amount of other stuff already in queue. If anything, that __put_user()
is a useful marker of the things that will need attention. That's arch/x86
and the test excluding the kernel space is just upstream of that call,
so IMO that's robust enough for now. Crossing the limit just into the
beginning of kernel space is theoretically possible, but that would
depend upon slot->userspace_addr not being page-aligned (and would attempt
to zero up to 3 bytes past the PAGE_OFFSET in any case). If we get
memory corruption going on, we have much worse problems than that.
And it would have to be memory corruption - ->userspace_addr is assign-once,
there's only one place doing the assignments and alignment check is
shortly upstream of it, so all instances must have that field page-aligned
all the time.
We'll need to sort the kvm-related issues out, but let's leave it for the
next cycle.
next prev parent reply other threads:[~2020-05-30 20:43 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-28 23:40 [PATCHES] uaccess base Al Viro
2020-05-28 23:48 ` [PATCHES] uaccess readdir Al Viro
2020-05-28 23:49 ` [PATCH 4/6] switch readdir(2) to unsafe_copy_dirent_name() Al Viro
2020-05-28 23:49 ` [PATCH 5/6] readdir.c: get compat_filldir() more or less in sync with filldir() Al Viro
2020-05-28 23:49 ` [PATCH 6/6] readdir.c: get rid of the last __put_user(), drop now-useless access_ok() Al Viro
2020-05-28 23:49 ` [PATCH 1/6] uaccess: Add user_read_access_begin/end and user_write_access_begin/end Al Viro
2020-05-28 23:49 ` [PATCH 2/6] uaccess: Selectively open read or write user access Al Viro
2020-05-28 23:49 ` [PATCH 3/6] drm/i915/gem: Replace user_access_begin by user_write_access_begin Al Viro
2020-05-28 23:57 ` [PATCHES] uaccess __copy_from_user() Al Viro
2020-05-28 23:58 ` [PATCH 1/2] firewire: switch ioctl_queue_iso to use of copy_from_user() Al Viro
2020-05-28 23:58 ` [PATCH 2/2] pstore: switch to copy_from_user() Al Viro
2020-05-29 0:03 ` [PATCHES] uaccess __copy_to_user() Al Viro
2020-05-29 0:04 ` [PATCH 1/2] esas2r: don't bother with __copy_to_user() Al Viro
2020-05-29 0:04 ` [PATCH 2/2] dlmfs: convert dlmfs_file_read() to copy_to_user() Al Viro
2020-05-29 1:27 ` Linus Torvalds
2020-05-29 1:47 ` Al Viro
2020-05-29 1:54 ` Linus Torvalds
2020-05-29 3:10 ` Al Viro
2020-05-29 3:42 ` Linus Torvalds
2020-05-29 20:46 ` Al Viro
2020-05-29 20:57 ` Linus Torvalds
2020-05-29 21:06 ` Al Viro
2020-05-29 0:09 ` [PATCHES] uaccess __put_user() Al Viro
2020-05-29 0:10 ` [PATCH 1/3] compat sysinfo(2): don't bother with field-by-field copyout Al Viro
2020-05-29 0:10 ` [PATCH 2/3] scsi_ioctl.c: switch SCSI_IOCTL_GET_IDLUN to copy_to_user() Al Viro
2020-05-29 0:10 ` [PATCH 3/3] pcm_native: result of put_user() needs to be checked Al Viro
2020-05-29 0:34 ` [PATCHES] uaccess comedi compat Al Viro
2020-05-29 0:35 ` [PATCH 01/10] comedi: move compat ioctl handling to native fops Al Viro
2020-05-29 0:35 ` [PATCH 02/10] comedi: get rid of indirection via translated_ioctl() Al Viro
2020-05-29 10:34 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 03/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat Al Viro
2020-05-29 10:35 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 04/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_RANGEINFO compat Al Viro
2020-05-29 10:35 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 05/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_INSN compat Al Viro
2020-05-29 10:05 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 06/10] comedi: get rid of compat_alloc_user_space() mess in COMEDI_INSNLIST compat Al Viro
2020-05-29 10:36 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 07/10] comedi: lift copy_from_user() into callers of __comedi_get_user_cmd() Al Viro
2020-05-29 10:37 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 08/10] comedi: do_cmdtest_ioctl(): lift copyin/copyout into the caller Al Viro
2020-05-29 10:37 ` Ian Abbott
2020-05-29 0:35 ` [PATCH 09/10] comedi: do_cmd_ioctl(): " Al Viro
2020-05-29 10:38 ` Ian Abbott
2020-05-29 10:34 ` [PATCH 01/10] comedi: move compat ioctl handling to native fops Ian Abbott
2020-05-29 10:48 ` [PATCHES] uaccess comedi compat Ian Abbott
2020-05-29 14:15 ` Al Viro
2020-05-29 0:40 ` [PATCHES] uaccess i915 Al Viro
2020-05-29 5:06 ` Jani Nikula
2020-05-29 5:06 ` [Intel-gfx] " Jani Nikula
2020-05-29 14:17 ` Al Viro
2020-05-29 14:17 ` [Intel-gfx] " Al Viro
2020-05-29 0:41 ` [PATCH 1/5] i915: switch query_{topology,engine}_info() to copy_to_user() Al Viro
2020-05-29 0:41 ` [PATCH 2/5] i915: switch copy_perf_config_registers_or_number() to unsafe_put_user() Al Viro
2020-05-29 0:41 ` [PATCH 3/5] i915 compat ioctl(): just use drm_ioctl_kernel() Al Viro
2020-05-29 0:41 ` [PATCH 4/5] i915: alloc_oa_regs(): get rid of pointless access_ok() Al Viro
2020-05-29 0:41 ` [PATCH 5/5] i915:get_engines(): " Al Viro
2020-05-29 23:26 ` [PATCHES] uaccess misc Al Viro
2020-05-29 23:54 ` Linus Torvalds
2020-05-29 23:57 ` Linus Torvalds
2020-05-29 23:27 ` [PATCH 1/9] pselect6() and friends: take handling the combined 6th/7th args into helper Al Viro
2020-05-29 23:27 ` [PATCH 2/9] binfmt_elf: don't bother with __{put,copy_to}_user() Al Viro
2020-05-29 23:27 ` [PATCH 3/9] binfmt_elf_fdpic: don't use __... uaccess primitives Al Viro
2020-05-29 23:27 ` [PATCH 4/9] binfmt_flat: don't use __put_user() Al Viro
2020-05-29 23:27 ` [PATCH 5/9] x86: switch cp_stat64() to unsafe_put_user() Al Viro
2020-05-29 23:27 ` [PATCH 6/9] TEST_ACCESS_OK _never_ had been checked anywhere Al Viro
2020-05-29 23:27 ` [PATCH 7/9] user_regset_copyout_zero(): use clear_user() Al Viro
2020-05-29 23:27 ` [PATCH 8/9] x86: kvm_hv_set_msr(): use __put_user() instead of 32bit __clear_user() Al Viro
2020-05-29 23:52 ` Linus Torvalds
2020-05-30 14:31 ` Al Viro
2020-05-30 14:52 ` Al Viro
2020-05-30 16:20 ` Paolo Bonzini
2020-05-30 17:57 ` Linus Torvalds
2020-05-30 18:38 ` Al Viro
2020-05-30 18:52 ` Linus Torvalds
2020-05-30 19:14 ` Al Viro
2020-05-30 19:20 ` Linus Torvalds
2020-05-30 19:42 ` Al Viro
2020-05-30 20:43 ` Al Viro [this message]
2020-05-30 19:19 ` Al Viro
2020-05-30 19:27 ` Al Viro
2020-05-29 23:28 ` [PATCH 9/9] bpf: make bpf_check_uarg_tail_zero() use check_zeroed_user() Al Viro
2020-05-31 16:35 ` Alexei Starovoitov
2020-05-29 23:39 ` [PATCHES] uaccess hpsa Al Viro
2020-05-29 23:40 ` [PATCH 1/4] hpsa passthrough: lift {BIG_,}IOCTL_Command_struct copy{in,out} into hpsa_ioctl() Al Viro
2020-05-29 23:40 ` [PATCH 2/4] hpsa: don't bother with vmalloc for BIG_IOCTL_Command_struct Al Viro
2020-05-29 23:40 ` [PATCH 3/4] hpsa: get rid of compat_alloc_user_space() Al Viro
2020-05-29 23:40 ` [PATCH 4/4] hpsa_ioctl(): tidy up a bit Al Viro
2020-06-03 1:57 ` [PATCHES] uaccess hpsa Martin K. Petersen
2020-06-03 18:37 ` Don.Brace
2020-06-03 19:17 ` Al Viro
2020-06-03 20:53 ` Martin K. Petersen
2020-06-03 20:54 ` Al Viro
2020-06-04 14:18 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200530204306.GV23230@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=kvm@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.