From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: ARC-Seal: i=1; a=rsa-sha256; t=1522169872; cv=none; d=google.com; s=arc-20160816; b=dT3eanY81FgDPWo64hUS/Vg2JEx7DxeKIabZlWl22gjCoOobsboWsLQI3htc+ck6TN fXO6PMjbaIPPJHGGAZ8a4Z1oC3CBYT0ukY1Rf4n6PjDlwzW2P1wqDDV1dNip0kaxbu3k lOARFXqYjIYB43PH9OoGkXUo2jeXRc84C4Dj9LlJs0dfoyUgOlgZAS3Q4nuc0cQFculK +w34OOizzNwghr+cblnCAmpkSilSnJC9qoEGunBC0Hrqxt5ALXsFD3BmjNP7WKNqr/zB 4R6k3O3geB4YA8pZYSJtS20pyR48kEKJIb78n8lYN2m3XBa7TnlN4eIE98Mf7ZXgff3k fHfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=PQDvPwpCCj++tEzmkEClg/xNExzGMoMf+mTY7ONA9sM=; b=qSOc0OH5sN7gMvAZHZbOALBg754qN1bBm3u3cvau3/FhV2ZgBb2KcClE0lbvJkQpuf /ty1Z0U97UzJaToe1olo10Nl12RGe1i1FoK8RMj3D/XSEFoQVT6vzBU/HR3uYtOQ6rZz 4Ol/bLem8MCNtKANt5uobCe+FQSbSBGWM+NknOH85PBrySkc1DZlaw9nsmuc3VeRqwzg FRR/g2vJ1bLYGbNyvYdxnsrA/cjbYCxj/NmfKep1CeQYygLFQkymL3Quj+QLbzSlVDeT W7++dSSTDjWhsLu6TOe7hb9pW6IA5jiaHtfSFlD44x8gLROLM2FDkB3Z6PqsnkNQvww8 2y+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ADn0rmiu; spf=pass (google.com: domain of andreyknvl@google.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=andreyknvl@google.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ADn0rmiu; spf=pass (google.com: domain of andreyknvl@google.com designates 209.85.220.65 as permitted sender) smtp.mailfrom=andreyknvl@google.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com X-Google-Smtp-Source: AIpwx4/r7QqaBNv+zh63HY6pUE+6nXfgV70QA44S2r+rRUeb7OeXVCpu+eEC5+uPaXYYZWHThL86gA== From: Andrey Konovalov To: Catalin Marinas , Will Deacon , Jonathan Corbet , Mark Rutland , Robin Murphy , Al Viro , Andrey Konovalov , James Morse , Kees Cook , Bart Van Assche , Kate Stewart , Greg Kroah-Hartman , Thomas Gleixner , Philippe Ombredanne , Andrew Morton , Ingo Molnar , "Kirill A . Shutemov" , Dan Williams , "Aneesh Kumar K . V" , Zi Yan , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org Cc: Dmitry Vyukov , Kostya Serebryany , Evgeniy Stepanov , Lee Smith , Ramana Radhakrishnan , Jacob Bramley , Ruben Ayrapetyan Subject: [RFC PATCH v2 3/6] arm64: untag user addresses in copy_from_user and others Date: Tue, 27 Mar 2018 18:57:39 +0200 Message-Id: <22d41e0e1439ed0d13b2a2ca4b7c8317131f7ea9.1522169685.git.andreyknvl@google.com> X-Mailer: git-send-email 2.17.0.rc0.231.g781580f067-goog In-Reply-To: References: In-Reply-To: References: X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: =?utf-8?q?1596110796097198401?= X-GMAIL-MSGID: =?utf-8?q?1596110796097198401?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..24a221678fe3 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -238,12 +239,15 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the * current addr_limit. + * Also untag user pointers that have the top byte tag set. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) { void __user *safe_ptr; + ptr = untagged_addr(ptr); + asm volatile( " bics xzr, %1, %2\n" " csel %0, %1, xzr, eq\n" -- 2.17.0.rc0.231.g781580f067-goog From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on archive.lwn.net X-Spam-Level: X-Spam-Status: No, score=-4.6 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,T_DKIM_INVALID, T_RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by archive.lwn.net (Postfix) with ESMTP id 343BE7DD31 for ; Tue, 27 Mar 2018 16:59:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755477AbeC0Q54 (ORCPT ); Tue, 27 Mar 2018 12:57:56 -0400 Received: from mail-wm0-f65.google.com ([74.125.82.65]:36335 "EHLO mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754200AbeC0Q5x (ORCPT ); Tue, 27 Mar 2018 12:57:53 -0400 Received: by mail-wm0-f65.google.com with SMTP id x82so160263wmg.1 for ; Tue, 27 Mar 2018 09:57:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :in-reply-to:references; bh=PQDvPwpCCj++tEzmkEClg/xNExzGMoMf+mTY7ONA9sM=; b=ADn0rmiuJ9XMM6PYDzfTZVuW5CPYnKWZBN/2cGETCgpoqcygh9M5u3blB9njWr8Re+ Ut+uFZmTsK60HI1Jcl6sLhzGhaTNCal3v1v31Uw1yLenf4qO1bduAucD9HAo+XI1WVpp vvATKMr+BXh3qUgY2ja3gImPbJpWvsf9XdLPep6eVNyEOD4VehwyH0vASDitWzdKi8jI RYMrKQyKpgHfH0xnORC4RZwf7UU2E3EN5wwujgEijY0vzEHO3O4sXAXYaZy/eK730CKW uc7VAhsT1Lt5vkZkYhfWdXjnNDJaVfTSyR10wD1nqo+XpLmTmgfOy8db9Rjpe69AnI6K vSCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:in-reply-to:references; bh=PQDvPwpCCj++tEzmkEClg/xNExzGMoMf+mTY7ONA9sM=; b=g0/MfZ7U9uIK/yuUGo6+NqdicTkk9CIhsSaEgNS9148o0XUJ9CGxA+ithX3CurXv6q vWnxQ/8q51b0l0APnfeU9wDDzv8MMf+TOXokbpp0ytEhAePW0DtN4P9QHPGzOvPtud2n 6/q5DR3G2lbLGINt9JoKle8I7IcgG995AQnvZjMaEqIVbLGKpXrdSSrLNkTW6iiSzvFr ZK0L3vQeQ8ryAuxr4ey4knM/07ZqSasvNyPv4SufUihJgoNoT0Gun/t/YUmzEpyWykb2 jEdSVPA0NFU2q8iAVbNZkzHx9IvaAq9pDOxdcwI1hudv1DrecG2YpMNboB8eN4tsuGDT gIWg== X-Gm-Message-State: AElRT7F2eJXNOYmrds9g4hDa03S2EKoHEtkpUB0V8/x7dtNiU7VpKj0H 2nMDnrNXJ+5zi2MZ7zIE3PMd4g== X-Google-Smtp-Source: AIpwx4/r7QqaBNv+zh63HY6pUE+6nXfgV70QA44S2r+rRUeb7OeXVCpu+eEC5+uPaXYYZWHThL86gA== X-Received: by 10.28.5.145 with SMTP id 139mr35642wmf.31.1522169871428; Tue, 27 Mar 2018 09:57:51 -0700 (PDT) Received: from andreyknvl0.muc.corp.google.com ([2a00:79e0:15:10:84be:a42a:826d:c530]) by smtp.gmail.com with ESMTPSA id 93sm1622992wrh.46.2018.03.27.09.57.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Mar 2018 09:57:50 -0700 (PDT) From: Andrey Konovalov To: Catalin Marinas , Will Deacon , Jonathan Corbet , Mark Rutland , Robin Murphy , Al Viro , Andrey Konovalov , James Morse , Kees Cook , Bart Van Assche , Kate Stewart , Greg Kroah-Hartman , Thomas Gleixner , Philippe Ombredanne , Andrew Morton , Ingo Molnar , "Kirill A . Shutemov" , Dan Williams , "Aneesh Kumar K . V" , Zi Yan , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org Cc: Dmitry Vyukov , Kostya Serebryany , Evgeniy Stepanov , Lee Smith , Ramana Radhakrishnan , Jacob Bramley , Ruben Ayrapetyan Subject: [RFC PATCH v2 3/6] arm64: untag user addresses in copy_from_user and others Date: Tue, 27 Mar 2018 18:57:39 +0200 Message-Id: <22d41e0e1439ed0d13b2a2ca4b7c8317131f7ea9.1522169685.git.andreyknvl@google.com> X-Mailer: git-send-email 2.17.0.rc0.231.g781580f067-goog In-Reply-To: References: In-Reply-To: References: Sender: linux-doc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..24a221678fe3 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -238,12 +239,15 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the * current addr_limit. + * Also untag user pointers that have the top byte tag set. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) { void __user *safe_ptr; + ptr = untagged_addr(ptr); + asm volatile( " bics xzr, %1, %2\n" " csel %0, %1, xzr, eq\n" -- 2.17.0.rc0.231.g781580f067-goog -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 From: andreyknvl@google.com (Andrey Konovalov) Date: Tue, 27 Mar 2018 18:57:39 +0200 Subject: [RFC PATCH v2 3/6] arm64: untag user addresses in copy_from_user and others In-Reply-To: References: Message-ID: <22d41e0e1439ed0d13b2a2ca4b7c8317131f7ea9.1522169685.git.andreyknvl@google.com> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provided a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers. Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr. Signed-off-by: Andrey Konovalov --- arch/arm64/include/asm/uaccess.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 2d6451cbaa86..24a221678fe3 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -105,7 +105,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((__u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -238,12 +239,15 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the * current addr_limit. + * Also untag user pointers that have the top byte tag set. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) { void __user *safe_ptr; + ptr = untagged_addr(ptr); + asm volatile( " bics xzr, %1, %2\n" " csel %0, %1, xzr, eq\n" -- 2.17.0.rc0.231.g781580f067-goog