From: Guenter Roeck <linux@roeck-us.net>
To: Christoph Hellwig <hch@lst.de>
Cc: Nick Hu <nickhu@andestech.com>, Greentime Hu <green.hu@gmail.com>,
	Vincent Chen <deanbo422@gmail.com>,
	Paul Walmsley <paul.walmsley@sifive.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-riscv@lists.infradead.org, linux-arch@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check
Date: Mon, 20 Jul 2020 22:30:30 -0700
Message-ID: <7fc565fe-411e-6a0b-8aaf-0bf808f0d6a9@roeck-us.net>
In-Reply-To: <20200721052022.GA10011@lst.de>

On 7/20/20 10:20 PM, Christoph Hellwig wrote:
> On Mon, Jul 20, 2020 at 10:15:37PM -0700, Guenter Roeck wrote:
>>>> -       if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
>>>> +       if (CHECK_DATA_CORRUPTION(!uaccess_kernel(),
>>>>
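
Review bot: the `!` added to the first argument of CHECK_DATA_CORRUPTION() flips which state is reported as corruption. The macro fires when its condition is true, so with `!uaccess_kernel()` it triggers whenever the kernel address-space override is not set and stays silent when the override is still active. If the check is meant to catch an override leaking on the way back to user space, keep `uaccess_kernel()` as the condition and handle the nommu failure at the place addr_limit_user_check is called.
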
>>>> How does this work anywhere ?
>>>
>>> No, that is the wrong check - we want to make sure the address
>>> space override doesn't leak to userspace.  The problem is that
>>> armnommu (and m68knommu, but that doesn't call the offending
>>> function) pretends to not have a kernel address space, which doesn't
>>> really work.  Here is the fix I sent out yesterday, which I should
>>> have Cc'ed you on, sorry:
>>>
>>
>> The patch below makes sense, and it does work, but I still suspect
>> that something with your original patch is wrong, or at least suspicious.
>> Reason: My change above (Adding the "!") works for _all_ of my arm boot
>> tests. Or, in other words, it doesn't make a difference if true
>> or false is passed as first parameter of CHECK_DATA_CORRUPTION(), except
>> for nommu systems. Also, unless I am really missing something, your
>> original patch _does_ reverse the logic.
> 
> Well.  segment_eq is in current mainline used in two places:
> 
>  1) to implement uaccess_kernel
>  2) in addr_limit_user_check to implement uaccess_kernel-like
>     semantics using a strange reverse notation
> 
> I think the explanation for your observation is how addr_limit_user_check
> is called on arm.  The addr_limit_check_failed wrapper for it is called
> from assembly code, but only after already checking the addr_limit,
> basically duplicating the segment_eq check.  So for mmu builds it won't
> get called unless we leak the kernel address space override, which
> is a pretty fatal error and won't show up in your boot tests.  The
> only good way to test it is by explicitly injecting it using the
> lkdtm module.
> 

Guess I lost it somewhere. Are you saying the check was wrong all along
and your patch fixed it ?

Thanks,
Guenter
