From: ebiederm@xmission.com (Eric W. Biederman)
To: Christophe Leroy <christophe.leroy@c-s.fr>
Cc: Christoph Hellwig <hch@lst.de>, Arnd Bergmann <arnd@arndb.de>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
linuxppc-dev@lists.ozlabs.org, Jeremy Kerr <jk@ozlabs.org>
Subject: Re: [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32
Date: Sat, 18 Apr 2020 06:55:56 -0500 [thread overview]
Message-ID: <87v9lx3t4j.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <c51c6192-2ea4-62d8-dd22-305f7a1e0dd3@c-s.fr> (Christophe Leroy's message of "Sat, 18 Apr 2020 10:05:19 +0200")
Christophe Leroy <christophe.leroy@c-s.fr> writes:
> Le 17/04/2020 à 23:09, Eric W. Biederman a écrit :
>>
>> To remove the use of set_fs in the coredump code there needs to be a
>> way to convert a kernel siginfo to a userspace compat siginfo.
>>
>> Call that function copy_siginfo_to_compat and factor it out of
>> copy_siginfo_to_user32.
>
> I find it a pitty to do that.
>
> The existing function could have been easily converted to using
> user_access_begin() + user_access_end() and use unsafe_put_user() to copy to
> userspace to avoid copying through a temporary structure on the stack.
>
> With your change, it becomes impossible to do that.
I don't follow. You don't like temporary structures in the coredump
code or temporary structures in copy_siginfo_to_user32?
A temporary structure in copy_siginfo_to_user is pretty much required
so that it can be zeroed to guarantee we don't pass a structure with
holes to userspace.
The implementation of copy_siginfo_to_user32 used to use the equivalent
of user_access_begin() and user_access_end() and the code was a mess
that was very difficult to reason about. I recall their being holes
in the structure that were being copied to userspace.
Meanwhile if you are going to set all of the bytes a cache hot temporary
structure is quite cheap.
> Is that really an issue to use that set_fs() in the coredump code ?
Using set_fs() is pretty bad and something that we would like to remove
from the kernel entirely. The fewer instances of set_fs() we have the
better.
I forget all of the details but set_fs() is both a type violation and an
attack point when people are attacking the kernel. The existence of
set_fs() requires somethings that should be constants to be variables.
Something about that means that our current code is difficult to protect
from spectre style vulnerabilities.
There was a very good thread about it all in I think 2018 but
unfortunately I can't find it now.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Christophe Leroy <christophe.leroy@c-s.fr>
Cc: Arnd Bergmann <arnd@arndb.de>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
linuxppc-dev@lists.ozlabs.org, Christoph Hellwig <hch@lst.de>,
Jeremy Kerr <jk@ozlabs.org>
Subject: Re: [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32
Date: Sat, 18 Apr 2020 06:55:56 -0500 [thread overview]
Message-ID: <87v9lx3t4j.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <c51c6192-2ea4-62d8-dd22-305f7a1e0dd3@c-s.fr> (Christophe Leroy's message of "Sat, 18 Apr 2020 10:05:19 +0200")
Christophe Leroy <christophe.leroy@c-s.fr> writes:
> Le 17/04/2020 à 23:09, Eric W. Biederman a écrit :
>>
>> To remove the use of set_fs in the coredump code there needs to be a
>> way to convert a kernel siginfo to a userspace compat siginfo.
>>
>> Call that function copy_siginfo_to_compat and factor it out of
>> copy_siginfo_to_user32.
>
> I find it a pitty to do that.
>
> The existing function could have been easily converted to using
> user_access_begin() + user_access_end() and use unsafe_put_user() to copy to
> userspace to avoid copying through a temporary structure on the stack.
>
> With your change, it becomes impossible to do that.
I don't follow. You don't like temporary structures in the coredump
code or temporary structures in copy_siginfo_to_user32?
A temporary structure in copy_siginfo_to_user is pretty much required
so that it can be zeroed to guarantee we don't pass a structure with
holes to userspace.
The implementation of copy_siginfo_to_user32 used to use the equivalent
of user_access_begin() and user_access_end() and the code was a mess
that was very difficult to reason about. I recall their being holes
in the structure that were being copied to userspace.
Meanwhile if you are going to set all of the bytes a cache hot temporary
structure is quite cheap.
> Is that really an issue to use that set_fs() in the coredump code ?
Using set_fs() is pretty bad and something that we would like to remove
from the kernel entirely. The fewer instances of set_fs() we have the
better.
I forget all of the details but set_fs() is both a type violation and an
attack point when people are attacking the kernel. The existence of
set_fs() requires somethings that should be constants to be variables.
Something about that means that our current code is difficult to protect
from spectre style vulnerabilities.
There was a very good thread about it all in I think 2018 but
unfortunately I can't find it now.
Eric
next prev parent reply other threads:[~2020-04-18 11:59 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-14 7:01 remove set_fs calls from the exec and coredump code v2 Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 1/8] powerpc/spufs: simplify spufs core dumping Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 2/8] signal: clean up __copy_siginfo_to_user32 Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-17 21:08 ` Eric W. Biederman
2020-04-17 21:08 ` Eric W. Biederman
2020-04-17 21:09 ` [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32 Eric W. Biederman
2020-04-17 21:09 ` Eric W. Biederman
2020-04-18 8:05 ` Christophe Leroy
2020-04-18 11:55 ` Eric W. Biederman [this message]
2020-04-18 11:55 ` Eric W. Biederman
2020-04-19 8:13 ` Christoph Hellwig
2020-04-19 8:13 ` Christoph Hellwig
2020-04-19 9:46 ` Christophe Leroy
2020-04-19 9:54 ` Christophe Leroy
2020-04-19 8:05 ` Christoph Hellwig
2020-04-19 8:05 ` Christoph Hellwig
2020-04-17 21:09 ` [PATCH 2/2] signal: Remove the set_fs in binfmt_elf.c:fill_siginfo_note Eric W. Biederman
2020-04-17 21:09 ` Eric W. Biederman
2020-04-19 8:03 ` [PATCH 2/8] signal: clean up __copy_siginfo_to_user32 Christoph Hellwig
2020-04-19 8:03 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 3/8] signal: replace __copy_siginfo_to_user32 with to_compat_siginfo Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 14:00 ` Arnd Bergmann
2020-04-14 14:00 ` Arnd Bergmann
2020-04-14 7:01 ` [PATCH 4/8] binfmt_elf: open code copy_siginfo_to_user to kernelspace buffer Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 13:15 ` Arnd Bergmann
2020-04-14 13:15 ` Arnd Bergmann
2020-04-15 7:45 ` Christoph Hellwig
2020-04-15 7:45 ` Christoph Hellwig
2020-04-15 8:20 ` Arnd Bergmann
2020-04-15 8:20 ` Arnd Bergmann
2020-04-17 13:27 ` Christoph Hellwig
2020-04-17 13:27 ` Christoph Hellwig
2020-04-17 18:10 ` Eric W. Biederman
2020-04-17 18:10 ` Eric W. Biederman
2020-04-17 20:06 ` Arnd Bergmann
2020-04-17 20:06 ` Arnd Bergmann
2020-04-15 3:01 ` Michael Ellerman
2020-04-15 3:01 ` Michael Ellerman
2020-04-15 6:19 ` Christoph Hellwig
2020-04-15 6:19 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 5/8] binfmt_elf: remove the set_fs(KERNEL_DS) in elf_core_dump Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 6/8] binfmt_elf_fdpic: remove the set_fs(KERNEL_DS) in elf_fdpic_core_dump Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 7/8] exec: simplify the copy_strings_kernel calling convention Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-14 7:01 ` [PATCH 8/8] exec: open code copy_string_kernel Christoph Hellwig
2020-04-14 7:01 ` Christoph Hellwig
2020-04-18 8:15 ` Christophe Leroy
2020-04-18 8:15 ` Christophe Leroy
2020-04-19 8:06 ` Christoph Hellwig
2020-04-19 8:06 ` Christoph Hellwig
2020-04-19 9:44 ` Christophe Leroy
2020-04-19 9:44 ` Christophe Leroy
2020-04-17 22:41 ` remove set_fs calls from the exec and coredump code v2 Eric W. Biederman
2020-04-17 22:41 ` Eric W. Biederman
2020-04-19 8:19 ` Christoph Hellwig
2020-04-19 8:19 ` Christoph Hellwig
2020-04-19 11:50 ` Eric W. Biederman
2020-04-19 11:50 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v9lx3t4j.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=christophe.leroy@c-s.fr \
--cc=hch@lst.de \
--cc=jk@ozlabs.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.