From: ebiederm@xmission.com (Eric W. Biederman) To: Christophe Leroy <christophe.leroy@c-s.fr> Cc: Christoph Hellwig <hch@lst.de>, Arnd Bergmann <arnd@arndb.de>, x86@kernel.org, linux-kernel@vger.kernel.org, Alexander Viro <viro@zeniv.linux.org.uk>, linux-fsdevel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>, linuxppc-dev@lists.ozlabs.org, Jeremy Kerr <jk@ozlabs.org> Subject: Re: [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32 Date: Sat, 18 Apr 2020 06:55:56 -0500 [thread overview] Message-ID: <87v9lx3t4j.fsf@x220.int.ebiederm.org> (raw) In-Reply-To: <c51c6192-2ea4-62d8-dd22-305f7a1e0dd3@c-s.fr> (Christophe Leroy's message of "Sat, 18 Apr 2020 10:05:19 +0200") Christophe Leroy <christophe.leroy@c-s.fr> writes: > Le 17/04/2020 à 23:09, Eric W. Biederman a écrit : >> >> To remove the use of set_fs in the coredump code there needs to be a >> way to convert a kernel siginfo to a userspace compat siginfo. >> >> Call that function copy_siginfo_to_compat and factor it out of >> copy_siginfo_to_user32. > > I find it a pitty to do that. > > The existing function could have been easily converted to using > user_access_begin() + user_access_end() and use unsafe_put_user() to copy to > userspace to avoid copying through a temporary structure on the stack. > > With your change, it becomes impossible to do that. I don't follow. You don't like temporary structures in the coredump code or temporary structures in copy_siginfo_to_user32? A temporary structure in copy_siginfo_to_user is pretty much required so that it can be zeroed to guarantee we don't pass a structure with holes to userspace. The implementation of copy_siginfo_to_user32 used to use the equivalent of user_access_begin() and user_access_end() and the code was a mess that was very difficult to reason about. I recall their being holes in the structure that were being copied to userspace. Meanwhile if you are going to set all of the bytes a cache hot temporary structure is quite cheap. > Is that really an issue to use that set_fs() in the coredump code ? Using set_fs() is pretty bad and something that we would like to remove from the kernel entirely. The fewer instances of set_fs() we have the better. I forget all of the details but set_fs() is both a type violation and an attack point when people are attacking the kernel. The existence of set_fs() requires somethings that should be constants to be variables. Something about that means that our current code is difficult to protect from spectre style vulnerabilities. There was a very good thread about it all in I think 2018 but unfortunately I can't find it now. Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman) To: Christophe Leroy <christophe.leroy@c-s.fr> Cc: Arnd Bergmann <arnd@arndb.de>, x86@kernel.org, linux-kernel@vger.kernel.org, Alexander Viro <viro@zeniv.linux.org.uk>, linux-fsdevel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>, linuxppc-dev@lists.ozlabs.org, Christoph Hellwig <hch@lst.de>, Jeremy Kerr <jk@ozlabs.org> Subject: Re: [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32 Date: Sat, 18 Apr 2020 06:55:56 -0500 [thread overview] Message-ID: <87v9lx3t4j.fsf@x220.int.ebiederm.org> (raw) In-Reply-To: <c51c6192-2ea4-62d8-dd22-305f7a1e0dd3@c-s.fr> (Christophe Leroy's message of "Sat, 18 Apr 2020 10:05:19 +0200") Christophe Leroy <christophe.leroy@c-s.fr> writes: > Le 17/04/2020 à 23:09, Eric W. Biederman a écrit : >> >> To remove the use of set_fs in the coredump code there needs to be a >> way to convert a kernel siginfo to a userspace compat siginfo. >> >> Call that function copy_siginfo_to_compat and factor it out of >> copy_siginfo_to_user32. > > I find it a pitty to do that. > > The existing function could have been easily converted to using > user_access_begin() + user_access_end() and use unsafe_put_user() to copy to > userspace to avoid copying through a temporary structure on the stack. > > With your change, it becomes impossible to do that. I don't follow. You don't like temporary structures in the coredump code or temporary structures in copy_siginfo_to_user32? A temporary structure in copy_siginfo_to_user is pretty much required so that it can be zeroed to guarantee we don't pass a structure with holes to userspace. The implementation of copy_siginfo_to_user32 used to use the equivalent of user_access_begin() and user_access_end() and the code was a mess that was very difficult to reason about. I recall their being holes in the structure that were being copied to userspace. Meanwhile if you are going to set all of the bytes a cache hot temporary structure is quite cheap. > Is that really an issue to use that set_fs() in the coredump code ? Using set_fs() is pretty bad and something that we would like to remove from the kernel entirely. The fewer instances of set_fs() we have the better. I forget all of the details but set_fs() is both a type violation and an attack point when people are attacking the kernel. The existence of set_fs() requires somethings that should be constants to be variables. Something about that means that our current code is difficult to protect from spectre style vulnerabilities. There was a very good thread about it all in I think 2018 but unfortunately I can't find it now. Eric
next prev parent reply other threads:[~2020-04-18 11:59 UTC|newest] Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-04-14 7:01 remove set_fs calls from the exec and coredump code v2 Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 1/8] powerpc/spufs: simplify spufs core dumping Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 2/8] signal: clean up __copy_siginfo_to_user32 Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-17 21:08 ` Eric W. Biederman 2020-04-17 21:08 ` Eric W. Biederman 2020-04-17 21:09 ` [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32 Eric W. Biederman 2020-04-17 21:09 ` Eric W. Biederman 2020-04-18 8:05 ` Christophe Leroy 2020-04-18 11:55 ` Eric W. Biederman [this message] 2020-04-18 11:55 ` Eric W. Biederman 2020-04-19 8:13 ` Christoph Hellwig 2020-04-19 8:13 ` Christoph Hellwig 2020-04-19 9:46 ` Christophe Leroy 2020-04-19 9:54 ` Christophe Leroy 2020-04-19 8:05 ` Christoph Hellwig 2020-04-19 8:05 ` Christoph Hellwig 2020-04-17 21:09 ` [PATCH 2/2] signal: Remove the set_fs in binfmt_elf.c:fill_siginfo_note Eric W. Biederman 2020-04-17 21:09 ` Eric W. Biederman 2020-04-19 8:03 ` [PATCH 2/8] signal: clean up __copy_siginfo_to_user32 Christoph Hellwig 2020-04-19 8:03 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 3/8] signal: replace __copy_siginfo_to_user32 with to_compat_siginfo Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 14:00 ` Arnd Bergmann 2020-04-14 14:00 ` Arnd Bergmann 2020-04-14 7:01 ` [PATCH 4/8] binfmt_elf: open code copy_siginfo_to_user to kernelspace buffer Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 13:15 ` Arnd Bergmann 2020-04-14 13:15 ` Arnd Bergmann 2020-04-15 7:45 ` Christoph Hellwig 2020-04-15 7:45 ` Christoph Hellwig 2020-04-15 8:20 ` Arnd Bergmann 2020-04-15 8:20 ` Arnd Bergmann 2020-04-17 13:27 ` Christoph Hellwig 2020-04-17 13:27 ` Christoph Hellwig 2020-04-17 18:10 ` Eric W. Biederman 2020-04-17 18:10 ` Eric W. Biederman 2020-04-17 20:06 ` Arnd Bergmann 2020-04-17 20:06 ` Arnd Bergmann 2020-04-15 3:01 ` Michael Ellerman 2020-04-15 3:01 ` Michael Ellerman 2020-04-15 6:19 ` Christoph Hellwig 2020-04-15 6:19 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 5/8] binfmt_elf: remove the set_fs(KERNEL_DS) in elf_core_dump Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 6/8] binfmt_elf_fdpic: remove the set_fs(KERNEL_DS) in elf_fdpic_core_dump Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 7/8] exec: simplify the copy_strings_kernel calling convention Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-14 7:01 ` [PATCH 8/8] exec: open code copy_string_kernel Christoph Hellwig 2020-04-14 7:01 ` Christoph Hellwig 2020-04-18 8:15 ` Christophe Leroy 2020-04-18 8:15 ` Christophe Leroy 2020-04-19 8:06 ` Christoph Hellwig 2020-04-19 8:06 ` Christoph Hellwig 2020-04-19 9:44 ` Christophe Leroy 2020-04-19 9:44 ` Christophe Leroy 2020-04-17 22:41 ` remove set_fs calls from the exec and coredump code v2 Eric W. Biederman 2020-04-17 22:41 ` Eric W. Biederman 2020-04-19 8:19 ` Christoph Hellwig 2020-04-19 8:19 ` Christoph Hellwig 2020-04-19 11:50 ` Eric W. Biederman 2020-04-19 11:50 ` Eric W. Biederman
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=87v9lx3t4j.fsf@x220.int.ebiederm.org \ --to=ebiederm@xmission.com \ --cc=akpm@linux-foundation.org \ --cc=arnd@arndb.de \ --cc=christophe.leroy@c-s.fr \ --cc=hch@lst.de \ --cc=jk@ozlabs.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=viro@zeniv.linux.org.uk \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.