From: Thomas Garnier <thgarnie@google.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: "David Howells" <dhowells@redhat.com>,
"Dave Hansen" <dave.hansen@intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"René Nyffenegger" <mail@renenyffenegger.ch>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Kees Cook" <keescook@chromium.org>,
"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
"David S . Miller" <davem@davemloft.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Petr Mladek" <pmladek@suse.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>,
"Ingo Molnar" <mingo@kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"John Stultz" <john.stultz@linaro.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>
Subject: Re: [PATCH v2 4/4] arm64/syscalls: Specific usage of verify_pre_usermode_state
Date: Thu, 9 Mar 2017 08:19:31 -0800 [thread overview]
Message-ID: <CAJcbSZFbcGrAEoV8KpYKH-6PgpFDQ-cBt_P7MqX2_hShAPjvvg@mail.gmail.com> (raw)
In-Reply-To: <20170309160551.GC11966@leverpostej>
On Thu, Mar 9, 2017 at 8:05 AM, Mark Rutland <mark.rutland@arm.com> wrote:
> On Thu, Mar 09, 2017 at 07:56:49AM -0800, Thomas Garnier wrote:
>> On Thu, Mar 9, 2017 at 4:23 AM, Mark Rutland <mark.rutland@arm.com> wrote:
>> > We generally stick to lower case for the arm64 assembly macros. If we
>> > need this, we should stick to the existing convention.
>> >
>> >> +/* Similar to set_fs(USER_DS) in verify_pre_usermode_state without a warning. */
>> >> +.macro VERIFY_PRE_USERMODE_STATE
>> >> + mov x1, #TASK_SIZE_64
>> >> + str x1, [tsk, #TSK_TI_ADDR_LIMIT]
>> >> +.endm
>> >
>> > We need arm64's set_fs() to configure UAO, too, so this is much weaker
>> > than set_fs(), and will leave __{get,put}_user and
>> > __copy_{to,from}_user() able to access kernel memory.
>> >
>> > We don't currently have an asm helper to clear UAO, and unconditionally
>> > poking that on exception return is liable to be somewhat expensive.
>> >
>> > Also, given we're only trying to catch this in syscalls, I'm afraid I
>> > don't see what we gain by doing this in the entry assembly.
>>
>> I optimized all architectures from the arm (32-bit) discussion. I will
>> come back to a simple bl to the verify function. Thanks!
>
> What I was trying to ask was do we need to touch the assembly at all
> here?
You don't but he generic solution add code to every single syscall.
> Are we trying to protect the non-syscall cases by doing this in
> assembly? If so, it'd be worth calling out in the commit message.
It is an added benefit but not required.
> If so, we could add the necessary helper to clear UAO.
I can look at set_fs and fix it on the next iteraiton.
> If not, doing this in the entry assembly only saves the small overhead
> of reading and comparing the addr_limit for in-kernel use of the
> syscalls (e.g. in the compat wrappers), and we may as well rely on the
> common !ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE implementation.
You also don't have the code added for each syscall and a call.
>
> Thanks,
> Mark.
--
Thomas
WARNING: multiple messages have this Message-ID (diff)
From: thgarnie@google.com (Thomas Garnier)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 4/4] arm64/syscalls: Specific usage of verify_pre_usermode_state
Date: Thu, 9 Mar 2017 08:19:31 -0800 [thread overview]
Message-ID: <CAJcbSZFbcGrAEoV8KpYKH-6PgpFDQ-cBt_P7MqX2_hShAPjvvg@mail.gmail.com> (raw)
In-Reply-To: <20170309160551.GC11966@leverpostej>
On Thu, Mar 9, 2017 at 8:05 AM, Mark Rutland <mark.rutland@arm.com> wrote:
> On Thu, Mar 09, 2017 at 07:56:49AM -0800, Thomas Garnier wrote:
>> On Thu, Mar 9, 2017 at 4:23 AM, Mark Rutland <mark.rutland@arm.com> wrote:
>> > We generally stick to lower case for the arm64 assembly macros. If we
>> > need this, we should stick to the existing convention.
>> >
>> >> +/* Similar to set_fs(USER_DS) in verify_pre_usermode_state without a warning. */
>> >> +.macro VERIFY_PRE_USERMODE_STATE
>> >> + mov x1, #TASK_SIZE_64
>> >> + str x1, [tsk, #TSK_TI_ADDR_LIMIT]
>> >> +.endm
>> >
>> > We need arm64's set_fs() to configure UAO, too, so this is much weaker
>> > than set_fs(), and will leave __{get,put}_user and
>> > __copy_{to,from}_user() able to access kernel memory.
>> >
>> > We don't currently have an asm helper to clear UAO, and unconditionally
>> > poking that on exception return is liable to be somewhat expensive.
>> >
>> > Also, given we're only trying to catch this in syscalls, I'm afraid I
>> > don't see what we gain by doing this in the entry assembly.
>>
>> I optimized all architectures from the arm (32-bit) discussion. I will
>> come back to a simple bl to the verify function. Thanks!
>
> What I was trying to ask was do we need to touch the assembly at all
> here?
You don't but he generic solution add code to every single syscall.
> Are we trying to protect the non-syscall cases by doing this in
> assembly? If so, it'd be worth calling out in the commit message.
It is an added benefit but not required.
> If so, we could add the necessary helper to clear UAO.
I can look at set_fs and fix it on the next iteraiton.
> If not, doing this in the entry assembly only saves the small overhead
> of reading and comparing the addr_limit for in-kernel use of the
> syscalls (e.g. in the compat wrappers), and we may as well rely on the
> common !ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE implementation.
You also don't have the code added for each syscall and a call.
>
> Thanks,
> Mark.
--
Thomas
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Garnier <thgarnie@google.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: "David Howells" <dhowells@redhat.com>,
"Dave Hansen" <dave.hansen@intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"René Nyffenegger" <mail@renenyffenegger.ch>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Kees Cook" <keescook@chromium.org>,
"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
"David S . Miller" <davem@davemloft.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Petr Mladek" <pmladek@suse.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>,
"Ingo Molnar" <mingo@kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"John Stultz" <john.stultz@linaro.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
"Frederic Weisbecker" <fweisbec@gmail.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Stanislav Kinsburskiy" <skinsbursky@virtuozzo.com>,
"Ingo Molnar" <mingo@redhat.com>,
"H . Peter Anvin" <hpa@zytor.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Josh Poimboeuf" <jpoimboe@redhat.com>,
"Brian Gerst" <brgerst@gmail.com>,
"Jan Beulich" <JBeulich@suse.com>,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
"Luis R . Rodriguez" <mcgrof@kernel.org>,
"He Chen" <he.chen@linux.intel.com>,
"Russell King" <linux@armlinux.org.uk>,
"Will Deacon" <will.deacon@arm.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"James Morse" <james.morse@arm.com>,
"Pratyush Anand" <panand@redhat.com>,
"Vladimir Murzin" <vladimir.murzin@arm.com>,
"Chris Metcalf" <cmetcalf@mellanox.com>,
"Andre Przywara" <andre.przywara@arm.com>,
"Linux API" <linux-api@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
linux-arm-kernel@lists.infradead.org,
"Kernel Hardening" <kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH v2 4/4] arm64/syscalls: Specific usage of verify_pre_usermode_state
Date: Thu, 9 Mar 2017 08:19:31 -0800 [thread overview]
Message-ID: <CAJcbSZFbcGrAEoV8KpYKH-6PgpFDQ-cBt_P7MqX2_hShAPjvvg@mail.gmail.com> (raw)
In-Reply-To: <20170309160551.GC11966@leverpostej>
On Thu, Mar 9, 2017 at 8:05 AM, Mark Rutland <mark.rutland@arm.com> wrote:
> On Thu, Mar 09, 2017 at 07:56:49AM -0800, Thomas Garnier wrote:
>> On Thu, Mar 9, 2017 at 4:23 AM, Mark Rutland <mark.rutland@arm.com> wrote:
>> > We generally stick to lower case for the arm64 assembly macros. If we
>> > need this, we should stick to the existing convention.
>> >
>> >> +/* Similar to set_fs(USER_DS) in verify_pre_usermode_state without a warning. */
>> >> +.macro VERIFY_PRE_USERMODE_STATE
>> >> + mov x1, #TASK_SIZE_64
>> >> + str x1, [tsk, #TSK_TI_ADDR_LIMIT]
>> >> +.endm
>> >
>> > We need arm64's set_fs() to configure UAO, too, so this is much weaker
>> > than set_fs(), and will leave __{get,put}_user and
>> > __copy_{to,from}_user() able to access kernel memory.
>> >
>> > We don't currently have an asm helper to clear UAO, and unconditionally
>> > poking that on exception return is liable to be somewhat expensive.
>> >
>> > Also, given we're only trying to catch this in syscalls, I'm afraid I
>> > don't see what we gain by doing this in the entry assembly.
>>
>> I optimized all architectures from the arm (32-bit) discussion. I will
>> come back to a simple bl to the verify function. Thanks!
>
> What I was trying to ask was do we need to touch the assembly at all
> here?
You don't but he generic solution add code to every single syscall.
> Are we trying to protect the non-syscall cases by doing this in
> assembly? If so, it'd be worth calling out in the commit message.
It is an added benefit but not required.
> If so, we could add the necessary helper to clear UAO.
I can look at set_fs and fix it on the next iteraiton.
> If not, doing this in the entry assembly only saves the small overhead
> of reading and comparing the addr_limit for in-kernel use of the
> syscalls (e.g. in the compat wrappers), and we may as well rely on the
> common !ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE implementation.
You also don't have the code added for each syscall and a call.
>
> Thanks,
> Mark.
--
Thomas
next prev parent reply other threads:[~2017-03-09 16:19 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-09 1:24 [PATCH v2 1/4] syscalls: Restore address limit after a syscall Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 1:24 ` [PATCH v2 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 1:24 ` [PATCH v2 3/4] arm/syscalls: " Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 1:24 ` [PATCH v2 4/4] arm64/syscalls: " Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 12:23 ` Mark Rutland
2017-03-09 12:23 ` [kernel-hardening] " Mark Rutland
2017-03-09 12:23 ` Mark Rutland
2017-03-09 15:56 ` Thomas Garnier
2017-03-09 15:56 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:56 ` Thomas Garnier
2017-03-09 16:05 ` Mark Rutland
2017-03-09 16:05 ` [kernel-hardening] " Mark Rutland
2017-03-09 16:05 ` Mark Rutland
2017-03-09 16:19 ` Thomas Garnier [this message]
2017-03-09 16:19 ` [kernel-hardening] " Thomas Garnier
2017-03-09 16:19 ` Thomas Garnier
2017-03-09 16:26 ` Russell King - ARM Linux
2017-03-09 16:26 ` [kernel-hardening] " Russell King - ARM Linux
2017-03-09 16:26 ` Russell King - ARM Linux
2017-03-09 16:35 ` Thomas Garnier
2017-03-09 16:35 ` [kernel-hardening] " Thomas Garnier
2017-03-09 16:35 ` Thomas Garnier
2017-03-09 17:05 ` Russell King - ARM Linux
2017-03-09 17:05 ` [kernel-hardening] " Russell King - ARM Linux
2017-03-09 17:05 ` Russell King - ARM Linux
2017-03-09 8:42 ` [PATCH v2 1/4] syscalls: Restore address limit after a syscall Borislav Petkov
2017-03-09 8:42 ` [kernel-hardening] " Borislav Petkov
2017-03-09 8:42 ` Borislav Petkov
2017-03-09 15:48 ` Thomas Garnier
2017-03-09 15:48 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:48 ` Thomas Garnier
2017-03-09 17:27 ` Andy Lutomirski
2017-03-09 17:27 ` [kernel-hardening] " Andy Lutomirski
2017-03-09 17:41 ` Thomas Garnier
2017-03-09 17:41 ` [kernel-hardening] " Thomas Garnier
2017-03-09 10:39 ` Sergey Senozhatsky
2017-03-09 10:39 ` [kernel-hardening] " Sergey Senozhatsky
2017-03-09 12:09 ` Mark Rutland
2017-03-09 12:09 ` [kernel-hardening] " Mark Rutland
2017-03-09 12:09 ` Mark Rutland
2017-03-09 13:44 ` Russell King - ARM Linux
2017-03-09 13:44 ` [kernel-hardening] " Russell King - ARM Linux
2017-03-09 13:44 ` Russell King - ARM Linux
2017-03-09 15:21 ` Mark Rutland
2017-03-09 15:21 ` [kernel-hardening] " Mark Rutland
2017-03-09 15:21 ` Mark Rutland
2017-03-09 15:54 ` Thomas Garnier
2017-03-09 15:54 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:54 ` Thomas Garnier
2017-03-09 15:52 ` Thomas Garnier
2017-03-09 15:52 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:52 ` Thomas Garnier
2017-03-09 12:32 ` Christian Borntraeger
2017-03-09 12:32 ` [kernel-hardening] " Christian Borntraeger
2017-03-09 15:53 ` Thomas Garnier
2017-03-09 15:53 ` [kernel-hardening] " Thomas Garnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJcbSZFbcGrAEoV8KpYKH-6PgpFDQ-cBt_P7MqX2_hShAPjvvg@mail.gmail.com \
--to=thgarnie@google.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=bigeasy@linutronix.de \
--cc=dave.hansen@intel.com \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=dhowells@redhat.com \
--cc=john.stultz@linaro.org \
--cc=keescook@chromium.org \
--cc=luto@kernel.org \
--cc=mail@renenyffenegger.ch \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=oleg@redhat.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pmladek@suse.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=riel@redhat.com \
--cc=sergey.senozhatsky@gmail.com \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.