From: "Christopher M. Riedl" <cmr@linux.ibm.com>
To: "Christophe Leroy" <christophe.leroy@csgroup.eu>,
<linuxppc-dev@lists.ozlabs.org>
Cc: <keescook@chromium.org>, <peterz@infradead.org>, <x86@kernel.org>,
<npiggin@gmail.com>, <linux-hardening@vger.kernel.org>,
<tglx@linutronix.de>, <dja@axtens.net>
Subject: Re: [PATCH v5 8/8] lkdtm/powerpc: Fix code patching hijack test
Date: Wed, 11 Aug 2021 12:57:40 -0500 [thread overview]
Message-ID: <CDGVM7T0W0T1.3E0IJ78ONUZ0R@oc8246131445.ibm.com> (raw)
In-Reply-To: <7a6c97ed-815b-49fc-5568-ab4420f53122@csgroup.eu>
On Thu Aug 5, 2021 at 4:18 AM CDT, Christophe Leroy wrote:
>
>
> Le 13/07/2021 à 07:31, Christopher M. Riedl a écrit :
> > Code patching on powerpc with a STRICT_KERNEL_RWX uses a userspace
> > address in a temporary mm on Radix now. Use __put_user() to avoid write
> > failures due to KUAP when attempting a "hijack" on the patching address.
> > __put_user() also works with the non-userspace, vmalloc-based patching
> > address on non-Radix MMUs.
>
> It is not really clean to use __put_user() on non user address,
> allthought it works by change.
>
> I think it would be better to do something like
>
> if (is_kernel_addr(addr))
> copy_to_kernel_nofault(...);
> else
> copy_to_user_nofault(...);
>
Yes that looks much better. I'll pick this up and try it for the next
spin. Thanks!
>
>
> >
> > Signed-off-by: Christopher M. Riedl <cmr@linux.ibm.com>
> > ---
> > drivers/misc/lkdtm/perms.c | 9 ---------
> > 1 file changed, 9 deletions(-)
> >
> > diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
> > index 41e87e5f9cc86..da6a34a0a49fb 100644
> > --- a/drivers/misc/lkdtm/perms.c
> > +++ b/drivers/misc/lkdtm/perms.c
> > @@ -262,16 +262,7 @@ static inline u32 lkdtm_read_patch_site(void)
> > /* Returns True if the write succeeds */
> > static inline bool lkdtm_try_write(u32 data, u32 *addr)
> > {
> > -#ifdef CONFIG_PPC
> > - __put_kernel_nofault(addr, &data, u32, err);
> > - return true;
> > -
> > -err:
> > - return false;
> > -#endif
> > -#ifdef CONFIG_X86_64
> > return !__put_user(data, addr);
> > -#endif
> > }
> >
> > static int lkdtm_patching_cpu(void *data)
> >
WARNING: multiple messages have this Message-ID (diff)
From: "Christopher M. Riedl" <cmr@linux.ibm.com>
To: "Christophe Leroy" <christophe.leroy@csgroup.eu>,
<linuxppc-dev@lists.ozlabs.org>
Cc: keescook@chromium.org, peterz@infradead.org, x86@kernel.org,
npiggin@gmail.com, linux-hardening@vger.kernel.org,
tglx@linutronix.de, dja@axtens.net
Subject: Re: [PATCH v5 8/8] lkdtm/powerpc: Fix code patching hijack test
Date: Wed, 11 Aug 2021 12:57:40 -0500 [thread overview]
Message-ID: <CDGVM7T0W0T1.3E0IJ78ONUZ0R@oc8246131445.ibm.com> (raw)
In-Reply-To: <7a6c97ed-815b-49fc-5568-ab4420f53122@csgroup.eu>
On Thu Aug 5, 2021 at 4:18 AM CDT, Christophe Leroy wrote:
>
>
> Le 13/07/2021 à 07:31, Christopher M. Riedl a écrit :
> > Code patching on powerpc with a STRICT_KERNEL_RWX uses a userspace
> > address in a temporary mm on Radix now. Use __put_user() to avoid write
> > failures due to KUAP when attempting a "hijack" on the patching address.
> > __put_user() also works with the non-userspace, vmalloc-based patching
> > address on non-Radix MMUs.
>
> It is not really clean to use __put_user() on non user address,
> allthought it works by change.
>
> I think it would be better to do something like
>
> if (is_kernel_addr(addr))
> copy_to_kernel_nofault(...);
> else
> copy_to_user_nofault(...);
>
Yes that looks much better. I'll pick this up and try it for the next
spin. Thanks!
>
>
> >
> > Signed-off-by: Christopher M. Riedl <cmr@linux.ibm.com>
> > ---
> > drivers/misc/lkdtm/perms.c | 9 ---------
> > 1 file changed, 9 deletions(-)
> >
> > diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
> > index 41e87e5f9cc86..da6a34a0a49fb 100644
> > --- a/drivers/misc/lkdtm/perms.c
> > +++ b/drivers/misc/lkdtm/perms.c
> > @@ -262,16 +262,7 @@ static inline u32 lkdtm_read_patch_site(void)
> > /* Returns True if the write succeeds */
> > static inline bool lkdtm_try_write(u32 data, u32 *addr)
> > {
> > -#ifdef CONFIG_PPC
> > - __put_kernel_nofault(addr, &data, u32, err);
> > - return true;
> > -
> > -err:
> > - return false;
> > -#endif
> > -#ifdef CONFIG_X86_64
> > return !__put_user(data, addr);
> > -#endif
> > }
> >
> > static int lkdtm_patching_cpu(void *data)
> >
next prev parent reply other threads:[~2021-08-11 17:58 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-13 5:31 [PATCH v5 0/8] Use per-CPU temporary mappings for patching on Radix MMU Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 1/8] powerpc: Add LKDTM accessor for patching addr Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 2/8] lkdtm/powerpc: Add test to hijack a patch mapping Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-08-05 9:13 ` Christophe Leroy
2021-08-11 17:57 ` Christopher M. Riedl
2021-08-11 17:57 ` Christopher M. Riedl
2021-08-11 18:07 ` Kees Cook
2021-08-11 18:07 ` Kees Cook
2021-07-13 5:31 ` [PATCH v5 3/8] x86_64: Add LKDTM accessor for patching addr Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 4/8] lkdtm/x86_64: Add test to hijack a patch mapping Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-08-05 9:09 ` Christophe Leroy
2021-08-11 17:53 ` Christopher M. Riedl
2021-08-11 17:53 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 5/8] powerpc/64s: Introduce temporary mm for Radix MMU Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-08-05 9:27 ` Christophe Leroy
2021-08-11 18:02 ` Christopher M. Riedl
2021-08-11 18:02 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 6/8] powerpc: Rework and improve STRICT_KERNEL_RWX patching Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-08-05 9:34 ` Christophe Leroy
2021-08-11 18:10 ` Christopher M. Riedl
2021-08-11 18:10 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 7/8] powerpc/64s: Initialize and use a temporary mm for patching on Radix Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-08-05 9:48 ` Christophe Leroy
2021-08-11 18:28 ` Christopher M. Riedl
2021-08-11 18:28 ` Christopher M. Riedl
2021-07-13 5:31 ` [PATCH v5 8/8] lkdtm/powerpc: Fix code patching hijack test Christopher M. Riedl
2021-07-13 5:31 ` Christopher M. Riedl
2021-08-05 9:18 ` Christophe Leroy
2021-08-11 17:57 ` Christopher M. Riedl [this message]
2021-08-11 17:57 ` Christopher M. Riedl
2021-08-05 9:03 ` [PATCH v5 0/8] Use per-CPU temporary mappings for patching on Radix MMU Christophe Leroy
2021-08-11 17:49 ` Christopher M. Riedl
2021-08-11 17:49 ` Christopher M. Riedl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CDGVM7T0W0T1.3E0IJ78ONUZ0R@oc8246131445.ibm.com \
--to=cmr@linux.ibm.com \
--cc=christophe.leroy@csgroup.eu \
--cc=dja@axtens.net \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=npiggin@gmail.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.