* [PATCH v4] riscv: evaluate put_user() arg before enabling user access
@ 2021-03-29 9:57 Ben Dooks
2021-03-30 5:47 ` Palmer Dabbelt
0 siblings, 1 reply; 3+ messages in thread
From: Ben Dooks @ 2021-03-29 9:57 UTC (permalink / raw)
To: linux-riscv, Javier Jardon
Cc: Terry Hu, Ben Dooks, syzbot+e74b94fe601ab9552d69, Arnd Bergman,
schwab, dvyukov, paul.walmsley, palmer, alex, linux-kernel
The <asm/uaccess.h> header has a problem with put_user(a, ptr) if
the 'a' is not a simple variable, such as a function. This can lead
to the compiler producing code as so:
1: enable_user_access()
2: evaluate 'a' into register 'r'
3: put 'r' to 'ptr'
4: disable_user_acess()
The issue is that 'a' is now being evaluated with the user memory
protections disabled. So we try and force the evaulation by assigning
'x' to __val at the start, and hoping the compiler barriers in
enable_user_access() do the job of ordering step 2 before step 1.
This has shown up in a bug where 'a' sleeps and thus schedules out
and loses the SR_SUM flag. This isn't sufficient to fully fix, but
should reduce the window of opportunity. The first instance of this
we found is in scheudle_tail() where the code does:
$ less -N kernel/sched/core.c
4263 if (current->set_child_tid)
4264 put_user(task_pid_vnr(current), current->set_child_tid);
Here, the task_pid_vnr(current) is called within the block that has
enabled the user memory access. This can be made worse with KASAN
which makes task_pid_vnr() a rather large call with plenty of
opportunity to sleep.
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com
Suggested-by: Arnd Bergman <arnd@arndb.de>
--
Changes since v1:
- fixed formatting and updated the patch description with more info
Changes since v2:
- fixed commenting on __put_user() (schwab@linux-m68k.org)
Change since v3:
- fixed RFC in patch title. Should be ready to merge.
Cc: schwab@linux-m68k.org
Cc: dvyukov@google.com
Cc: linux-riscv@lists.infradead.org
Cc: paul.walmsley@sifive.com
Cc: palmer@dabbelt.com
Cc: alex@ghiti.fr
Cc: linux-kernel@lists.codethink.co.uk
---
arch/riscv/include/asm/uaccess.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
index 824b2c9da75b..f944062c9d99 100644
--- a/arch/riscv/include/asm/uaccess.h
+++ b/arch/riscv/include/asm/uaccess.h
@@ -306,7 +306,9 @@ do { \
* data types like structures or arrays.
*
* @ptr must have pointer-to-simple-variable type, and @x must be assignable
- * to the result of dereferencing @ptr.
+ * to the result of dereferencing @ptr. The value of @x is copied to avoid
+ * re-ordering where @x is evaluated inside the block that enables user-space
+ * access (thus bypassing user space protection if @x is a function).
*
* Caller must check the pointer with access_ok() before calling this
* function.
@@ -316,12 +318,13 @@ do { \
#define __put_user(x, ptr) \
({ \
__typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
+ __typeof__(*__gu_ptr) __val = (x); \
long __pu_err = 0; \
\
__chk_user_ptr(__gu_ptr); \
\
__enable_user_access(); \
- __put_user_nocheck(x, __gu_ptr, __pu_err); \
+ __put_user_nocheck(__val, __gu_ptr, __pu_err); \
__disable_user_access(); \
\
__pu_err; \
--
2.30.2
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v4] riscv: evaluate put_user() arg before enabling user access
2021-03-29 9:57 [PATCH v4] riscv: evaluate put_user() arg before enabling user access Ben Dooks
@ 2021-03-30 5:47 ` Palmer Dabbelt
2021-03-30 11:41 ` Ben Dooks
0 siblings, 1 reply; 3+ messages in thread
From: Palmer Dabbelt @ 2021-03-30 5:47 UTC (permalink / raw)
To: ben.dooks
Cc: linux-riscv, javier.jardon, kejia.hu, ben.dooks,
syzbot+e74b94fe601ab9552d69, Arnd Bergmann, schwab, dvyukov,
Paul Walmsley, alex, linux-kernel
On Mon, 29 Mar 2021 02:57:49 PDT (-0700), ben.dooks@codethink.co.uk wrote:
> The <asm/uaccess.h> header has a problem with put_user(a, ptr) if
> the 'a' is not a simple variable, such as a function. This can lead
> to the compiler producing code as so:
>
> 1: enable_user_access()
> 2: evaluate 'a' into register 'r'
> 3: put 'r' to 'ptr'
> 4: disable_user_acess()
>
> The issue is that 'a' is now being evaluated with the user memory
> protections disabled. So we try and force the evaulation by assigning
> 'x' to __val at the start, and hoping the compiler barriers in
> enable_user_access() do the job of ordering step 2 before step 1.
>
> This has shown up in a bug where 'a' sleeps and thus schedules out
> and loses the SR_SUM flag. This isn't sufficient to fully fix, but
> should reduce the window of opportunity. The first instance of this
> we found is in scheudle_tail() where the code does:
>
> $ less -N kernel/sched/core.c
>
> 4263 if (current->set_child_tid)
> 4264 put_user(task_pid_vnr(current), current->set_child_tid);
>
> Here, the task_pid_vnr(current) is called within the block that has
> enabled the user memory access. This can be made worse with KASAN
> which makes task_pid_vnr() a rather large call with plenty of
> opportunity to sleep.
>
> Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com
> Suggested-by: Arnd Bergman <arnd@arndb.de>
Thanks, this is on fixes.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v4] riscv: evaluate put_user() arg before enabling user access
2021-03-30 5:47 ` Palmer Dabbelt
@ 2021-03-30 11:41 ` Ben Dooks
0 siblings, 0 replies; 3+ messages in thread
From: Ben Dooks @ 2021-03-30 11:41 UTC (permalink / raw)
To: Palmer Dabbelt
Cc: linux-riscv, javier.jardon, kejia.hu,
syzbot+e74b94fe601ab9552d69, Arnd Bergmann, schwab, dvyukov,
Paul Walmsley, alex, linux-kernel
On 30/03/2021 06:47, Palmer Dabbelt wrote:
> On Mon, 29 Mar 2021 02:57:49 PDT (-0700), ben.dooks@codethink.co.uk wrote:
>> The <asm/uaccess.h> header has a problem with put_user(a, ptr) if
>> the 'a' is not a simple variable, such as a function. This can lead
>> to the compiler producing code as so:
>>
>> 1: enable_user_access()
>> 2: evaluate 'a' into register 'r'
>> 3: put 'r' to 'ptr'
>> 4: disable_user_acess()
>>
>> The issue is that 'a' is now being evaluated with the user memory
>> protections disabled. So we try and force the evaulation by assigning
>> 'x' to __val at the start, and hoping the compiler barriers in
>> enable_user_access() do the job of ordering step 2 before step 1.
>>
>> This has shown up in a bug where 'a' sleeps and thus schedules out
>> and loses the SR_SUM flag. This isn't sufficient to fully fix, but
>> should reduce the window of opportunity. The first instance of this
>> we found is in scheudle_tail() where the code does:
>>
>> $ less -N kernel/sched/core.c
>>
>> 4263 if (current->set_child_tid)
>> 4264 put_user(task_pid_vnr(current), current->set_child_tid);
>>
>> Here, the task_pid_vnr(current) is called within the block that has
>> enabled the user memory access. This can be made worse with KASAN
>> which makes task_pid_vnr() a rather large call with plenty of
>> opportunity to sleep.
>>
>> Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
>> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com
>> Suggested-by: Arnd Bergman <arnd@arndb.de>
>
> Thanks, this is on fixes.
Great. I still think we need a discussion on whether __switch_to()
also needs to save some of the flags from sstatus. I did some basic
tests and so far I think the SR_SUM is the only thing that should be
saved.
I'll try and finish writing this bug-trail up and seeing what else
needs to be done. I expect there may be other architectures that
have similar issues with put_user() and friends
At least the riscv stress testing can move forward with this in
place.
--
Ben Dooks http://www.codethink.co.uk/
Senior Engineer Codethink - Providing Genius
https://www.codethink.co.uk/privacy.html
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-30 11:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-29 9:57 [PATCH v4] riscv: evaluate put_user() arg before enabling user access Ben Dooks
2021-03-30 5:47 ` Palmer Dabbelt
2021-03-30 11:41 ` Ben Dooks
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.