[PATCH 1/2] cpumask: Introduce possible_cpu_safe()

[PATCH 1/2] cpumask: Introduce possible_cpu_safe()

[Dan Carpenter]

There have been two cases recently where we pass user a controlled "cpu"
to possible_cpus().  That's not allowed.  If it's invalid, it will
trigger a WARN_ONCE() and an out of bounds read which could result in an
Oops.

This patch introduces possible_cpu_safe() which first checks to see if
the cpu is valid, turns off speculation and then checks if the cpu is
possible.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 include/linux/cpumask.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
index 147bdec42215..515179760c54 100644
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -11,6 +11,7 @@
 #include <linux/threads.h>
 #include <linux/bitmap.h>
 #include <linux/bug.h>
+#include <linux/nospec.h>
 
 /* Don't assign or return these: may not be this big! */
 typedef struct cpumask { DECLARE_BITMAP(bits, NR_CPUS); } cpumask_t;
@@ -102,6 +103,7 @@ extern struct cpumask __cpu_active_mask;
 #define num_active_cpus()	cpumask_weight(cpu_active_mask)
 #define cpu_online(cpu)		cpumask_test_cpu((cpu), cpu_online_mask)
 #define cpu_possible(cpu)	cpumask_test_cpu((cpu), cpu_possible_mask)
+#define cpu_possible_safe(cpu)	cpumask_test_cpu_safe((cpu), cpu_possible_mask)
 #define cpu_present(cpu)	cpumask_test_cpu((cpu), cpu_present_mask)
 #define cpu_active(cpu)		cpumask_test_cpu((cpu), cpu_active_mask)
 #else
@@ -111,6 +113,7 @@ extern struct cpumask __cpu_active_mask;
 #define num_active_cpus()	1U
 #define cpu_online(cpu)		((cpu) = 0)
 #define cpu_possible(cpu)	((cpu) = 0)
+#define cpu_possible_safe(cpu)  ((cpu) = 0)
 #define cpu_present(cpu)	((cpu) = 0)
 #define cpu_active(cpu)		((cpu) = 0)
 #endif
@@ -344,6 +347,21 @@ static inline int cpumask_test_cpu(int cpu, const struct cpumask *cpumask)
 	return test_bit(cpumask_check(cpu), cpumask_bits((cpumask)));
 }
 
+/**
+ * cpumask_test_cpu_safe - test for a cpu in a cpumask
+ * @cpu: cpu number
+ * @cpumask: the cpumask pointer
+ *
+ * Returns 1 if @cpu is valid and set in @cpumask, else returns 0
+ */
+static inline int cpumask_test_cpu_safe(int cpu, const struct cpumask *cpumask)
+{
+	if ((unsigned int)cpu >= nr_cpu_ids)
+		return 0;
+	cpu = array_index_nospec(cpu, NR_CPUS);
+	return test_bit(cpu, cpumask_bits(cpumask));
+}
+
 /**
  * cpumask_test_and_set_cpu - atomically test and set a cpu in a cpumask
  * @cpu: cpu number (< nr_cpu_ids)
-- 
2.17.1

[PATCH 2/2] io_uring: Potential Oops in io_sq_offload_start()

[Dan Carpenter]

The "p->sq_thread_cpu" variable is an integer which comes from the user.
We can't pass values greater than NR_CPUS to cpu_possible() or it could
lead to an out of bound read and possibly an Oops.

The recently added cpu_possible_safe() function can handle unfiltered
input so lets use that instead.  This patch also removes the call to
array_index_nospec() since that is handled in cpu_possible_safe().

Fixes: 6c271ce2f1d5 ("io_uring: add submission polling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 fs/io_uring.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index c0fecb9d889f..9789887b0d36 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2240,16 +2240,13 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx,
 		ctx->sq_thread_idle = HZ;
 
 	ret = -EINVAL;
-	if (!cpu_possible(p->sq_thread_cpu))
+	if (!cpu_possible_safe(p->sq_thread_cpu))
 		goto err;
 
 	if (ctx->flags & IORING_SETUP_SQPOLL) {
 		if (p->flags & IORING_SETUP_SQ_AFF) {
-			int cpu;
-
-			cpu = array_index_nospec(p->sq_thread_cpu, NR_CPUS);
 			ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
-							ctx, cpu,
+							ctx, p->sq_thread_cpu,
 							"io_uring-sq");
 		} else {
 			ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
-- 
2.17.1

Re: [PATCH 1/2] cpumask: Introduce possible_cpu_safe()

[Michal Hocko]

On Thu 04-04-19 13:02:19, Dan Carpenter wrote:
> There have been two cases recently where we pass user a controlled "cpu"
> to possible_cpus().  That's not allowed.  If it's invalid, it will
> trigger a WARN_ONCE() and an out of bounds read which could result in an
> Oops.
> 
> This patch introduces possible_cpu_safe() which first checks to see if
> the cpu is valid, turns off speculation and then checks if the cpu is
> possible.

Why cannot we do the check in possible_cpu directly? Is it used from any
hot path? I am quite skeptical people will use the new helper
consistently.
-- 
Michal Hocko
SUSE Labs

Re: [PATCH 1/2] cpumask: Introduce possible_cpu_safe()

[Peter Zijlstra]

On Thu, Apr 04, 2019 at 12:35:28PM +0200, Michal Hocko wrote:
> On Thu 04-04-19 13:02:19, Dan Carpenter wrote:
> > There have been two cases recently where we pass user a controlled "cpu"
> > to possible_cpus().  That's not allowed.  If it's invalid, it will
> > trigger a WARN_ONCE() and an out of bounds read which could result in an
> > Oops.
> > 
> > This patch introduces possible_cpu_safe() which first checks to see if
> > the cpu is valid, turns off speculation and then checks if the cpu is
> > possible.
> 
> Why cannot we do the check in possible_cpu directly? Is it used from any
> hot path? I am quite skeptical people will use the new helper
> consistently.

Why only possible? What is to say stop anyone from using garbage (aka.
user input) in any other of the cpumask APIs.

I'd much rather have the explicit validate call and keep assuming @cpu
as used in the rest of the API is sane.

Re: [PATCH 1/2] cpumask: Introduce possible_cpu_safe()

[Peter Zijlstra]

On Thu, Apr 04, 2019 at 01:02:19PM +0300, Dan Carpenter wrote:
> There have been two cases recently where we pass user a controlled "cpu"
> to possible_cpus().  That's not allowed.  If it's invalid, it will
> trigger a WARN_ONCE() and an out of bounds read which could result in an
> Oops.

> +/**
> + * cpumask_test_cpu_safe - test for a cpu in a cpumask
> + * @cpu: cpu number
> + * @cpumask: the cpumask pointer
> + *
> + * Returns 1 if @cpu is valid and set in @cpumask, else returns 0
> + */
> +static inline int cpumask_test_cpu_safe(int cpu, const struct cpumask *cpumask)
> +{
> +	if ((unsigned int)cpu >= nr_cpu_ids)
> +		return 0;
> +	cpu = array_index_nospec(cpu, NR_CPUS);

That should be:

	cpu = array_index_nospec(cpu, nr_cpu_ids);

NR_CPUS might still be out-of-bounds for dynamically allocated cpumasks.

> +	return test_bit(cpu, cpumask_bits(cpumask));
> +}

That said; I don't particularly like this interface not its naming, how
about something like:

static inline unsigned int cpumask_validate_cpu(unsigned int cpu)
{
	if (cpu >= nr_cpumask_bits)
		return nr_cpumask_bits;
	return array_index_nospec(cpu, nr_cpumask_bits);
}

Which you can then use like:

	cpu = cpumask_validate_cpu(user_cpu);
	if (cpu >= nr_cpu_ids)
		return -ENORANGE;

	/* @cpu is valid, do what needs doing */

[PATCH v2 1/2] cpumask: Introduce possible_cpu_safe()

[Dan Carpenter]

There have been two cases recently where we pass user a controlled "cpu"
to possible_cpus().  That's not allowed.  If it's invalid, it will
trigger a WARN_ONCE() and an out of bounds read which could result in an
Oops.

This patch introduces possible_cpu_safe() which first checks to see if
the cpu is valid, turns off speculation and then checks if the cpu is
possible.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Use nr_cpumask_bits instead of NR_CPUS.
    Split cpumask_validate_cpu() into a separate function.

I still left cpumask_test_cpu_safe() return 0 for invalid cpus, instead
of returning -ERANGE I feel it's simpler to stay consistent with the
normal possible_cpu() function.

 include/linux/cpumask.h | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
index 147bdec42215..f371e44cb5ff 100644
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -11,6 +11,7 @@
 #include <linux/threads.h>
 #include <linux/bitmap.h>
 #include <linux/bug.h>
+#include <linux/nospec.h>
 
 /* Don't assign or return these: may not be this big! */
 typedef struct cpumask { DECLARE_BITMAP(bits, NR_CPUS); } cpumask_t;
@@ -102,6 +103,7 @@ extern struct cpumask __cpu_active_mask;
 #define num_active_cpus()	cpumask_weight(cpu_active_mask)
 #define cpu_online(cpu)		cpumask_test_cpu((cpu), cpu_online_mask)
 #define cpu_possible(cpu)	cpumask_test_cpu((cpu), cpu_possible_mask)
+#define cpu_possible_safe(cpu)	cpumask_test_cpu_safe((cpu), cpu_possible_mask)
 #define cpu_present(cpu)	cpumask_test_cpu((cpu), cpu_present_mask)
 #define cpu_active(cpu)		cpumask_test_cpu((cpu), cpu_active_mask)
 #else
@@ -111,6 +113,7 @@ extern struct cpumask __cpu_active_mask;
 #define num_active_cpus()	1U
 #define cpu_online(cpu)		((cpu) = 0)
 #define cpu_possible(cpu)	((cpu) = 0)
+#define cpu_possible_safe(cpu)  ((cpu) = 0)
 #define cpu_present(cpu)	((cpu) = 0)
 #define cpu_active(cpu)		((cpu) = 0)
 #endif
@@ -344,6 +347,28 @@ static inline int cpumask_test_cpu(int cpu, const struct cpumask *cpumask)
 	return test_bit(cpumask_check(cpu), cpumask_bits((cpumask)));
 }
 
+static inline unsigned int cpumask_validate_cpu(unsigned int cpu)
+{
+	if (cpu >= nr_cpumask_bits)
+		return nr_cpumask_bits;
+	return array_index_nospec(cpu, nr_cpumask_bits);
+}
+
+/**
+ * cpumask_test_cpu_safe - test for a cpu in a cpumask
+ * @cpu: cpu number
+ * @cpumask: the cpumask pointer
+ *
+ * Returns 1 if @cpu is valid and set in @cpumask, else returns 0
+ */
+static inline int cpumask_test_cpu_safe(int cpu, const struct cpumask *cpumask)
+{
+	cpu = cpumask_validate_cpu(cpu);
+	if (cpu >= nr_cpu_ids)
+		return 0;
+	return test_bit(cpu, cpumask_bits(cpumask));
+}
+
 /**
  * cpumask_test_and_set_cpu - atomically test and set a cpu in a cpumask
  * @cpu: cpu number (< nr_cpu_ids)
-- 
2.17.1

[PATCH v2 2/2] io_uring: Potential Oops in io_sq_offload_start()

[Dan Carpenter]

The "p->sq_thread_cpu" variable is an integer which comes from the user.
We can't pass values greater than NR_CPUS to cpu_possible() or it could
lead to an out of bound read and possibly an Oops.

The recently added cpu_possible_safe() function can handle unfiltered
input so lets use that instead.  This patch also removes the call to
array_index_nospec() since that is handled in cpu_possible_safe().

Fixes: 6c271ce2f1d5 ("io_uring: add submission polling")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
No change.

 fs/io_uring.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index c0fecb9d889f..9789887b0d36 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2240,16 +2240,13 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx,
 		ctx->sq_thread_idle = HZ;
 
 	ret = -EINVAL;
-	if (!cpu_possible(p->sq_thread_cpu))
+	if (!cpu_possible_safe(p->sq_thread_cpu))
 		goto err;
 
 	if (ctx->flags & IORING_SETUP_SQPOLL) {
 		if (p->flags & IORING_SETUP_SQ_AFF) {
-			int cpu;
-
-			cpu = array_index_nospec(p->sq_thread_cpu, NR_CPUS);
 			ctx->sqo_thread = kthread_create_on_cpu(io_sq_thread,
-							ctx, cpu,
+							ctx, p->sq_thread_cpu,
 							"io_uring-sq");
 		} else {
 			ctx->sqo_thread = kthread_create(io_sq_thread, ctx,
-- 
2.17.1

Re: [PATCH v2 2/2] io_uring: Potential Oops in io_sq_offload_start()

[Dan Carpenter]

The io_uring patches are slated for v5.7 so we should figure out a
solution for this bug.

regrds,
dan carpenter

Re: [PATCH v2 2/2] io_uring: Potential Oops in io_sq_offload_start()

[Dan Carpenter]

On Tue, Apr 30, 2019 at 12:26:19PM +0300, Dan Carpenter wrote:
> The io_uring patches are slated for v5.7 so we should figure out a
> solution for this bug.
> 

Never mind.  We merged a different fix.  975554b03edd
("io_uring: fix SQPOLL cpu validation").

regards,
dan carpenter