From: Andrey Konovalov <andreyknvl@google.com>
To: Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will.deacon@arm.com>, Mark Rutland <mark.rutland@arm.com>, Robin Murphy <robin.murphy@arm.com>, Kees Cook <keescook@chromium.org>, Kate Stewart <kstewart@linuxfoundation.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Andrew Morton <akpm@linux-foundation.org>, Ingo Molnar <mingo@kernel.org>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, Shuah Khan <shuah@kernel.org>, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Chintan Pandya <cpandya@codeaurora.org>, Jacob Bramley <Jacob.Bramley@arm.com>, Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>, Andrey Konovalov <andreyknvl@google.com>, Lee Smith <Lee.Smith@arm.com>, Kostya Serebryany <kcc@google.com>, Dmitry Vyukov <dvyukov@google.com>, Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>, Luc Van Oostenryck <luc.vanoostenryck@gmail.com>, Evgeniy Stepanov <eugenis@google.com>
Subject: [PATCH v9 3/8] arm64: untag user addresses in access_ok and __uaccess_mask_ptr
Date: Mon, 10 Dec 2018 13:51:00 +0100
Message-ID: <674252952827b57f4259876cd4ddf802f3539356.1544445454.git.andreyknvl@google.com>
In-Reply-To: <cover.1544445454.git.andreyknvl@google.com>

copy_from_user (and a few other similar functions) are used to copy data from user memory into the kernel memory or vice versa. Since a user can provide a tagged pointer to one of the syscalls that use copy_from_user, we need to correctly handle such pointers.

Do this by untagging user pointers in access_ok and in __uaccess_mask_ptr, before performing access validity checks.

Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
--- arch/arm64/include/asm/uaccess.h | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 3c3864ba3cc1..d28c3b1314ce 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -104,7 +104,8 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si #define untagged_addr(addr) \ ((__typeof__(addr))sign_extend64((u64)(addr), 55)) -#define access_ok(type, addr, size) __range_ok(addr, size) +#define access_ok(type, addr, size) \ + __range_ok(untagged_addr(addr), size) #define user_addr_max get_fs #define _ASM_EXTABLE(from, to) \ @@ -236,7 +237,8 @@ static inline void uaccess_enable_not_uao(void) /* * Sanitise a uaccess pointer such that it becomes NULL if above the - * current addr_limit. + * current addr_limit. In case the pointer is tagged (has the top byte set), + * untag the pointer before checking. */ #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) static inline void __user *__uaccess_mask_ptr(const void __user *ptr) @@ -244,10 +246,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) void __user *safe_ptr; asm volatile( - " bics xzr, %1, %2\n" + " bics xzr, %3, %2\n" " csel %0, %1, xzr, eq\n" : "=&r" (safe_ptr) - : "r" (ptr), "r" (current_thread_info()->addr_limit) + : "r" (ptr), "r" (current_thread_info()->addr_limit), + "r" (untagged_addr(ptr)) : "cc"); csdb(); -- 2.20.0.rc2.403.gdbc3b29805-goog
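Review bot: In the first hunk (@@ -104,7), the new access_ok definition range-checks untagged_addr(addr) while callers keep using their original, still-tagged addr, and nothing beside the macro records that. Suggest a short comment above access_ok stating that the top-byte tag is ignored for the range check only and is not stripped from the caller's pointer. Since the context lines show untagged_addr sign-extending from bit 55, the comment could also say that an address with bit 55 set gets its top byte extended to all ones rather than cleared.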
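Review bot: In the second hunk (@@ -236,7), the added comment sentence says the pointer is untagged "before checking" but does not say what is returned; per the asm in the hunk that follows, csel still selects %1, the original tagged ptr. Suggest wording along the lines of "the check is done on the untagged address; the returned pointer keeps its tag". Also, "has the top byte set" can be read as the whole byte being 0xff; "has a non-zero top byte" would be more precise.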
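Review bot: In the third hunk (@@ -244,10), bics now reads %3 while csel keeps %1, and the difference between the two is only visible by counting entries in the input list. Named operands, for example [ptr], [limit] and [untagged], would make it plain that the comparison uses untagged_addr(ptr) and the selected result is the tagged ptr, and would avoid renumbering mistakes if another operand is added later. A one-line comment in the asm on why the tagged value is the one returned would help as well.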