From: Kees Cook <keescook@chromium.org>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>,
kvm@vger.kernel.org, Szabolcs Nagy <Szabolcs.Nagy@arm.com>,
Will Deacon <will.deacon@arm.com>,
dri-devel@lists.freedesktop.org,
Linux Memory Management List <linux-mm@kvack.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
Vincenzo Frascino <vincenzo.frascino@arm.com>,
Jacob Bramley <Jacob.Bramley@arm.com>,
Leon Romanovsky <leon@kernel.org>,
linux-rdma@vger.kernel.org, amd-gfx@lists.freedesktop.org,
Dmitry Vyukov <dvyukov@google.com>,
Dave Martin <Dave.Martin@arm.com>,
Evgenii Stepanov <eugenis@google.com>,
linux-media@vger.kernel.org,
Kevin Brodsky <kevin.brodsky@arm.com>,
Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>,
Andrey Konovalov <andreyknvl@google.com>,
Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
Alex Williamson <alex.williamson@redhat.com>,
Yishai Hadas <yishaih@mellanox.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Kostya Serebryany <kcc@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Felix Kuehling <Felix.Kuehling@amd.com>,
LKML <linux-kernel@vger.kernel.org>,
Jens Wiklander <jens.wiklander@linaro.org>,
Lee Smith <Lee.Smith@arm.com>,
Alexander Deucher <Alexander.Deucher@amd.com>,
Andrew Morton <akpm@linux-foundation.org>, enh <enh@google.com>,
Robin Murphy <robin.murphy@arm.com>,
Christian Koenig <Christian.Koenig@amd.com>,
Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
Subject: Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel
Date: Thu, 23 May 2019 14:31:16 -0700 [thread overview]
Message-ID: <201905231327.77CA8D0A36@keescook> (raw)
In-Reply-To: <20190523174345.6sv3kcipkvlwfmox@mbp>
On Thu, May 23, 2019 at 06:43:46PM +0100, Catalin Marinas wrote:
> On Thu, May 23, 2019 at 09:38:19AM -0700, Kees Cook wrote:
> > What on this front would you be comfortable with? Given it's a new
> > feature isn't it sufficient to have a CONFIG (and/or boot option)?
>
> I'd rather avoid re-building kernels. A boot option would do, unless we
> see value in a per-process (inherited) personality or prctl. The
I think I've convinced myself that the normal<->TBI ABI control should
be a boot parameter. More below...
> > What about testing tools that intentionally insert high bits for syscalls
> > and are _expecting_ them to fail? It seems the TBI series will break them?
> > In that case, do we need to opt into TBI as well?
>
> If there are such tools, then we may need a per-process control. It's
> basically an ABI change.
syzkaller already attempts to randomly inject non-canonical and
0xFFFF....FFFF addresses for user pointers in syscalls in an effort to
find bugs like CVE-2017-5123 where waitid() via unchecked put_user() was
able to write directly to kernel memory[1].
It seems that using TBI by default and not allowing a switch back to
"normal" ABI without a reboot actually means that userspace cannot inject
kernel pointers into syscalls any more, since they'll get universally
stripped now. Is my understanding correct, here? i.e. exploiting
CVE-2017-5123 would be impossible under TBI?
If so, then I think we should commit to the TBI ABI and have a boot
flag to disable it, but NOT have a process flag, as that would allow
attackers to bypass the masking. The only flag should be "TBI or MTE".
If so, can I get top byte masking for other architectures too? Like,
just to strip high bits off userspace addresses? ;)
(Oh, in looking I see this is implemented with sign-extension... why
not just a mask? So it'll either be valid userspace address or forced
into the non-canonical range?)
[1] https://salls.github.io/Linux-Kernel-CVE-2017-5123/
> > Alright, the tl;dr appears to be:
> > - you want more assurances that we can find __user stripping in the
> > kernel more easily. (But this seems like a parallel problem.)
>
> Yes, and that we found all (most) cases now. The reason I don't see it
> as a parallel problem is that, as maintainer, I promise an ABI to user
> and I'd rather stick to it. I don't want, for example, ncurses to stop
> working because of some ioctl() rejecting tagged pointers.
But this is what I don't understand: it would need to be ncurses _using
TBI_, that would stop working (having started to work before, but then
regress due to a newly added one-off bug). Regular ncurses will be fine
because it's not using TBI. So The Golden Rule isn't violated, and by
definition, it's a specific regression caused by some bug (since TBI
would have had to have worked _before_ in the situation to be considered
a regression now). Which describes the normal path for kernel
development... add feature, find corner cases where it doesn't work,
fix them, encounter new regressions, fix those, repeat forever.
> If it's just the occasional one-off bug I'm fine to deal with it. But
> no-one convinced me yet that this is the case.
You believe there still to be some systemic cases that haven't been
found yet? And even if so -- isn't it better to work on that
incrementally?
> As for the generic driver code (filesystems or other subsystems),
> without some clear direction for developers, together with static
> checking/sparse, on how user pointers are cast to longs (one example),
> it would become my responsibility to identify and fix them up with any
> kernel release. This series is not providing such guidance, just adding
> untagged_addr() in some places that we think matter.
What about adding a nice bit of .rst documentation that describes the
situation and shows how to use untagged_addr(). This is the kind of
kernel-wide change that "everyone" needs to know about, and shouldn't
be the arch maintainer's sole responsibility to fix.
> > - we might need to opt in to TBI with a prctl()
>
> Yes, although still up for discussion.
I think I've talked myself out of it. I say boot param only! :)
So what do you say to these next steps:
- change untagged_addr() to use a static branch that is controlled with
a boot parameter.
- add, say, Documentation/core-api/user-addresses.rst to describe
proper care and handling of user space pointers with untagged_addr(),
with examples based on all the cases seen so far in this series.
- continue work to improve static analysis.
Thanks for wading through this with me! :)
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-05-23 21:31 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-06 16:30 [PATCH v15 00/17] arm64: untag user pointers passed to the kernel Andrey Konovalov
2019-05-06 16:30 ` [PATCH v15 01/17] uaccess: add untagged_addr definition for other arches Andrey Konovalov
2019-05-29 14:49 ` Khalid Aziz
2019-05-06 16:30 ` [PATCH v15 02/17] arm64: untag user pointers in access_ok and __uaccess_mask_ptr Andrey Konovalov
2019-05-06 16:30 ` [PATCH v15 03/17] lib, arm64: untag user pointers in strn*_user Andrey Konovalov
2019-05-22 10:41 ` Catalin Marinas
2019-05-06 16:30 ` [PATCH v15 04/17] mm: add ksys_ wrappers to memory syscalls Andrey Konovalov
2019-05-22 10:56 ` Catalin Marinas
2019-05-06 16:30 ` [PATCH v15 05/17] arms64: untag user pointers passed " Andrey Konovalov
2019-05-22 11:49 ` Catalin Marinas
2019-05-22 21:16 ` Evgenii Stepanov
2019-05-23 9:04 ` Catalin Marinas
2019-05-24 4:23 ` Evgenii Stepanov
2019-05-24 15:41 ` Andrew Murray
2019-05-25 9:57 ` Catalin Marinas
2019-05-27 9:42 ` Catalin Marinas
2019-05-27 14:37 ` Catalin Marinas
2019-05-28 14:54 ` Andrew Murray
2019-05-28 15:40 ` Catalin Marinas
2019-05-28 15:56 ` Dave Martin
2019-05-28 16:34 ` Catalin Marinas
2019-05-29 12:42 ` Dave Martin
2019-05-29 13:23 ` Catalin Marinas
2019-05-29 15:18 ` Dave Martin
2019-05-28 23:33 ` Khalid Aziz
2019-05-29 14:20 ` Catalin Marinas
2019-05-29 19:16 ` Khalid Aziz
2019-05-30 15:11 ` Catalin Marinas
2019-05-30 16:05 ` Khalid Aziz
2019-05-30 16:57 ` Catalin Marinas
2019-05-28 13:05 ` Catalin Marinas
2019-05-06 16:30 ` [PATCH v15 06/17] mm: untag user pointers in do_pages_move Andrey Konovalov
2019-05-22 11:51 ` Catalin Marinas
2019-05-06 16:30 ` [PATCH v15 07/17] mm, arm64: untag user pointers in mm/gup.c Andrey Konovalov
2019-05-22 11:56 ` Catalin Marinas
2019-05-06 16:30 ` [PATCH v15 08/17] mm, arm64: untag user pointers in get_vaddr_frames Andrey Konovalov
2019-05-06 16:30 ` [PATCH v15 09/17] fs, arm64: untag user pointers in copy_mount_options Andrey Konovalov
2019-05-22 12:09 ` Catalin Marinas
2019-05-06 16:30 ` [PATCH v15 10/17] fs, arm64: untag user pointers in fs/userfaultfd.c Andrey Konovalov
2019-05-06 16:30 ` [PATCH v15 11/17] drm/amdgpu, arm64: untag user pointers Andrey Konovalov
2019-05-07 16:43 ` Kuehling, Felix
2019-05-06 16:30 ` [PATCH v15 12/17] drm/radeon, arm64: untag user pointers in radeon_gem_userptr_ioctl Andrey Konovalov
2019-05-07 16:44 ` Kuehling, Felix
2019-05-06 16:30 ` [PATCH v15 13/17] IB, arm64: untag user pointers in ib_uverbs_(re)reg_mr() Andrey Konovalov
2019-05-06 19:50 ` Jason Gunthorpe
2019-05-07 6:33 ` Leon Romanovsky
2019-05-06 16:31 ` [PATCH v15 14/17] media/v4l2-core, arm64: untag user pointers in videobuf_dma_contig_user_get Andrey Konovalov
2019-05-24 13:13 ` Mauro Carvalho Chehab
2019-05-06 16:31 ` [PATCH v15 15/17] tee, arm64: untag user pointers in tee_shm_register Andrey Konovalov
2019-05-06 16:31 ` [PATCH v15 16/17] vfio/type1, arm64: untag user pointers in vaddr_get_pfn Andrey Konovalov
2019-05-06 16:31 ` [PATCH v15 17/17] selftests, arm64: add a selftest for passing tagged pointers to kernel Andrey Konovalov
2019-05-22 14:16 ` Catalin Marinas
2019-05-31 14:21 ` Andrey Konovalov
2019-05-31 16:22 ` Catalin Marinas
2019-05-17 14:49 ` [PATCH v15 00/17] arm64: untag user pointers passed to the kernel Catalin Marinas
2019-05-20 23:53 ` Evgenii Stepanov
2019-05-21 18:29 ` Catalin Marinas
2019-05-22 0:04 ` Kees Cook
2019-05-22 10:11 ` Catalin Marinas
2019-05-22 15:30 ` enh
2019-05-22 16:35 ` Catalin Marinas
2019-05-22 16:58 ` enh
2019-05-23 15:21 ` Catalin Marinas
2019-05-22 20:47 ` Kees Cook
2019-05-22 23:03 ` Evgenii Stepanov
2019-05-22 23:09 ` enh
2019-05-23 7:34 ` Catalin Marinas
2019-05-23 14:44 ` Catalin Marinas
2019-05-23 15:44 ` enh
2019-05-23 17:00 ` Catalin Marinas
2019-05-23 16:38 ` Kees Cook
2019-05-23 17:43 ` Catalin Marinas
2019-05-23 21:31 ` Kees Cook [this message]
2019-05-24 11:20 ` Catalin Marinas
2019-05-28 17:02 ` Catalin Marinas
2019-06-02 5:06 ` Kees Cook
2019-05-22 19:21 ` Kees Cook
2019-05-22 20:15 ` enh
2019-05-23 15:08 ` Catalin Marinas
2019-05-23 17:51 ` Khalid Aziz
2019-05-23 20:11 ` Catalin Marinas
2019-05-23 21:42 ` Khalid Aziz
2019-05-23 21:49 ` Khalid Aziz
2019-05-24 10:11 ` Catalin Marinas
2019-05-24 14:25 ` Khalid Aziz
2019-05-28 14:14 ` Andrey Konovalov
2019-05-29 6:11 ` Christoph Hellwig
2019-05-29 12:12 ` Catalin Marinas
2019-05-30 17:15 ` Catalin Marinas
2019-05-31 14:29 ` Andrey Konovalov
2019-05-31 16:19 ` Catalin Marinas
2019-05-31 16:24 ` Andrey Konovalov
2019-05-31 16:46 ` Catalin Marinas
2019-05-21 18:48 ` Jason Gunthorpe
2019-05-22 13:49 ` Dave Martin
2019-05-23 0:20 ` Jason Gunthorpe
2019-05-23 10:42 ` Dave Martin
2019-05-23 16:57 ` Catalin Marinas
2019-05-24 14:23 ` Dave Martin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201905231327.77CA8D0A36@keescook \
--to=keescook@chromium.org \
--cc=Alexander.Deucher@amd.com \
--cc=Christian.Koenig@amd.com \
--cc=Dave.Martin@arm.com \
--cc=Felix.Kuehling@amd.com \
--cc=Jacob.Bramley@arm.com \
--cc=Lee.Smith@arm.com \
--cc=Ramana.Radhakrishnan@arm.com \
--cc=Ruben.Ayrapetyan@arm.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=akpm@linux-foundation.org \
--cc=alex.williamson@redhat.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=andreyknvl@google.com \
--cc=catalin.marinas@arm.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=dvyukov@google.com \
--cc=enh@google.com \
--cc=eugenis@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jens.wiklander@linaro.org \
--cc=kcc@google.com \
--cc=kevin.brodsky@arm.com \
--cc=khalid.aziz@oracle.com \
--cc=kvm@vger.kernel.org \
--cc=leon@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-rdma@vger.kernel.org \
--cc=luc.vanoostenryck@gmail.com \
--cc=mark.rutland@arm.com \
--cc=mchehab@kernel.org \
--cc=robin.murphy@arm.com \
--cc=vincenzo.frascino@arm.com \
--cc=will.deacon@arm.com \
--cc=yishaih@mellanox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).