References: <20201120030411.2690816-1-lokeshgidra@google.com> <20201120030411.2690816-2-lokeshgidra@google.com>
In-Reply-To: <20201120030411.2690816-2-lokeshgidra@google.com>
From: Lokesh Gidra
Date: Thu, 19 Nov 2020 19:09:34 -0800
Subject: Re: [PATCH v6 1/2] Add UFFD_USER_MODE_ONLY
To: Kees Cook, Jonathan Corbet, Peter Xu, Andrea Arcangeli, Sebastian Andrzej Siewior, Andrew Morton
Cc: Alexander Viro, Stephen Smalley, Eric Biggers, Daniel Colascione, "Joel Fernandes (Google)", Linux FS Devel, linux-kernel, linux-doc@vger.kernel.org, Kalesh Singh, Calin Juravle, Suren Baghdasaryan, Jeffrey Vander Stoep, "Cc: Android Kernel", Mike Rapoport, Shaohua Li, Jerome Glisse, Mauro Carvalho Chehab, Johannes Weiner, Mel Gorman, Nitin Gupta, Vlastimil Babka, Iurii Zaikin, Luis Chamberlain, "open list:MEMORY MANAGEMENT"
X-Mailing-List: linux-fsdevel@vger.kernel.org

On Thu, Nov 19, 2020 at 7:04 PM Lokesh Gidra wrote:
>
> userfaultfd handles page faults from both user and kernel code.
> Add a new UFFD_USER_MODE_ONLY flag for userfaultfd(2) that makes
> the resulting userfaultfd object refuse to handle faults from kernel
> mode, treating these faults as if SIGBUS were always raised, causing
> the kernel code to fail with EFAULT.
>
> A future patch adds a knob allowing administrators to give some
> processes the ability to create userfaultfd file objects only if they
> pass UFFD_USER_MODE_ONLY, reducing the likelihood that these processes
> will exploit userfaultfd's ability to delay kernel page faults to open
> timing windows for future exploits.
>
> Signed-off-by: Daniel Colascione
> Signed-off-by: Lokesh Gidra
> Reviewed-by: Andrea Arcangeli
> ---
> fs/userfaultfd.c | 10 +++++++++-
> include/uapi/linux/userfaultfd.h | 9 +++++++++
> 2 files changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index 000b457ad087..605599fde015 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -405,6 +405,13 @@ vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason) > > if (ctx->features & UFFD_FEATURE_SIGBUS) > goto out; > + if ((vmf->flags & FAULT_FLAG_USER) == 0 && > + ctx->flags & UFFD_USER_MODE_ONLY) { > + printk_once(KERN_WARNING "uffd: Set unprivileged_userfaultfd " > + "sysctl knob to 1 if kernel faults must be handled " > + "without obtaining CAP_SYS_PTRACE capability\n"); > + goto out; > + } > > /* > * If it's already released don't get it. This avoids to loop > @@ -1965,10 +1972,11 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > BUG_ON(!current->mm); > > /* Check the UFFD_* constants for consistency. */ > + BUILD_BUG_ON(UFFD_USER_MODE_ONLY & UFFD_SHARED_FCNTL_FLAGS); > BUILD_BUG_ON(UFFD_CLOEXEC != O_CLOEXEC); > BUILD_BUG_ON(UFFD_NONBLOCK != O_NONBLOCK); > > - if (flags & ~UFFD_SHARED_FCNTL_FLAGS) > + if (flags & ~(UFFD_SHARED_FCNTL_FLAGS | UFFD_USER_MODE_ONLY)) > return -EINVAL; > > ctx = kmem_cache_alloc(userfaultfd_ctx_cachep, GFP_KERNEL); > diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h > index e7e98bde221f..5f2d88212f7c 100644 > --- a/include/uapi/linux/userfaultfd.h > +++ b/include/uapi/linux/userfaultfd.h > @@ -257,4 +257,13 @@ struct uffdio_writeprotect { > __u64 mode; > }; > > +/* > + * Flags for the userfaultfd(2) system call itself. > + */ > + > +/* > + * Create a userfaultfd that can handle page faults only in user mode. > + */ > +#define UFFD_USER_MODE_ONLY 1 > + > #endif /* _LINUX_USERFAULTFD_H */ > -- > 2.29.0.rc1.297.gfa9743e501-goog > Adding linux-mm@kvack.org mailing list
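Review bot: in the handle_userfault() hunk, the printk_once text tells the administrator to set the unprivileged_userfaultfd sysctl knob to 1 and mentions CAP_SYS_PTRACE, but neither the knob nor that capability check is part of this patch (the commit message defers the knob to a future patch), so the message either belongs in the patch that adds the knob or should describe only what this patch does, e.g. that a kernel-mode fault was refused because the fd was created with UFFD_USER_MODE_ONLY. Minor style point: the first operand is written `(vmf->flags & FAULT_FLAG_USER) == 0` while the second is a bare `ctx->flags & UFFD_USER_MODE_ONLY`; precedence is correct, but parenthesising both reads more consistently. Reusing the UFFD_FEATURE_SIGBUS `goto out` exit matches the commit message's "as if SIGBUS were always raised", which is the right semantics here.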
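Review bot: in the SYSCALL_DEFINE1(userfaultfd) hunk, the EINVAL mask is widened to accept UFFD_USER_MODE_ONLY, but the diff does not show where ctx->flags is populated from `flags`, and the handle_userfault() check reads the new bit back from ctx->flags; confirm that the (unchanged) assignment stores the raw syscall flags including UFFD_USER_MODE_ONLY rather than a value masked to UFFD_SHARED_FCNTL_FLAGS, otherwise the fd would silently behave as an unrestricted one. The added `BUILD_BUG_ON(UFFD_USER_MODE_ONLY & UFFD_SHARED_FCNTL_FLAGS)` is the right guard against the new bit colliding with O_CLOEXEC or O_NONBLOCK, given that the uapi header picks the value 1.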
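Review bot: in the include/uapi/linux/userfaultfd.h hunk, the comment on UFFD_USER_MODE_ONLY only says the fd "can handle page faults only in user mode"; since this header is the userspace contract, it should also state the observable effect (faults raised from kernel mode on registered ranges are treated as SIGBUS, so the faulting syscall fails with EFAULT). The diffstat shows no documentation change for the new flag even though linux-doc is on Cc, so the userfaultfd documentation and the userfaultfd(2) man page should get a matching update.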
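The behaviour the commit message describes, as an added example that is not part of the patch or the kernel tree: a userspace program creates a userfaultfd with UFFD_USER_MODE_ONLY, registers an untouched anonymous page, and makes the kernel itself fault on that page by passing it to write(2). The function kernel_fault_is_refused() and the demo_result enum are this example's own names; it assumes a Linux kernel that carries this patch and reports "unavailable" rather than failing when userfaultfd cannot be set up (older kernel, seccomp, or sysctl policy).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/userfaultfd.h>

#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1  /* value from the patch, for older uapi headers */
#endif

/* Example code, not from the patch. DEMO_EFAULT: the kernel refused the
 * kernel-mode fault (what UFFD_USER_MODE_ONLY adds); DEMO_UNAVAILABLE:
 * userfaultfd cannot be set up here (old kernel, seccomp, sysctl policy). */
enum demo_result { DEMO_EFAULT = 0, DEMO_UNAVAILABLE = 1, DEMO_UNEXPECTED = 2 };

enum demo_result kernel_fault_is_refused(void)
{
    enum demo_result res = DEMO_UNAVAILABLE;
    long page = sysconf(_SC_PAGESIZE);
    int pipefd[2] = { -1, -1 };
    char *region = MAP_FAILED;
    ssize_t n;
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    struct uffdio_register reg = { .mode = UFFDIO_REGISTER_MODE_MISSING };

    int uffd = (int)syscall(__NR_userfaultfd,
                            O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
    if (uffd < 0) return DEMO_UNAVAILABLE;   /* EINVAL: flag unknown; EPERM/ENOSYS: policy */
    if (ioctl(uffd, UFFDIO_API, &api) < 0) goto out;

    /* Untouched anonymous page: its first access is a MISSING fault. */
    region = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED || pipe(pipefd) < 0) { res = DEMO_UNEXPECTED; goto out; }
    reg.range.start = (unsigned long)region;
    reg.range.len = page;
    if (ioctl(uffd, UFFDIO_REGISTER, &reg) < 0) goto out;

    /* write(2) makes the kernel read the region, so the fault is raised in
     * kernel mode. No handler thread exists: without UFFD_USER_MODE_ONLY this
     * call would block forever; with it the fault counts as SIGBUS and
     * write() fails with EFAULT. */
    n = write(pipefd[1], region, 16);
    res = (n < 0 && errno == EFAULT) ? DEMO_EFAULT : DEMO_UNEXPECTED;
out:
    if (pipefd[0] >= 0) { close(pipefd[0]); close(pipefd[1]); }
    if (region != MAP_FAILED) munmap(region, page);
    close(uffd);
    return res;
}
```

On a kernel with the patch the function returns DEMO_EFAULT; removing UFFD_USER_MODE_ONLY from the syscall flags would make the same write() wait indefinitely for a handler that never comes, which is exactly the delay the flag is meant to deny.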