linux-next.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Randy Dunlap <rdunlap@infradead.org>,
	akpm@linux-foundation.org, broonie@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, linux-next@vger.kernel.org, mhocko@suse.cz,
	mm-commits@vger.kernel.org, sfr@canb.auug.org.au
Subject: Re: mmotm 2019-08-27-20-39 uploaded (objtool: xen)
Date: Thu, 29 Aug 2019 10:24:45 +0200	[thread overview]
Message-ID: <20190829082445.GM2369@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20190828200134.d3lwgyunlpxc6cbn@treble>

On Wed, Aug 28, 2019 at 03:01:34PM -0500, Josh Poimboeuf wrote:
> On Wed, Aug 28, 2019 at 10:56:25AM -0700, Randy Dunlap wrote:
> > >> drivers/xen/gntdev.o: warning: objtool: gntdev_copy()+0x229: call to __ubsan_handle_out_of_bounds() with UACCESS enabled
> > > 
> > > Easy one :-)
> > > 
> > > diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> > > index 0c8e17f946cd..6a935ab93149 100644
> > > --- a/tools/objtool/check.c
> > > +++ b/tools/objtool/check.c
> > > @@ -483,6 +483,7 @@ static const char *uaccess_safe_builtin[] = {
> > >  	"ubsan_type_mismatch_common",
> > >  	"__ubsan_handle_type_mismatch",
> > >  	"__ubsan_handle_type_mismatch_v1",
> > > +	"__ubsan_handle_out_of_bounds",
> > >  	/* misc */
> > >  	"csum_partial_copy_generic",
> > >  	"__memcpy_mcsafe",
> > > 
> > 
> > 
> > then I get this one:
> > 
> > lib/ubsan.o: warning: objtool: __ubsan_handle_out_of_bounds()+0x5d: call to ubsan_prologue() with UACCESS enabled
> 
> And of course I jinxed it by calling it easy.
> 
> Peter, how do you want to handle this?
> 
> Should we just disable UACCESS checking in lib/ubsan.c?

No, that is actually unsafe and could break things (as would you patch
above).

I'm thinking the below patch ought to cure things:

---
Subject: x86/uaccess: Don't leak the AC flags into __get_user() argument evalidation

Identical to __put_user(); the __get_user() argument evalution will too
leak UBSAN crud into the __uaccess_begin() / __uaccess_end() region.
While uncommon this was observed to happen for:

  drivers/xen/gntdev.c: if (__get_user(old_status, batch->status[i]))

where UBSAN added array bound checking.

This complements commit:

  6ae865615fc4 ("x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation")

Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: luto@kernel.org
---
 arch/x86/include/asm/uaccess.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 9c4435307ff8..35c225ede0e4 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -444,8 +444,10 @@ __pu_label:							\
 ({									\
 	int __gu_err;							\
 	__inttype(*(ptr)) __gu_val;					\
+	__typeof__(ptr) __gu_ptr = (ptr);				\
+	__typeof__(size) __gu_size = (size);				\
 	__uaccess_begin_nospec();					\
-	__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);	\
+	__get_user_size(__gu_val, __gu_ptr, __gu_size, __gu_err, -EFAULT);	\
 	__uaccess_end();						\
 	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
 	__builtin_expect(__gu_err, 0);					\

  reply	other threads:[~2019-08-29  8:25 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-28  3:40 mmotm 2019-08-27-20-39 uploaded akpm
2019-08-28 16:58 ` mmotm 2019-08-27-20-39 uploaded (objtool: xen) Randy Dunlap
2019-08-28 17:19   ` Josh Poimboeuf
2019-08-28 17:56     ` Randy Dunlap
2019-08-28 20:01       ` Josh Poimboeuf
2019-08-29  8:24         ` Peter Zijlstra [this message]
2019-08-29 23:37           ` Josh Poimboeuf
2019-08-30  4:10             ` Sedat Dilek
2019-08-28 17:59 ` mmotm 2019-08-27-20-39 uploaded (gpu/drm/amd/display/) Randy Dunlap
2019-08-28 18:53   ` Alex Deucher
2019-08-28 18:30 ` mmotm 2019-08-27-20-39 uploaded (sound/hda/intel-nhlt.c) Randy Dunlap
2019-08-28 19:28   ` Pierre-Louis Bossart
2019-08-28 21:06     ` Randy Dunlap
2019-08-28 22:20       ` Pierre-Louis Bossart
2019-08-28 22:45         ` Pierre-Louis Bossart
2019-08-28 22:59           ` Randy Dunlap
2019-08-29  2:26             ` Randy Dunlap
2019-08-29 15:08           ` [alsa-devel] " Takashi Iwai
2019-08-29 16:22             ` Pierre-Louis Bossart

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190829082445.GM2369@hirez.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=akpm@linux-foundation.org \
    --cc=broonie@kernel.org \
    --cc=jpoimboe@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-next@vger.kernel.org \
    --cc=mhocko@suse.cz \
    --cc=mm-commits@vger.kernel.org \
    --cc=rdunlap@infradead.org \
    --cc=sfr@canb.auug.org.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).