From: Christoph Hellwig <hch@lst.de>
To: Guenter Roeck <linux@roeck-us.net>
Cc: linux-arch@vger.kernel.org, Nick Hu <nickhu@andestech.com>,
linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org,
Palmer Dabbelt <palmer@dabbelt.com>,
Greentime Hu <green.hu@gmail.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Andrew Morton <akpm@linux-foundation.org>,
Vincent Chen <deanbo422@gmail.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check
Date: Tue, 21 Jul 2020 07:20:22 +0200 [thread overview]
Message-ID: <20200721052022.GA10011@lst.de> (raw)
In-Reply-To: <eb470677-b569-a6f0-e63b-60149b54863a@roeck-us.net>
On Mon, Jul 20, 2020 at 10:15:37PM -0700, Guenter Roeck wrote:
> >> - if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
> >> + if (CHECK_DATA_CORRUPTION(!uaccess_kernel(),
> >>
> >> How does this work anywhere ?
> >
> > No, that is the wrong check - we want to make sure the address
> > space override doesn't leak to userspace. The problem is that
> > armnommu (and m68knommu, but that doesn't call the offending
> > function) pretends to not have a kernel address space, which doesn't
> > really work. Here is the fix I sent out yesterday, which I should
> > have Cc'ed you on, sorry:
> >
>
> The patch below makes sense, and it does work, but I still suspect
> that something with your original patch is wrong, or at least suspicious.
> Reason: My change above (Adding the "!") works for _all_ of my arm boot
> tests. Or, in other words, it doesn't make a difference if true
> or false is passed as first parameter of CHECK_DATA_CORRUPTION(), except
> for nommu systems. Also, unless I am really missing something, your
> original patch _does_ reverse the logic.
Well. segment_eq is in current mainline used in two places:
1) to implement uaccess_kernel
2) in addr_limit_user_check to implement uaccess_kernel-like
semantics using a strange reverse notation
I think the explanation for your observation is how addr_limit_user_check
is called on arm. The addr_limit_check_failed wrapper for it is called
from assembly code, but only after already checking the addr_limit,
basically duplicating the segment_eq check. So for mmu builds it won't
get called unless we leak the kernel address space override, which
is a pretty fatal error and won't show up in your boot tests. The
only good way to test it is by explicit injecting it using the
lkdtm module.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2020-07-21 5:20 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 10:54 clean up address limit helpers v2 Christoph Hellwig
2020-07-14 10:55 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
2020-07-18 1:38 ` Guenter Roeck
2020-07-18 9:48 ` Christoph Hellwig
2020-07-18 14:54 ` Guenter Roeck
2020-07-20 22:10 ` Guenter Roeck
2020-07-21 4:58 ` Christoph Hellwig
2020-07-21 5:15 ` Guenter Roeck
2020-07-21 5:20 ` Christoph Hellwig [this message]
2020-07-21 5:30 ` Guenter Roeck
2020-07-21 5:35 ` Christoph Hellwig
2020-07-14 10:55 ` [PATCH 2/6] nds32: use uaccess_kernel in show_regs Christoph Hellwig
2020-07-14 10:55 ` [PATCH 3/6] riscv: include <asm/pgtable.h> in <asm/uaccess.h> Christoph Hellwig
2020-07-14 10:55 ` [PATCH 4/6] uaccess: remove segment_eq Christoph Hellwig
2020-07-14 15:27 ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 5/6] uaccess: add force_uaccess_{begin,end} helpers Christoph Hellwig
2020-07-14 15:29 ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 6/6] exec: use force_uaccess_begin during exec and exit Christoph Hellwig
2020-07-15 3:33 ` Eric W. Biederman
2020-07-15 6:06 ` Christoph Hellwig
2020-07-16 23:49 ` clean up address limit helpers v2 Andrew Morton
2020-07-17 6:06 ` Christoph Hellwig
2020-07-20 15:54 ` [PATCH 0/6] arm: don't call addr_limit_user_check for nommu Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2020-07-10 13:57 clean up address limit helpers Christoph Hellwig
2020-07-10 13:57 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200721052022.GA10011@lst.de \
--to=hch@lst.de \
--cc=akpm@linux-foundation.org \
--cc=deanbo422@gmail.com \
--cc=green.hu@gmail.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux@roeck-us.net \
--cc=nickhu@andestech.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).