From: Mark Rutland <mark.rutland@arm.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org, Jan Kara <jack@suse.cz>,
kernel-hardening@lists.openwall.com,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
linux-mm@kvack.org, sparclinux@vger.kernel.org,
linux-ia64@vger.kernel.org, Christoph Lameter <cl@linux.com>,
Andrea Arcangeli <aarcange@redhat.com>,
linux-arch@vger.kernel.org, Michael Ellerman <mpe@ellerman.id.au>,
x86@kernel.org, Russell King <linux@armlinux.org.uk>,
linux-arm-kernel@lists.infradead.org,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
PaX Team <pageexec@freemail.hu>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>,
Fenghua Yu <fenghua.yu@intel.com>, Rik van Riel <riel@redhat.com>,
Vitaly Wool <vitalywool@gmail.com>,
David Rientjes <rientjes@google.com>,
Tony Luck <tony.luck@intel.com>,
Andy Lutomirski <luto@kernel.org>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
Brad Spengler <spender@grsecurity.net>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Pekka Enberg <penberg@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Andrew Morton <akpm@linux-foundation.org>,
linuxppc-dev@lists.ozlabs.org,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 4/9] arm64/uaccess: Enable hardened usercopy
Date: Thu, 7 Jul 2016 11:07:18 +0100 [thread overview]
Message-ID: <20160707100717.GB8306@leverpostej> (raw)
In-Reply-To: <1467843928-29351-5-git-send-email-keescook@chromium.org>
Hi,
On Wed, Jul 06, 2016 at 03:25:23PM -0700, Kees Cook wrote:
> Enables CONFIG_HARDENED_USERCOPY checks on arm64. As done by KASAN in -next,
> renames the low-level functions to __arch_copy_*_user() so a static inline
> can do additional work before the copy.
The checks themselves look fine, but as with the KASAN checks, it seems
a shame that this logic is duplicated per arch, integrated in subtly
different ways.
Can we not __arch prefix all the arch uaccess helpers, and place
kasan_check_*() and check_object_size() calls in generic wrappers?
If we're going to update all the arch uaccess helpers anyway, doing that
would make it easier to fix things up, or to add new checks in future.
Thanks,
Mark.
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/arm64/Kconfig | 2 ++
> arch/arm64/include/asm/uaccess.h | 18 ++++++++++++++++--
> arch/arm64/kernel/arm64ksyms.c | 4 ++--
> arch/arm64/lib/copy_from_user.S | 4 ++--
> arch/arm64/lib/copy_to_user.S | 4 ++--
> 5 files changed, 24 insertions(+), 8 deletions(-)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 5a0a691d4220..b771cd97f74b 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -51,10 +51,12 @@ config ARM64
> select HAVE_ALIGNED_STRUCT_PAGE if SLUB
> select HAVE_ARCH_AUDITSYSCALL
> select HAVE_ARCH_BITREVERSE
> + select HAVE_ARCH_HARDENED_USERCOPY
> select HAVE_ARCH_HUGE_VMAP
> select HAVE_ARCH_JUMP_LABEL
> select HAVE_ARCH_KASAN if SPARSEMEM_VMEMMAP && !(ARM64_16K_PAGES && ARM64_VA_BITS_48)
> select HAVE_ARCH_KGDB
> + select HAVE_ARCH_LINEAR_KERNEL_MAPPING
> select HAVE_ARCH_MMAP_RND_BITS
> select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
> select HAVE_ARCH_SECCOMP_FILTER
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index 9e397a542756..6d0f86300936 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -256,11 +256,25 @@ do { \
> -EFAULT; \
> })
>
> -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
> -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
> +extern unsigned long __must_check __arch_copy_from_user(void *to, const void __user *from, unsigned long n);
> +extern unsigned long __must_check __arch_copy_to_user(void __user *to, const void *from, unsigned long n);
> extern unsigned long __must_check __copy_in_user(void __user *to, const void __user *from, unsigned long n);
> extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
>
> +static inline unsigned long __must_check
> +__copy_from_user(void *to, const void __user *from, unsigned long n)
> +{
> + check_object_size(to, n, false);
> + return __arch_copy_from_user(to, from, n);
> +}
> +
> +static inline unsigned long __must_check
> +__copy_to_user(void __user *to, const void *from, unsigned long n)
> +{
> + check_object_size(from, n, true);
> + return __arch_copy_to_user(to, from, n);
> +}
> +
> static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
> {
> if (access_ok(VERIFY_READ, from, n))
> diff --git a/arch/arm64/kernel/arm64ksyms.c b/arch/arm64/kernel/arm64ksyms.c
> index 678f30b05a45..2dc44406a7ad 100644
> --- a/arch/arm64/kernel/arm64ksyms.c
> +++ b/arch/arm64/kernel/arm64ksyms.c
> @@ -34,8 +34,8 @@ EXPORT_SYMBOL(copy_page);
> EXPORT_SYMBOL(clear_page);
>
> /* user mem (segment) */
> -EXPORT_SYMBOL(__copy_from_user);
> -EXPORT_SYMBOL(__copy_to_user);
> +EXPORT_SYMBOL(__arch_copy_from_user);
> +EXPORT_SYMBOL(__arch_copy_to_user);
> EXPORT_SYMBOL(__clear_user);
> EXPORT_SYMBOL(__copy_in_user);
>
> diff --git a/arch/arm64/lib/copy_from_user.S b/arch/arm64/lib/copy_from_user.S
> index 17e8306dca29..0b90497d4424 100644
> --- a/arch/arm64/lib/copy_from_user.S
> +++ b/arch/arm64/lib/copy_from_user.S
> @@ -66,7 +66,7 @@
> .endm
>
> end .req x5
> -ENTRY(__copy_from_user)
> +ENTRY(__arch_copy_from_user)
> ALTERNATIVE("nop", __stringify(SET_PSTATE_PAN(0)), ARM64_ALT_PAN_NOT_UAO, \
> CONFIG_ARM64_PAN)
> add end, x0, x2
> @@ -75,7 +75,7 @@ ALTERNATIVE("nop", __stringify(SET_PSTATE_PAN(1)), ARM64_ALT_PAN_NOT_UAO, \
> CONFIG_ARM64_PAN)
> mov x0, #0 // Nothing to copy
> ret
> -ENDPROC(__copy_from_user)
> +ENDPROC(__arch_copy_from_user)
>
> .section .fixup,"ax"
> .align 2
> diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S
> index 21faae60f988..7a7efe255034 100644
> --- a/arch/arm64/lib/copy_to_user.S
> +++ b/arch/arm64/lib/copy_to_user.S
> @@ -65,7 +65,7 @@
> .endm
>
> end .req x5
> -ENTRY(__copy_to_user)
> +ENTRY(__arch_copy_to_user)
> ALTERNATIVE("nop", __stringify(SET_PSTATE_PAN(0)), ARM64_ALT_PAN_NOT_UAO, \
> CONFIG_ARM64_PAN)
> add end, x0, x2
> @@ -74,7 +74,7 @@ ALTERNATIVE("nop", __stringify(SET_PSTATE_PAN(1)), ARM64_ALT_PAN_NOT_UAO, \
> CONFIG_ARM64_PAN)
> mov x0, #0
> ret
> -ENDPROC(__copy_to_user)
> +ENDPROC(__arch_copy_to_user)
>
> .section .fixup,"ax"
> .align 2
> --
> 2.7.4
>
>
> _______________________________________________
> linux-arm-kernel mailing list
> linux-arm-kernel@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
>
next prev parent reply other threads:[~2016-07-07 10:07 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-06 22:25 [PATCH 0/9] mm: Hardened usercopy Kees Cook
2016-07-06 22:25 ` [PATCH 1/9] " Kees Cook
2016-07-07 5:37 ` Baruch Siach
2016-07-07 17:25 ` Kees Cook
2016-07-07 18:35 ` Baruch Siach
2016-07-07 7:42 ` Thomas Gleixner
2016-07-07 17:29 ` Kees Cook
2016-07-07 19:34 ` Thomas Gleixner
2016-07-07 8:01 ` Arnd Bergmann
2016-07-07 17:37 ` Kees Cook
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 9:22 ` Arnd Bergmann
2016-07-07 16:19 ` Rik van Riel
2016-07-07 16:35 ` Rik van Riel
2016-07-07 17:41 ` Kees Cook
2016-07-06 22:25 ` [PATCH 2/9] x86/uaccess: Enable hardened usercopy Kees Cook
2016-07-06 22:25 ` [PATCH 3/9] ARM: uaccess: " Kees Cook
2016-07-06 22:25 ` [PATCH 4/9] arm64/uaccess: " Kees Cook
2016-07-07 10:07 ` Mark Rutland [this message]
2016-07-07 17:19 ` Kees Cook
2016-07-06 22:25 ` [PATCH 5/9] ia64/uaccess: " Kees Cook
2016-07-06 22:25 ` [PATCH 6/9] powerpc/uaccess: " Kees Cook
2016-07-06 22:25 ` [PATCH 7/9] sparc/uaccess: " Kees Cook
2016-07-06 22:25 ` [PATCH 8/9] mm: SLAB hardened usercopy support Kees Cook
2016-07-06 22:25 ` [PATCH 9/9] mm: SLUB " Kees Cook
2016-07-07 4:35 ` Michael Ellerman
[not found] ` <577ddc18.d351190a.1fa54.ffffbe79SMTPIN_ADDED_BROKEN@mx.google.com>
2016-07-07 18:56 ` [kernel-hardening] " Kees Cook
2016-07-08 10:19 ` Michael Ellerman
2016-07-08 13:45 ` Christoph Lameter
2016-07-08 16:07 ` Kees Cook
2016-07-08 16:20 ` Christoph Lameter
2016-07-08 17:41 ` Kees Cook
2016-07-08 20:48 ` Kees Cook
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
[not found] ` <57809299.84b3370a.5390c.ffff9e58SMTPIN_ADDED_BROKEN@mx.google.com>
2016-07-09 6:17 ` Valdis.Kletnieks
2016-07-09 17:07 ` Kees Cook
2016-07-11 6:08 ` Joonsoo Kim
2016-07-07 7:30 ` [PATCH 0/9] mm: Hardened usercopy Christian Borntraeger
2016-07-07 17:27 ` Kees Cook
2016-07-08 8:46 ` Ingo Molnar
2016-07-08 16:19 ` Linus Torvalds
2016-07-08 18:23 ` Ingo Molnar
2016-07-09 2:22 ` Laura Abbott
2016-07-09 2:44 ` Rik van Riel
2016-07-09 7:55 ` Ingo Molnar
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 12:58 ` Laura Abbott
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:01 ` Kees Cook
2016-07-09 21:27 ` Andy Lutomirski
2016-07-09 23:16 ` PaX Team
2016-07-10 9:16 ` Ingo Molnar
2016-07-10 12:03 ` PaX Team
2016-07-10 12:38 ` Andy Lutomirski
2016-07-11 18:40 ` Kees Cook
2016-07-11 18:34 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160707100717.GB8306@leverpostej \
--to=mark.rutland@arm.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=bp@suse.de \
--cc=casey@schaufler-ca.com \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=fenghua.yu@intel.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@fedoraproject.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luto@kernel.org \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=sparclinux@vger.kernel.org \
--cc=spender@grsecurity.net \
--cc=tony.luck@intel.com \
--cc=vitalywool@gmail.com \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).