From: Christoph Hellwig <hch@lst.de>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Christoph Hellwig <hch@lst.de>, Nick Hu <nickhu@andestech.com>,
Greentime Hu <green.hu@gmail.com>,
Vincent Chen <deanbo422@gmail.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-riscv@lists.infradead.org, linux-arch@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check
Date: Tue, 21 Jul 2020 06:58:34 +0200 [thread overview]
Message-ID: <20200721045834.GA9613@lst.de> (raw)
In-Reply-To: <20200720221046.GA86726@roeck-us.net>
On Mon, Jul 20, 2020 at 03:10:46PM -0700, Guenter Roeck wrote:
> I had another look into the code. Right after this patch, I see
>
> #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
>
> Yet, this patch is:
>
> - if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
> + if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
>
> So there is a negation in the condition. Indeed, the following change
> on top of next-20200720 fixes the problem for mps2-an385.
>
> - if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
> + if (CHECK_DATA_CORRUPTION(!uaccess_kernel(),
>
> How does this work anywhere ?
No, that is the wrong check - we want to make sure the address
space override doesn't leak to userspace. The problem is that
armnommu (and m68knommu, but that doesn't call the offending
function) pretends to not have a kernel address space, which doesn't
really work. Here is the fix I sent out yesterday, which I should
have Cc'ed you on, sorry:
---
From 2bb889b2d99a2d978e90640ade8fe02359287092 Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Mon, 20 Jul 2020 17:46:50 +0200
Subject: arm: don't call addr_limit_user_check for nommu
On arm nommu kernel use the same constant for USER_DS and KERNEL_DS,
and seqment_eq always returns false. With the current check in
addr_limit_user_check that works by accident, but when replacing
seqment_eq with uaccess_kerne it will fail. Just remove the not
needed check entirely.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reported-by: Guenter Roeck <linux@roeck-us.net>
---
arch/arm/kernel/signal.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index ab2568996ddb0c..c9dc912b83f012 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -713,7 +713,9 @@ struct page *get_signal_page(void)
/* Defer to generic check */
asmlinkage void addr_limit_check_failed(void)
{
+#ifdef CONFIG_MMU
addr_limit_user_check();
+#endif
}
#ifdef CONFIG_DEBUG_RSEQ
--
2.27.0
next prev parent reply other threads:[~2020-07-21 4:58 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 10:54 clean up address limit helpers v2 Christoph Hellwig
2020-07-14 10:55 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
2020-07-18 1:38 ` Guenter Roeck
2020-07-18 9:48 ` Christoph Hellwig
2020-07-18 14:54 ` Guenter Roeck
2020-07-20 10:01 ` Christoph Hellwig
2020-07-20 14:55 ` Guenter Roeck
2020-07-20 15:28 ` Peter Maydell
2020-07-20 22:10 ` Guenter Roeck
2020-07-21 4:58 ` Christoph Hellwig [this message]
2020-07-21 5:15 ` Guenter Roeck
2020-07-21 5:20 ` Christoph Hellwig
2020-07-21 5:30 ` Guenter Roeck
2020-07-21 5:35 ` Christoph Hellwig
2020-07-14 10:55 ` [PATCH 2/6] nds32: use uaccess_kernel in show_regs Christoph Hellwig
2020-07-14 10:55 ` [PATCH 3/6] riscv: include <asm/pgtable.h> in <asm/uaccess.h> Christoph Hellwig
2020-07-14 10:55 ` [PATCH 4/6] uaccess: remove segment_eq Christoph Hellwig
2020-07-14 15:27 ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 5/6] uaccess: add force_uaccess_{begin,end} helpers Christoph Hellwig
2020-07-14 15:29 ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 6/6] exec: use force_uaccess_begin during exec and exit Christoph Hellwig
2020-07-15 3:33 ` Eric W. Biederman
2020-07-15 6:06 ` Christoph Hellwig
2020-07-16 23:49 ` clean up address limit helpers v2 Andrew Morton
2020-07-17 6:06 ` Christoph Hellwig
2020-07-20 15:54 ` [PATCH 0/6] arm: don't call addr_limit_user_check for nommu Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2020-07-10 13:57 clean up address limit helpers Christoph Hellwig
2020-07-10 13:57 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200721045834.GA9613@lst.de \
--to=hch@lst.de \
--cc=akpm@linux-foundation.org \
--cc=deanbo422@gmail.com \
--cc=green.hu@gmail.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux@roeck-us.net \
--cc=nickhu@andestech.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).