linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Christoph Hellwig <hch@lst.de>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Christoph Hellwig <hch@lst.de>, Nick Hu <nickhu@andestech.com>,
	Greentime Hu <green.hu@gmail.com>,
	Vincent Chen <deanbo422@gmail.com>,
	Paul Walmsley <paul.walmsley@sifive.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-riscv@lists.infradead.org, linux-arch@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check
Date: Tue, 21 Jul 2020 06:58:34 +0200	[thread overview]
Message-ID: <20200721045834.GA9613@lst.de> (raw)
In-Reply-To: <20200720221046.GA86726@roeck-us.net>

On Mon, Jul 20, 2020 at 03:10:46PM -0700, Guenter Roeck wrote:
> I had another look into the code. Right after this patch, I see
> 
> #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
> 
> Yet, this patch is:
> 
> -       if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
> +       if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
> 
> So there is a negation in the condition. Indeed, the following change
> on top of next-20200720 fixes the problem for mps2-an385.
> 
> -       if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
> +       if (CHECK_DATA_CORRUPTION(!uaccess_kernel(),
> 
> How does this work anywhere ?

No, that is the wrong check - we want to make sure the address
space override doesn't leak to userspace.  The problem is that
armnommu (and m68knommu, but that doesn't call the offending
function) pretends to not have a kernel address space, which doesn't
really work.  Here is the fix I sent out yesterday, which I should
have Cc'ed you on, sorry:

---
From 2bb889b2d99a2d978e90640ade8fe02359287092 Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Mon, 20 Jul 2020 17:46:50 +0200
Subject: arm: don't call addr_limit_user_check for nommu

On arm nommu kernel use the same constant for USER_DS and KERNEL_DS,
and seqment_eq always returns false.  With the current check in
addr_limit_user_check that works by accident, but when replacing
seqment_eq with uaccess_kerne it will fail.  Just remove the not
needed check entirely.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reported-by: Guenter Roeck <linux@roeck-us.net>
---
 arch/arm/kernel/signal.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
index ab2568996ddb0c..c9dc912b83f012 100644
--- a/arch/arm/kernel/signal.c
+++ b/arch/arm/kernel/signal.c
@@ -713,7 +713,9 @@ struct page *get_signal_page(void)
 /* Defer to generic check */
 asmlinkage void addr_limit_check_failed(void)
 {
+#ifdef CONFIG_MMU
 	addr_limit_user_check();
+#endif
 }
 
 #ifdef CONFIG_DEBUG_RSEQ
-- 
2.27.0


  reply	other threads:[~2020-07-21  4:58 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-14 10:54 clean up address limit helpers v2 Christoph Hellwig
2020-07-14 10:55 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig
2020-07-18  1:38   ` Guenter Roeck
2020-07-18  9:48     ` Christoph Hellwig
2020-07-18 14:54       ` Guenter Roeck
2020-07-20 10:01         ` Christoph Hellwig
2020-07-20 14:55           ` Guenter Roeck
2020-07-20 15:28             ` Peter Maydell
2020-07-20 22:10       ` Guenter Roeck
2020-07-21  4:58         ` Christoph Hellwig [this message]
2020-07-21  5:15           ` Guenter Roeck
2020-07-21  5:20             ` Christoph Hellwig
2020-07-21  5:30               ` Guenter Roeck
2020-07-21  5:35                 ` Christoph Hellwig
2020-07-14 10:55 ` [PATCH 2/6] nds32: use uaccess_kernel in show_regs Christoph Hellwig
2020-07-14 10:55 ` [PATCH 3/6] riscv: include <asm/pgtable.h> in <asm/uaccess.h> Christoph Hellwig
2020-07-14 10:55 ` [PATCH 4/6] uaccess: remove segment_eq Christoph Hellwig
2020-07-14 15:27   ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 5/6] uaccess: add force_uaccess_{begin,end} helpers Christoph Hellwig
2020-07-14 15:29   ` Linus Torvalds
2020-07-14 10:55 ` [PATCH 6/6] exec: use force_uaccess_begin during exec and exit Christoph Hellwig
2020-07-15  3:33   ` Eric W. Biederman
2020-07-15  6:06     ` Christoph Hellwig
2020-07-16 23:49 ` clean up address limit helpers v2 Andrew Morton
2020-07-17  6:06   ` Christoph Hellwig
2020-07-20 15:54 ` [PATCH 0/6] arm: don't call addr_limit_user_check for nommu Christoph Hellwig
  -- strict thread matches above, loose matches on Subject: below --
2020-07-10 13:57 clean up address limit helpers Christoph Hellwig
2020-07-10 13:57 ` [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200721045834.GA9613@lst.de \
    --to=hch@lst.de \
    --cc=akpm@linux-foundation.org \
    --cc=deanbo422@gmail.com \
    --cc=green.hu@gmail.com \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=linux@roeck-us.net \
    --cc=nickhu@andestech.com \
    --cc=palmer@dabbelt.com \
    --cc=paul.walmsley@sifive.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).