* [patch v2 0/2] x86/dumpstack: Prevent access to foreign tasks user space @ 2020-11-17 20:23 Thomas Gleixner 2020-11-17 20:23 ` [patch v2 1/2] x86/dumpstack: Dont try to access user space code of other tasks Thomas Gleixner 2020-11-17 20:23 ` [patch v2 2/2] x86/uaccess: Document copy_from_user_nmi() Thomas Gleixner 0 siblings, 2 replies; 5+ messages in thread From: Thomas Gleixner @ 2020-11-17 20:23 UTC (permalink / raw) To: LKML; +Cc: Oleg Nesterov, Mark Mossberg, Ingo Molnar, X86 ML, Jann Horn, kyin This is the second version of the patch to prevent access to a foreign tasks user space in copy_code(). It addresses the review comments from Boris and adds a new patch which provides documentation for copy_from_user_nmi() to avoid further confusion about it's usage. V1 can be found here: https://lore.kernel.org/r/87blfxx8ps.fsf@nanos.tec.linutronix.de Thanks, tglx ^ permalink raw reply [flat|nested] 5+ messages in thread
* [patch v2 1/2] x86/dumpstack: Dont try to access user space code of other tasks 2020-11-17 20:23 [patch v2 0/2] x86/dumpstack: Prevent access to foreign tasks user space Thomas Gleixner @ 2020-11-17 20:23 ` Thomas Gleixner 2020-11-18 12:20 ` [tip: x86/urgent] x86/dumpstack: Do not " tip-bot2 for Thomas Gleixner 2020-11-17 20:23 ` [patch v2 2/2] x86/uaccess: Document copy_from_user_nmi() Thomas Gleixner 1 sibling, 1 reply; 5+ messages in thread From: Thomas Gleixner @ 2020-11-17 20:23 UTC (permalink / raw) To: LKML Cc: Oleg Nesterov, Mark Mossberg, Ingo Molnar, X86 ML, Jann Horn, kyin, Borislav Petkov sysrq-t ends up invoking show_opcodes() for each task which tries to access the user space code of other processes which is obviously bogus. It either manages to dump where the foreign tasks regs->ip points to in a valid mapping of the current task or triggers a pagefault and prints "Code: Bad RIP value.". Both is just wrong. Add a safeguard in copy_code() and check whether the @regs pointer matches currents pt_regs. If not, do not even try to access it. While at it, add commentary why using copy_from_user_nmi() is safe in copy_code() even if the function name suggests otherwise. Reported-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Borislav Petkov <bp@suse.de> Tested-by: Borislav Petkov <bp@suse.de> Acked-by: Oleg Nesterov <oleg@redhat.com> Link: https://lore.kernel.org/r/87blfxx8ps.fsf@nanos.tec.linutronix.de --- V2: Fixed changelog, comment and Reported-by attribution (Boris) --- arch/x86/kernel/dumpstack.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -78,6 +78,9 @@ static int copy_code(struct pt_regs *reg if (!user_mode(regs)) return copy_from_kernel_nofault(buf, (u8 *)src, nbytes); + /* The user space code from other tasks cannot be accessed. */ + if (regs != task_pt_regs(current)) + return -EPERM; /* * Make sure userspace isn't trying to trick us into dumping kernel * memory by pointing the userspace instruction pointer at it. @@ -85,6 +88,12 @@ static int copy_code(struct pt_regs *reg if (__chk_range_not_ok(src, nbytes, TASK_SIZE_MAX)) return -EINVAL; + /* + * Even if named copy_from_user_nmi() this can be invoked from + * other contexts and will not try to resolve a pagefault, which is + * the correct thing to do here as this code can be called from any + * context. + */ return copy_from_user_nmi(buf, (void __user *)src, nbytes); } @@ -115,13 +124,19 @@ void show_opcodes(struct pt_regs *regs, u8 opcodes[OPCODE_BUFSIZE]; unsigned long prologue = regs->ip - PROLOGUE_SIZE; - if (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { - printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", - loglvl, prologue); - } else { + switch (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { + case 0: printk("%sCode: %" __stringify(PROLOGUE_SIZE) "ph <%02x> %" __stringify(EPILOGUE_SIZE) "ph\n", loglvl, opcodes, opcodes[PROLOGUE_SIZE], opcodes + PROLOGUE_SIZE + 1); + break; + case -EPERM: + /* No access to the user space stack of other tasks. Ignore. */ + break; + default: + printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", + loglvl, prologue); + break; } } ^ permalink raw reply [flat|nested] 5+ messages in thread
* [tip: x86/urgent] x86/dumpstack: Do not try to access user space code of other tasks 2020-11-17 20:23 ` [patch v2 1/2] x86/dumpstack: Dont try to access user space code of other tasks Thomas Gleixner @ 2020-11-18 12:20 ` tip-bot2 for Thomas Gleixner 0 siblings, 0 replies; 5+ messages in thread From: tip-bot2 for Thomas Gleixner @ 2020-11-18 12:20 UTC (permalink / raw) To: linux-tip-commits Cc: Oleg Nesterov, Thomas Gleixner, Borislav Petkov, x86, linux-kernel The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 860aaabac8235cfde10fe556aa82abbbe3117888 Gitweb: https://git.kernel.org/tip/860aaabac8235cfde10fe556aa82abbbe3117888 Author: Thomas Gleixner <tglx@linutronix.de> AuthorDate: Tue, 17 Nov 2020 21:23:34 +01:00 Committer: Borislav Petkov <bp@suse.de> CommitterDate: Wed, 18 Nov 2020 12:56:29 +01:00 x86/dumpstack: Do not try to access user space code of other tasks sysrq-t ends up invoking show_opcodes() for each task which tries to access the user space code of other processes, which is obviously bogus. It either manages to dump where the foreign task's regs->ip points to in a valid mapping of the current task or triggers a pagefault and prints "Code: Bad RIP value.". Both is just wrong. Add a safeguard in copy_code() and check whether the @regs pointer matches currents pt_regs. If not, do not even try to access it. While at it, add commentary why using copy_from_user_nmi() is safe in copy_code() even if the function name suggests otherwise. Reported-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Borislav Petkov <bp@suse.de> Acked-by: Oleg Nesterov <oleg@redhat.com> Tested-by: Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/20201117202753.667274723@linutronix.de --- arch/x86/kernel/dumpstack.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c index 25c06b6..97aa900 100644 --- a/arch/x86/kernel/dumpstack.c +++ b/arch/x86/kernel/dumpstack.c @@ -78,6 +78,9 @@ static int copy_code(struct pt_regs *regs, u8 *buf, unsigned long src, if (!user_mode(regs)) return copy_from_kernel_nofault(buf, (u8 *)src, nbytes); + /* The user space code from other tasks cannot be accessed. */ + if (regs != task_pt_regs(current)) + return -EPERM; /* * Make sure userspace isn't trying to trick us into dumping kernel * memory by pointing the userspace instruction pointer at it. @@ -85,6 +88,12 @@ static int copy_code(struct pt_regs *regs, u8 *buf, unsigned long src, if (__chk_range_not_ok(src, nbytes, TASK_SIZE_MAX)) return -EINVAL; + /* + * Even if named copy_from_user_nmi() this can be invoked from + * other contexts and will not try to resolve a pagefault, which is + * the correct thing to do here as this code can be called from any + * context. + */ return copy_from_user_nmi(buf, (void __user *)src, nbytes); } @@ -115,13 +124,19 @@ void show_opcodes(struct pt_regs *regs, const char *loglvl) u8 opcodes[OPCODE_BUFSIZE]; unsigned long prologue = regs->ip - PROLOGUE_SIZE; - if (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { - printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", - loglvl, prologue); - } else { + switch (copy_code(regs, opcodes, prologue, sizeof(opcodes))) { + case 0: printk("%sCode: %" __stringify(PROLOGUE_SIZE) "ph <%02x> %" __stringify(EPILOGUE_SIZE) "ph\n", loglvl, opcodes, opcodes[PROLOGUE_SIZE], opcodes + PROLOGUE_SIZE + 1); + break; + case -EPERM: + /* No access to the user space stack of other tasks. Ignore. */ + break; + default: + printk("%sCode: Unable to access opcode bytes at RIP 0x%lx.\n", + loglvl, prologue); + break; } } ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [patch v2 2/2] x86/uaccess: Document copy_from_user_nmi() 2020-11-17 20:23 [patch v2 0/2] x86/dumpstack: Prevent access to foreign tasks user space Thomas Gleixner 2020-11-17 20:23 ` [patch v2 1/2] x86/dumpstack: Dont try to access user space code of other tasks Thomas Gleixner @ 2020-11-17 20:23 ` Thomas Gleixner 2020-11-18 12:31 ` [tip: x86/cleanups] " tip-bot2 for Thomas Gleixner 1 sibling, 1 reply; 5+ messages in thread From: Thomas Gleixner @ 2020-11-17 20:23 UTC (permalink / raw) To: LKML Cc: Oleg Nesterov, Mark Mossberg, Ingo Molnar, X86 ML, Jann Horn, kyin, Borislav Petkov Document the functionality of copy_from_user_nmi() to avoid further confusion. Fix the typo in the existing comment while at it. Requested-by: Borislav Petkov <bp@alien8.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> --- V2: New patch --- arch/x86/lib/usercopy.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) --- a/arch/x86/lib/usercopy.c +++ b/arch/x86/lib/usercopy.c @@ -9,9 +9,23 @@ #include <asm/tlbflush.h> -/* - * We rely on the nested NMI work to allow atomic faults from the NMI path; the - * nested NMI paths are careful to preserve CR2. +/** + * copy_from_user_nmi - NMI safe copy from user + * @to: Pointer to the destination buffer + * @from: Pointer to a user space address of the current task + * @n: Number of bytes to copy + * + * Returns: The number of not copied bytes. 0 is success, i.e. all bytes copied + * + * Contrary to other copy_from_user() variants this function can be called + * from NMI context. Despite the name it is not restricted to be called + * from NMI context. It is safe to be called from any other context as + * well. It disables pagefaults across the copy which means a fault will + * abort the copy. + * + * For NMI context invocations this relies on the nested NMI work to allow + * atomic faults from the NMI path; the nested NMI paths are careful to + * preserve CR2. */ unsigned long copy_from_user_nmi(void *to, const void __user *from, unsigned long n) @@ -27,7 +41,7 @@ copy_from_user_nmi(void *to, const void /* * Even though this function is typically called from NMI/IRQ context * disable pagefaults so that its behaviour is consistent even when - * called form other contexts. + * called from other contexts. */ pagefault_disable(); ret = __copy_from_user_inatomic(to, from, n); ^ permalink raw reply [flat|nested] 5+ messages in thread
* [tip: x86/cleanups] x86/uaccess: Document copy_from_user_nmi() 2020-11-17 20:23 ` [patch v2 2/2] x86/uaccess: Document copy_from_user_nmi() Thomas Gleixner @ 2020-11-18 12:31 ` tip-bot2 for Thomas Gleixner 0 siblings, 0 replies; 5+ messages in thread From: tip-bot2 for Thomas Gleixner @ 2020-11-18 12:31 UTC (permalink / raw) To: linux-tip-commits; +Cc: Thomas Gleixner, Borislav Petkov, x86, linux-kernel The following commit has been merged into the x86/cleanups branch of tip: Commit-ID: 907f8eb8e0eb2b3312b292e67dc4dbc493424747 Gitweb: https://git.kernel.org/tip/907f8eb8e0eb2b3312b292e67dc4dbc493424747 Author: Thomas Gleixner <tglx@linutronix.de> AuthorDate: Tue, 17 Nov 2020 21:23:35 +01:00 Committer: Borislav Petkov <bp@suse.de> CommitterDate: Wed, 18 Nov 2020 13:19:01 +01:00 x86/uaccess: Document copy_from_user_nmi() Document the functionality of copy_from_user_nmi() to avoid further confusion. Fix the typo in the existing comment while at it. Requested-by: Borislav Petkov <bp@alien8.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Borislav Petkov <bp@suse.de> Link: https://lkml.kernel.org/r/20201117202753.806376613@linutronix.de --- arch/x86/lib/usercopy.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c index 3f435d7..c3e8a62 100644 --- a/arch/x86/lib/usercopy.c +++ b/arch/x86/lib/usercopy.c @@ -9,9 +9,23 @@ #include <asm/tlbflush.h> -/* - * We rely on the nested NMI work to allow atomic faults from the NMI path; the - * nested NMI paths are careful to preserve CR2. +/** + * copy_from_user_nmi - NMI safe copy from user + * @to: Pointer to the destination buffer + * @from: Pointer to a user space address of the current task + * @n: Number of bytes to copy + * + * Returns: The number of not copied bytes. 0 is success, i.e. all bytes copied + * + * Contrary to other copy_from_user() variants this function can be called + * from NMI context. Despite the name it is not restricted to be called + * from NMI context. It is safe to be called from any other context as + * well. It disables pagefaults across the copy which means a fault will + * abort the copy. + * + * For NMI context invocations this relies on the nested NMI work to allow + * atomic faults from the NMI path; the nested NMI paths are careful to + * preserve CR2. */ unsigned long copy_from_user_nmi(void *to, const void __user *from, unsigned long n) @@ -27,7 +41,7 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n) /* * Even though this function is typically called from NMI/IRQ context * disable pagefaults so that its behaviour is consistent even when - * called form other contexts. + * called from other contexts. */ pagefault_disable(); ret = __copy_from_user_inatomic(to, from, n); ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-11-18 12:31 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-11-17 20:23 [patch v2 0/2] x86/dumpstack: Prevent access to foreign tasks user space Thomas Gleixner 2020-11-17 20:23 ` [patch v2 1/2] x86/dumpstack: Dont try to access user space code of other tasks Thomas Gleixner 2020-11-18 12:20 ` [tip: x86/urgent] x86/dumpstack: Do not " tip-bot2 for Thomas Gleixner 2020-11-17 20:23 ` [patch v2 2/2] x86/uaccess: Document copy_from_user_nmi() Thomas Gleixner 2020-11-18 12:31 ` [tip: x86/cleanups] " tip-bot2 for Thomas Gleixner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).