From: Andy Lutomirski <luto@amacapital.net>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
"H. Peter Anvin" <hpa@zytor.com>,
Julien Thierry <julien.thierry@arm.com>,
Will Deacon <will.deacon@arm.com>, Ingo Molnar <mingo@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
James Morse <james.morse@arm.com>,
valentin.schneider@arm.com, Brian Gerst <brgerst@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrew Lutomirski <luto@kernel.org>,
Borislav Petkov <bp@alien8.de>,
Denys Vlasenko <dvlasenk@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 5/6] objtool: Add UACCESS validation
Date: Mon, 25 Feb 2019 07:53:01 -0800 [thread overview]
Message-ID: <CALCETrW1_r=Qgbpiq8PsYYD11W7CwAS-UCAxzvvubJnMAHH2Dg@mail.gmail.com> (raw)
In-Reply-To: <20190225125232.191698923@infradead.org>
On Mon, Feb 25, 2019 at 4:53 AM Peter Zijlstra <peterz@infradead.org> wrote:
>
> It is important that UACCESS regions are as small as possible;
> furthermore the UACCESS state is not scheduled, so doing anything that
> might directly call into the scheduler will cause random code to be
> ran with UACCESS enabled.
>
> Teach objtool too track UACCESS state and warn about any CALL made
> while UACCESS is enabled. This very much includes the __fentry__()
> tracing calls and __preempt_schedule() calls.
>
> Note that exceptions _do_ save/restore the UACCESS state, and therefore
> they can drive preemption. This also means that all exception handlers
> must have an otherwise dedundant UACCESS disable instruction;
> therefore ignore this warning for !STT_FUNC code (exception handlers
> are not normal functions).
>
> It also provides a UACCESS_SAFE() annotation which allows explicit
> annotation. This is meant to be used for future things like:
> unsafe_copy_{to,from}_user().
>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> ---
> include/linux/frame.h | 30 +++++++++++-
> tools/objtool/arch.h | 4 +
> tools/objtool/arch/x86/decode.c | 14 +++++
> tools/objtool/check.c | 100 ++++++++++++++++++++++++++++++++++++----
> tools/objtool/check.h | 2
> tools/objtool/elf.h | 1
> 6 files changed, 138 insertions(+), 13 deletions(-)
>
> --- a/include/linux/frame.h
> +++ b/include/linux/frame.h
> @@ -28,10 +28,38 @@ asm (".pushsection .discard.nonstd_frame
> ".byte 0\n\t"
> ".popsection\n\t");
>
> +/*
> + * This macro marks functions as UACCESS-safe, that is, it is safe to call from an
> + * UACCESS enabled region (typically user_access_begin() /
> + * user_access_end()).
> + *
> + * These functions in turn will only call UACCESS-safe functions themselves (which
> + * precludes tracing, including __fentry__ and scheduling, including
> + * preempt_enable).
> + *
> + * UACCESS-safe functions will obviously also not change UACCESS themselves.
> + */
> +#define UACCESS_SAFE(func) \
> + asm (".pushsection .discard.uaccess_safe_strtab, \"S\", @3\n\t" \
> + "999: .ascii \"" #func "\"\n\t" \
> + " .byte 0\n\t" \
> + ".popsection\n\t" \
> + ".pushsection .discard.uaccess_safe\n\t" \
> + ".long 999b - .\n\t" \
> + ".popsection")
Minor nit: using big numbers like 999: like this always bugs me. It
relies on there not being a macro nested inside or outside this that
uses the same number. My general preference is to do something like
.Ldescription_\@ instead.
Otherwise this looks conceptually good :)
next prev parent reply other threads:[~2019-02-25 15:53 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-25 12:43 [PATCH 0/6] objtool: UACCESS validation Peter Zijlstra
2019-02-25 12:43 ` [PATCH 1/6] x86/uaccess: Dont evaluate argument inside AC region Peter Zijlstra
2019-02-25 15:43 ` Andy Lutomirski
2019-02-25 16:02 ` Peter Zijlstra
2019-02-25 16:36 ` Borislav Petkov
2019-02-25 16:50 ` Andy Lutomirski
2019-02-25 19:09 ` Linus Torvalds
2019-02-25 19:18 ` Borislav Petkov
2019-02-25 18:10 ` [tip:x86/urgent] x86/uaccess: Don't leak the AC flag into __put_user() value evaluation tip-bot for Andy Lutomirski
2019-02-25 19:46 ` tip-bot for Andy Lutomirski
2019-02-25 12:43 ` [PATCH 2/6] x86/ia32: Fix ia32_restore_sigcontext AC leak Peter Zijlstra
2019-02-25 15:41 ` Andy Lutomirski
2019-02-25 16:10 ` Peter Zijlstra
2019-02-25 16:29 ` Andy Lutomirski
2019-02-25 16:37 ` Peter Zijlstra
2019-02-25 16:41 ` Peter Zijlstra
2019-02-25 16:49 ` Andy Lutomirski
2019-02-25 12:43 ` [PATCH 3/6] objtool: Set insn->func for alternatives Peter Zijlstra
2019-02-25 12:43 ` [PATCH 4/6] objtool: Replace STACK_FRAME_NON_STANDARD annotation Peter Zijlstra
2019-02-25 16:11 ` Josh Poimboeuf
2019-02-25 16:17 ` Peter Zijlstra
2019-02-25 16:23 ` Josh Poimboeuf
2019-02-27 12:20 ` Peter Zijlstra
2019-02-28 0:30 ` Andy Lutomirski
2019-02-25 12:43 ` [PATCH 5/6] objtool: Add UACCESS validation Peter Zijlstra
2019-02-25 15:53 ` Andy Lutomirski [this message]
2019-02-25 16:12 ` Peter Zijlstra
2019-02-25 17:15 ` Peter Zijlstra
2019-02-25 17:34 ` Linus Torvalds
2019-02-25 17:38 ` Josh Poimboeuf
2019-02-27 14:08 ` Peter Zijlstra
2019-02-27 14:17 ` Andrey Ryabinin
2019-02-27 14:26 ` Peter Zijlstra
2019-02-27 14:33 ` Peter Zijlstra
2019-02-27 15:40 ` Dmitry Vyukov
2019-02-27 17:28 ` Peter Zijlstra
2019-02-28 9:40 ` Peter Zijlstra
2019-02-28 9:59 ` Dmitry Vyukov
2019-02-28 10:05 ` Dmitry Vyukov
2019-02-28 10:52 ` Peter Zijlstra
2019-02-27 16:18 ` Linus Torvalds
2019-02-27 17:30 ` Peter Zijlstra
2019-02-27 17:36 ` Linus Torvalds
2019-02-25 12:43 ` [PATCH 6/6] objtool: Add Direction Flag validation Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrW1_r=Qgbpiq8PsYYD11W7CwAS-UCAxzvvubJnMAHH2Dg@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=dvlasenk@redhat.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jpoimboe@redhat.com \
--cc=julien.thierry@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=valentin.schneider@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).