From: David Laight <David.Laight@ACULAB.COM>
To: 'Mark Rutland' <mark.rutland@arm.com>,
Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
"x86@kernel.org" <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Will Deacon <will@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
"Waiman Long" <longman@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Andy Lutomirski <luto@kernel.org>, Christoph Hellwig <hch@lst.de>,
"Borislav Petkov" <bp@alien8.de>
Subject: RE: [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation
Date: Wed, 5 May 2021 14:49:53 +0000 [thread overview]
Message-ID: <ae4ca10422824546bca3a184a280a308@AcuMS.aculab.com> (raw)
In-Reply-To: <20210505142542.GC5605@C02TD0UTHF1T.local>
From: Mark Rutland
> Sent: 05 May 2021 15:26
...
> > +/*
> > + * Sanitize a user pointer such that it becomes NULL if it's not a valid user
> > + * pointer. This prevents speculatively dereferencing a user-controlled
> > + * pointer to kernel space if access_ok() speculatively returns true. This
> > + * should be done *after* access_ok(), to avoid affecting error handling
> > + * behavior.
> > + */
> > +#define mask_user_ptr(ptr) \
> > +({ \
> > + unsigned long _ptr = (__force unsigned long)ptr; \
> > + unsigned long mask; \
> > + \
> > + asm volatile("cmp %[max], %[_ptr]\n\t" \
> > + "sbb %[mask], %[mask]\n\t" \
> > + : [mask] "=r" (mask) \
> > + : [_ptr] "r" (_ptr), \
> > + [max] "r" (TASK_SIZE_MAX) \
> > + : "cc"); \
> > + \
> > + mask &= _ptr; \
> > + ((typeof(ptr)) mask); \
> > +})
>
> On arm64 we needed to have a sequence here because the addr_limit used
> to be variable, but now that we've removed set_fs() and split the
> user/kernel access routines we could simplify that to an AND with an
> immediate mask to force all pointers into the user half of the address
> space. IIUC x86_64 could do the same, and I think that was roughly what
> David was suggesting.
Something like that :-)
For 64bit you can either unconditionally mask the user address
(to clear a few high bits) or mask with a calculated value
if the address is invalid.
The former is almost certainly better.
The other thing is that a valid length has to be less than
the TASK_SIZE_MAX.
Provided there are 2 zero bits at the top of every user address
you can check 'addr | size < limit' and know that 'addr + size'
won't wrap into kernel space.
32bit is more difficult.
User addresses (probably) go up to 0xc0000000 and the kernel
starts (almost) immediately.
If you never map a 4k page on one side of the boundary then
you only need to check the base address provided the user buffer
is less than 4k, or the accesses are guaranteed to be sequential.
While the full window test isn't that complicated ignoring the
length will remove some code - especially for hot paths that
use __get_user() to access a fixed size structure
> That does mean that you could still speculatively access user memory
> erroneously other than to NULL, but that's also true for speculated
> pointers below TASK_SIZE_MAX when using the more complex sequence.
True, but there are almost certainly easier ways to speculatively
access user addresses than passing a kernel alias of the address
into a system call!
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
next prev parent reply other threads:[~2021-05-05 14:50 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-05 3:54 [PATCH v4 0/4] x86/uaccess: Use pointer masking to limit uaccess speculation Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 1/4] uaccess: Always inline strn*_user() helper functions Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 2/4] uaccess: Fix __user annotations for copy_mc_to_user() Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 3/4] x86/uaccess: Use pointer masking to limit uaccess speculation Josh Poimboeuf
2021-05-05 8:48 ` David Laight
2021-05-05 13:19 ` Josh Poimboeuf
2021-05-05 13:51 ` David Laight
2021-05-05 18:32 ` Linus Torvalds
2021-05-06 7:57 ` David Laight
2021-05-05 14:25 ` Mark Rutland
2021-05-05 14:48 ` Josh Poimboeuf
2021-05-05 14:49 ` David Laight [this message]
2021-05-05 15:45 ` Mark Rutland
2021-05-05 16:55 ` Andy Lutomirski
2021-05-06 8:36 ` David Laight
2021-05-06 12:05 ` Christoph Hellwig
2021-06-02 17:11 ` Sean Christopherson
2021-06-02 20:11 ` Josh Poimboeuf
2021-05-05 3:54 ` [PATCH v4 4/4] x86/nospec: Remove barrier_nospec() Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae4ca10422824546bca3a184a280a308@AcuMS.aculab.com \
--to=david.laight@aculab.com \
--cc=aarcange@redhat.com \
--cc=andrew.cooper3@citrix.com \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=hch@lst.de \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=longman@redhat.com \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).