From: Will Deacon <will@kernel.org>
To: Evgenii Stepanov <eugenis@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Linux Memory Management List <linux-mm@kvack.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Florian Weimer <fweimer@redhat.com>,
Victor Stinner <vstinner@redhat.com>
Subject: Re: [PATCH] mm: Avoid creating virtual address aliases in brk()/mmap()/mremap()
Date: Wed, 19 Feb 2020 10:39:28 +0000 [thread overview]
Message-ID: <20200219103927.GB16824@willie-the-truck> (raw)
In-Reply-To: <CAFKCwrhysxATNaPWQR9Nn-P1+ngBMXauPUuEdpaYRgKZH0XV7Q@mail.gmail.com>
On Tue, Feb 18, 2020 at 01:05:14PM -0800, Evgenii Stepanov wrote:
> On Tue, Feb 18, 2020 at 5:07 AM Andrey Konovalov <andreyknvl@google.com> wrote:
> >
> > On Tue, Feb 18, 2020 at 1:34 PM Will Deacon <will@kernel.org> wrote:
> > >
> > > On Tue, Feb 18, 2020 at 12:23:10PM +0000, Catalin Marinas wrote:
> > > > Currently the arm64 kernel ignores the top address byte passed to brk(),
> > > > mmap() and mremap(). When the user is not aware of the 56-bit address
> > > > limit or relies on the kernel to return an error, untagging such
> > > > pointers has the potential to create address aliases in user-space.
> > > > Passing a tagged address to munmap(), madvise() is permitted since the
> > > > tagged pointer is expected to be inside an existing mapping.
> > >
> > > Might be worth mentioning that this is causing real issues for existing
> > > userspace:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1797052
> > >
> > > and so should be merged as a fix.
> > >
> > > > Remove untagging in the above functions by partially reverting commit
> > > > ce18d171cb73 ("mm: untag user pointers in mmap/munmap/mremap/brk"). In
> > > > addition, update the arm64 tagged-address-abi.rst document accordingly.
> >
> > Evgenii, do you know if this will cause any issues for HWASAN?
>
> Is it possible to preserve the untagging behavior when a process has
> opted in TBI?
It's /possible/, but without a concrete need I'm not keen to special case
mmap() like this. "Avoid aliasing user addresses" is an enforceable rule
across all system calls and is easily documented as such, so I'd prefer
to start from that position and only add exceptions where they are really
needed. That clearly doesn't preclude adding them later on with an extension
to the current prctl() controls.
> I have not seen an actual issue with a tagged pointer in mmap yet
> (I've seen two with mprotect, but not mmap or sbrk), so we should be
> fine either way.
Right, and we're leaving mprotect() and madvise() as they were.
Will
next prev parent reply other threads:[~2020-02-19 10:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-18 12:23 Catalin Marinas
2020-02-18 12:34 ` Will Deacon
2020-02-18 13:06 ` Andrey Konovalov
2020-02-18 13:07 ` Andrey Konovalov
2020-02-18 21:05 ` Evgenii Stepanov
2020-02-19 10:39 ` Will Deacon [this message]
2020-02-19 12:18 ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200219103927.GB16824@willie-the-truck \
--to=will@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=catalin.marinas@arm.com \
--cc=eugenis@google.com \
--cc=fweimer@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=szabolcs.nagy@arm.com \
--cc=vstinner@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox