From: Christophe Leroy <christophe.leroy@c-s.fr>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>,
airlied@linux.ie, daniel@ffwll.ch, torvalds@linux-foundation.org,
akpm@linux-foundation.org, keescook@chromium.org, hpa@zytor.com,
linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-mm@kvack.org, linux-arch@vger.kernel.org,
Russell King <linux@armlinux.org.uk>,
Christian Borntraeger <borntraeger@de.ibm.com>
Subject: Re: [PATCH RESEND 1/4] uaccess: Add user_read_access_begin/end and user_write_access_begin/end
Date: Thu, 2 Apr 2020 19:03:28 +0200 [thread overview]
Message-ID: <67e21b65-0e2d-7ca5-7518-cec1b7abc46c@c-s.fr> (raw)
In-Reply-To: <20200402162942.GG23230@ZenIV.linux.org.uk>
Le 02/04/2020 à 18:29, Al Viro a écrit :
> On Thu, Apr 02, 2020 at 07:34:16AM +0000, Christophe Leroy wrote:
>> Some architectures like powerpc64 have the capability to separate
>> read access and write access protection.
>> For get_user() and copy_from_user(), powerpc64 only open read access.
>> For put_user() and copy_to_user(), powerpc64 only open write access.
>> But when using unsafe_get_user() or unsafe_put_user(),
>> user_access_begin open both read and write.
>>
>> Other architectures like powerpc book3s 32 bits only allow write
>> access protection. And on this architecture protection is an heavy
>> operation as it requires locking/unlocking per segment of 256Mbytes.
>> On those architecture it is therefore desirable to do the unlocking
>> only for write access. (Note that book3s/32 ranges from very old
>> powermac from the 90's with powerpc 601 processor, till modern
>> ADSL boxes with PowerQuicc II modern processors for instance so it
>> is still worth considering)
>>
>> In order to avoid any risk based of hacking some variable parameters
>> passed to user_access_begin/end that would allow hacking and
>> leaving user access open or opening too much, it is preferable to
>> use dedicated static functions that can't be overridden.
>>
>> Add a user_read_access_begin and user_read_access_end to only open
>> read access.
>>
>> Add a user_write_access_begin and user_write_access_end to only open
>> write access.
>>
>> By default, when undefined, those new access helpers default on the
>> existing user_access_begin and user_access_end.
>
> The only problem I have is that we'd better choose the calling
> conventions that work for other architectures as well.
>
> AFAICS, aside of ppc and x86 we have (at least) this:
> arm:
> unsigned int __ua_flags = uaccess_save_and_enable();
> ...
> uaccess_restore(__ua_flags);
> arm64:
> uaccess_enable_not_uao();
> ...
> uaccess_disable_not_uao();
> riscv:
> __enable_user_access();
> ...
> __disable_user_access();
> s390/mvc:
> old_fs = enable_sacf_uaccess();
> ...
> disable_sacf_uaccess(old_fs);
>
> arm64 and riscv are easy - they map well on what we have now.
> The interesting ones are ppc, arm and s390.
>
> You wants to specify the kind of access; OK, but... it's not just read
> vs. write - there's read-write as well. AFAICS, there are 3 users of
> that:
> * copy_in_user()
> * arch_futex_atomic_op_inuser()
> * futex_atomic_cmpxchg_inatomic()
> The former is of dubious utility (all users outside of arch are in
> the badly done compat code), but the other two are not going to go
> away.
user_access_begin() grants both read and write.
This patch adds user_read_access_begin() and user_write_access_begin()
but it doesn't remove user_access_begin()
>
> What should we do about that? Do we prohibit such blocks outside
> of arch?
>
> What should we do about arm and s390? There we want a cookie passed
> from beginning of block to its end; should that be a return value?
That was the way I implemented it in January, see
https://patchwork.ozlabs.org/patch/1227926/
There was some discussion around that and most noticeable was:
H. Peter (hpa) said about it: "I have *deep* concern with carrying state
in a "key" variable: it's a direct attack vector for a crowbar attack,
especially since it is by definition live inside a user access region."
>
> And at least on arm that thing nests (see e.g. __clear_user_memset()
> there), so "stash that cookie in current->something" is not a solution...
>
> Folks, let's sort that out while we still have few users of that
> interface; changing the calling conventions later will be much harder.
> Comments?
>
This patch minimises the change by just adding user_read_access_begin()
and user_write_access_begin() keeping the same parameters as the
existing user_access_begin().
So I can come back to a mix of this patch and the January version if it
corresponds to everyone's view, it will also be a bit easier for powerpc
(especially book3s/32). But that didn't seem to be the expected
direction back when we discussed it in January.
Christophe
next prev parent reply other threads:[~2020-04-02 17:03 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-02 7:34 Christophe Leroy
2020-04-02 7:34 ` [PATCH RESEND 2/4] uaccess: Selectively open read or write user access Christophe Leroy
2020-04-02 7:51 ` Kees Cook
2020-04-02 8:00 ` Christophe Leroy
2020-04-02 7:34 ` [PATCH RESEND 3/4] drm/i915/gem: Replace user_access_begin by user_write_access_begin Christophe Leroy
2020-04-02 7:52 ` Kees Cook
2020-04-02 7:59 ` Christophe Leroy
2020-04-02 7:34 ` [PATCH RESEND 4/4] powerpc/uaccess: Implement user_read_access_begin and user_write_access_begin Christophe Leroy
2020-04-02 7:52 ` Kees Cook
2020-04-02 7:46 ` [PATCH RESEND 1/4] uaccess: Add user_read_access_begin/end and user_write_access_begin/end Kees Cook
2020-04-02 16:29 ` Al Viro
2020-04-02 17:03 ` Christophe Leroy [this message]
2020-04-02 17:38 ` Kees Cook
2020-04-02 17:50 ` Al Viro
2020-04-02 18:35 ` Christophe Leroy
2020-04-02 18:35 ` Kees Cook
2020-04-02 19:26 ` Linus Torvalds
2020-04-02 20:27 ` Kees Cook
2020-04-02 20:47 ` Linus Torvalds
2020-04-03 0:58 ` Al Viro
2020-04-03 9:49 ` Russell King - ARM Linux admin
2020-04-03 11:26 ` Catalin Marinas
2020-04-03 13:37 ` Russell King - ARM Linux admin
2020-04-03 17:26 ` Al Viro
2020-04-03 10:02 ` Russell King - ARM Linux admin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67e21b65-0e2d-7ca5-7518-cec1b7abc46c@c-s.fr \
--to=christophe.leroy@c-s.fr \
--cc=airlied@linux.ie \
--cc=akpm@linux-foundation.org \
--cc=benh@kernel.crashing.org \
--cc=borntraeger@de.ibm.com \
--cc=daniel@ffwll.ch \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox