From: David Hildenbrand <david@redhat.com>
To: Omar Sandoval <osandov@osandov.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>,
linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
x86@kernel.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, loongarch@lists.linux.dev,
linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-um@lists.infradead.org,
kernel-team@fb.com
Subject: Re: [PATCH 0/2] mm: make copy_to_kernel_nofault() not fault on user addresses
Date: Mon, 2 Sep 2024 18:39:52 +0200 [thread overview]
Message-ID: <995d18bb-16f1-4843-92bc-6c4a386a811d@redhat.com> (raw)
In-Reply-To: <ZtXZFc9kZAUMD4e0@telecaster>
On 02.09.24 17:26, Omar Sandoval wrote:
> On Mon, Sep 02, 2024 at 10:56:27AM +0200, David Hildenbrand wrote:
>> On 02.09.24 08:31, Omar Sandoval wrote:
>>> On Mon, Sep 02, 2024 at 08:19:33AM +0200, Christophe Leroy wrote:
>>>>
>>>>
>>>> Le 02/09/2024 à 07:31, Omar Sandoval a écrit :
>>>>> [Vous ne recevez pas souvent de courriers de osandov@osandov.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ]
>>>>>
>>>>> From: Omar Sandoval <osandov@fb.com>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I hit a case where copy_to_kernel_nofault() will fault (lol): if the
>>>>> destination address is in userspace and x86 Supervisor Mode Access
>>>>> Prevention is enabled. Patch 2 has the details and the fix. Patch 1
>>>>> renames a helper function so that its use in patch 2 makes more sense.
>>>>> If the rename is too intrusive, I can drop it.
>>>>
>>>> The name of the function is "copy_to_kernel". If the destination is a user
>>>> address, it is not a copy to kernel but a copy to user and you already have
>>>> the function copy_to_user() for that. copy_to_user() properly handles SMAP.
>>>
>>> I'm not trying to copy to user. I am (well, KDB is) trying to copy to an
>>> arbitrary address, and I want it to return an error instead of crashing
>>> if the address is not a valid kernel address. As far as I can tell, that
>>> is the whole point of copy_to_kernel_nofault().
>>
>> The thing is that you (well, KDB) triggers something that would be
>> considered a real BUG when triggered from "ordinary" (non-debugging) code.
>
> If that's the case, then it's a really weird inconsistency that it's OK
> to call copy_from_kernel_nofault() with an invalid address but a bug to
> call copy_to_kernel_nofault() on the same address. Again, isn't the
> whole point of these functions to fail gracefully instead of crashing on
> invalid addresses? (Modulo the offline and hwpoison cases you mention
> for /proc/kcore.)
I assume the difference is mostly historically, because usually, when
modifying something (ftrace, live patch, kdb) you better know what you
want to modify actually exist and can be modified. IOW, you usually
read-before-weite.
In contrast, things like /proc/kcore, (I think) while limiting it to
sane addresses, might still read from areas where we remove entries from
the directmap (e.g., secretmem), I think.
Like, in a compiler, modifying a variable you didn't read before is
rather rare as well. If you would have tried to read it, the
copy_from_kernel_nofault() would have failed.
I agree that the difference is weird, and likely really "nobody ran into
this before in sane use cases".
>
>> But now I am confused: "if the destination address is in userspace" does not
>> really make sense in the context of KDB, no?
>>
>> [15]kdb> mm 0 1234
>> [ 94.652476] BUG: kernel NULL pointer dereference, address:
>> 0000000000000000
>>
>> Why is address 0 in "user space"? "Which" user space?
>
> Sure, it's not really user space, but it's below TASK_SIZE_MAX, so
> things like handle_page_fault() and fault_in_kernel_space() treat it as
> if it were a user address. I could
> s/userspace address/address that is less than TASK_SIZE_MAX or is_vsyscall_vaddr(address)/.
Ah, okay, that's x86 specifics detail in
copy_from_kernel_nofault_allowed(), thanks.
>
>> Isn't the problem here that KDB lets you blindly write to any non-existing
>> memory address?
>>
>>
>> Likely it should do some proper filtering like we do in fs/proc/kcore.c:
>>
>> Take a look at the KCORE_RAM case where we make sure the page exists, is
>> online and may be accessed. Only then, we trigger a
>> copy_from_kernel_nofault(). Note that the KCORE_USER is a corner case only
>> for some special thingies on x86 (vsyscall), and can be ignored for our case
>> here.
>
> Sure, it would be better to harden KDB against all of these special
> cases. But you can break things in all sorts of fun ways with a
> debugger, anyways. The point of this patch is that it's nonsense that a
> function named copy_to_kernel_nofault() does indeed fault in a trivial
> case like address < TASK_SIZE_MAX.
Yes, because the write-without-read to kernel memory "you don't know
even exists" is rather ... weird :)
Anyhow, no strong opinion here. Patches look simple enough.
--
Cheers,
David / dhildenb
prev parent reply other threads:[~2024-09-02 16:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-02 5:31 Omar Sandoval
2024-09-02 5:31 ` [PATCH 1/2] mm: rename copy_from_kernel_nofault_allowed() to copy_kernel_nofault_allowed() Omar Sandoval
2024-09-02 5:31 ` [PATCH 2/2] mm: make copy_to_kernel_nofault() not fault on user addresses Omar Sandoval
2024-09-04 7:50 ` Christophe Leroy
2024-09-04 22:56 ` Omar Sandoval
2024-09-02 6:19 ` [PATCH 0/2] " Christophe Leroy
2024-09-02 6:31 ` Omar Sandoval
2024-09-02 8:56 ` David Hildenbrand
2024-09-02 15:26 ` Omar Sandoval
2024-09-02 16:39 ` David Hildenbrand [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=995d18bb-16f1-4843-92bc-6c4a386a811d@redhat.com \
--to=david@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=christophe.leroy@csgroup.eu \
--cc=hch@lst.de \
--cc=kernel-team@fb.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-um@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=loongarch@lists.linux.dev \
--cc=osandov@osandov.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox