| Message ID | 20210204121612.32721-1-aik@ozlabs.ru (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [kernel,v3] powerpc/uaccess: Skip might_fault() when user access is enabled | expand |
| Context | Check | Description |
|---|---|---|
| snowpatch_ozlabs/apply_patch | success | Successfully applied on branch powerpc/merge (44158b256b30415079588d0fcb1bccbdc2ccd009) |
| snowpatch_ozlabs/build-ppc64le | success | Build succeeded |
| snowpatch_ozlabs/build-ppc64be | success | Build succeeded |
| snowpatch_ozlabs/build-ppc64e | success | Build succeeded |
| snowpatch_ozlabs/build-pmac32 | success | Build succeeded |
| snowpatch_ozlabs/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 40 lines checked |
| snowpatch_ozlabs/needsstable | warning | Please consider tagging this patch for stable! |
On Thu, 4 Feb 2021 23:16:12 +1100, Alexey Kardashevskiy wrote: > The amount of code executed with enabled user space access (unlocked KUAP) > should be minimal. However with CONFIG_PROVE_LOCKING or > CONFIG_DEBUG_ATOMIC_SLEEP enabled, might_fault() may end up replaying > interrupts which in turn may access the user space and forget to restore > the KUAP state. > > The problem places are: > 1. strncpy_from_user (and similar) which unlock KUAP and call > unsafe_get_user -> __get_user_allowed -> __get_user_nocheck() > with do_allow=false to skip KUAP as the caller took care of it. > 2. __put_user_nocheck_goto() which is called with unlocked KUAP. > > [...] Applied to powerpc/next. [1/1] powerpc/uaccess: Avoid might_fault() when user access is enabled https://git.kernel.org/powerpc/c/7d506ca97b665b95e698a53697dad99fae813c1a cheers
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h index 501c9a79038c..a789601998d3 100644 --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -216,8 +216,6 @@ do { \ #define __put_user_nocheck_goto(x, ptr, size, label) \ do { \ __typeof__(*(ptr)) __user *__pu_addr = (ptr); \ - if (!is_kernel_addr((unsigned long)__pu_addr)) \ - might_fault(); \ __chk_user_ptr(ptr); \ __put_user_size_goto((x), __pu_addr, (size), label); \ } while (0) @@ -313,7 +311,7 @@ do { \ __typeof__(size) __gu_size = (size); \ \ __chk_user_ptr(__gu_addr); \ - if (!is_kernel_addr((unsigned long)__gu_addr)) \ + if (do_allow && !is_kernel_addr((unsigned long)__gu_addr)) \ might_fault(); \ barrier_nospec(); \ if (do_allow) \ @@ -508,6 +506,8 @@ static __must_check inline bool user_access_begin(const void __user *ptr, size_t { if (unlikely(!access_ok(ptr, len))) return false; + if (!is_kernel_addr((unsigned long)ptr)) + might_fault(); allow_read_write_user((void __user *)ptr, ptr, len); return true; } @@ -521,6 +521,8 @@ user_read_access_begin(const void __user *ptr, size_t len) { if (unlikely(!access_ok(ptr, len))) return false; + if (!is_kernel_addr((unsigned long)ptr)) + might_fault(); allow_read_from_user(ptr, len); return true; } @@ -532,6 +534,8 @@ user_write_access_begin(const void __user *ptr, size_t len) { if (unlikely(!access_ok(ptr, len))) return false; + if (!is_kernel_addr((unsigned long)ptr)) + might_fault(); allow_write_to_user((void __user *)ptr, len); return true; }
The amount of code executed with enabled user space access (unlocked KUAP) should be minimal. However with CONFIG_PROVE_LOCKING or CONFIG_DEBUG_ATOMIC_SLEEP enabled, might_fault() may end up replaying interrupts which in turn may access the user space and forget to restore the KUAP state. The problem places are: 1. strncpy_from_user (and similar) which unlock KUAP and call unsafe_get_user -> __get_user_allowed -> __get_user_nocheck() with do_allow=false to skip KUAP as the caller took care of it. 2. __put_user_nocheck_goto() which is called with unlocked KUAP. This changes __get_user_nocheck() to look at @do_allow to decide whether to skip might_fault(). Since strncpy_from_user/etc call might_fault() anyway before unlocking KUAP, there should be no visible change. This drops might_fault() in __put_user_nocheck_goto() as it is only called from unsafe_xxx helpers which manage KUAP themselves. Since keeping might_fault() is still desireable, this adds those to user_access_begin/read/write which is the last point where we can safely do so. Fixes: 334710b1496a ("powerpc/uaccess: Implement unsafe_put_user() using 'asm goto'") Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru> --- Changes: v3: * removed might_fault() from __put_user_nocheck_goto * added might_fault() to user(_|_read_|_write_)access_begin v2: * s/!do_allow/do_allow/ --- Here is more detail about the issue: https://lore.kernel.org/linuxppc-dev/20210203084503.GX6564@kitsune.suse.cz/T/ Another example of the problem: Kernel attempted to write user page (200002c3) - exploit attempt? (uid: 0) ------------[ cut here ]------------ Bug: Write fault blocked by KUAP! WARNING: CPU: 1 PID: 16712 at /home/aik/p/kernel-syzkaller/arch/powerpc/mm/fault.c:229 __do_page_fault+0xca4/0xf10 NIP [c0000000006ff804] filldir64+0x484/0x820 LR [c0000000006ff7fc] filldir64+0x47c/0x820 --- interrupt: 300 [c0000000589f3b40] [c0000000008131b0] proc_fill_cache+0xf0/0x2b0 [c0000000589f3c60] [c000000000814658] proc_pident_readdir+0x1f8/0x390 [c0000000589f3cc0] [c0000000006fd8e8] iterate_dir+0x108/0x370 [c0000000589f3d20] [c0000000006fe3d8] sys_getdents64+0xa8/0x410 [c0000000589f3db0] [c00000000004b708] system_call_exception+0x178/0x2b0 [c0000000589f3e10] [c00000000000e060] system_call_common+0xf0/0x27c --- arch/powerpc/include/asm/uaccess.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)