From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Boqun Feng <boqun.feng@gmail.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
linux-api <linux-api@vger.kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@amacapital.net>,
Dave Watson <davejwatson@fb.com>, Paul Turner <pjt@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Russell King <linux@arm.linux.org.uk>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Andi Kleen <andi@firstfloor.org>, Chris Lameter <cl@linux.com>,
Ben Maurer <bmaurer@fb.com>, rostedt <rostedt@goodmis.org>,
Josh Triplett <josh@joshtriplett.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Joel Fernandes <joelaf@google.com>
Subject: Re: [RFC PATCH for 4.21 06/16] cpu_opv: Provide cpu_opv system call (v8)
Date: Tue, 16 Oct 2018 15:17:37 -0400 (EDT) [thread overview]
Message-ID: <1984292897.263.1539717457933.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <20181016081029.GA30363@jagdpanzerIV>
----- On Oct 16, 2018, at 4:10 AM, Sergey Senozhatsky sergey.senozhatsky.work@gmail.com wrote:
> Hi Mathieu,
>
> On (10/10/18 15:19), Mathieu Desnoyers wrote:
> [..]
>> +SYSCALL_DEFINE4(cpu_opv, struct cpu_op __user *, ucpuopv, int, cpuopcnt,
>> + int, cpu, int, flags)
>> +{
> [..]
>> +again:
>> + ret = cpu_opv_pin_pages(cpuopv, cpuopcnt, &vaddr_ptrs);
>> + if (ret)
>> + goto end;
>> + ret = do_cpu_opv(cpuopv, cpuopcnt, &vaddr_ptrs, cpu);
>> + if (ret == -EAGAIN)
>> + retry = true;
>> +end:
>> + for (i = 0; i < vaddr_ptrs.nr_vaddr; i++) {
>> + struct vaddr *vaddr = &vaddr_ptrs.addr[i];
>> + int j;
>> +
>> + vm_unmap_user_ram((void *)vaddr->mem, vaddr->nr_pages);
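Review bot: the cleanup loop at `end:` runs on the error return from cpu_opv_pin_pages() as well as on the success path, so it relies on vaddr_ptrs.nr_vaddr counting only entries whose map call actually succeeded; that invariant is worth stating in a comment at cpu_opv_pin_pages() (or checking here), because an entry appended before its mapping completed would hand vm_unmap_user_ram() an address it never returned. The retry path back to `again:` is elided from the quote; please confirm it resets vaddr_ptrs.nr_vaddr to 0 after this loop, otherwise a second pass appends to, and later re-unmaps, the first pass's entries.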
>
> A dumb question.
>
> Both vm_unmap_user_ram() and vm_map_user_ram() can BUG_ON().
> So this is
> userspace -> syscall -> cpu_opv() -> vm_unmap_user_ram() -> BUG_ON()
>
> Any chance someone can exploit it?
Hi Sergey,
Let's look at vm_unmap_user_ram() and vm_map_user_ram() separately.
If we look at the input from vm_unmap_user_ram, it's called with the
following parameters by the cpu_opv system call:
for (i = 0; i < vaddr_ptrs.nr_vaddr; i++) {
struct vaddr *vaddr = &vaddr_ptrs.addr[i];
int j;
vm_unmap_user_ram((void *)vaddr->mem, vaddr->nr_pages);
[...]
}
The vaddr_ptrs array content is filled by the call to cpu_opv_pin_pages above:
ret = cpu_opv_pin_pages(cpuopv, cpuopcnt, &vaddr_ptrs);
if (ret)
goto end;
by passing the array to cpu_op_pin_pages(), which appends a virtual address at
the end of the array (on success) and increments nr_vaddr. Those virtual
addresses are returned by vm_map_user_ram(), so they are not user-controlled.
Therefore, only an internal kernel bug between vm_map_user_ram() and
vm_unmap_user_ram() should trigger the BUG_ON(). No user input is passed
to vm_unmap_user_ram().
Now, let's look at vm_map_user_ram(). It calls alloc_vmap_area(), which returns
a vmap_area. Then if vmap_page_range failed, vm_unmap_user_ram is called on the
memory that has just been returned by vm_map_user_ram. Again, only an internal
bug between map/unmap can trigger the BUG_ON() in vm_unmap_user_ram.
Is there another scenario I missed?
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
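The argument above is a data-flow one: the only addresses that ever reach the unmap call are handles the kernel's own map function produced, and the count of them is maintained by the pin loop, so no caller-supplied value can steer the unmap. The following user-space C model is an added example written for this page; it is not code from the patch or from the kernel. The names (mock_map_user_ram, mock_unmap_user_ram, pin_pages, cpu_opv_model, MAX_VADDR, cpu_op_model) and the constants are assumptions that mirror the shape of the quoted hunk, and the registry stands in for the vmap area bookkeeping that the real BUG_ON() checks. It shows the invariant on the success path, on a simulated -EAGAIN retry, and on a partial pin failure.

```c
/* Added example, not from the patch: a user-space model of the pin/unmap
 * bookkeeping the discussion relies on.  Invariant under test: nr_vaddr
 * counts only entries the map function produced, so the unmap loop never
 * receives a caller-supplied address and never leaks a mapping.  All names
 * and values here are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_VADDR   8
#define MOCK_EAGAIN 11
#define MOCK_EFAULT 14

/* Registry standing in for the kernel's vmap area tree: live handles. */
static uintptr_t live_handles[MAX_VADDR];
static int live_count;
static int bad_unmap_count;          /* counts what BUG_ON() would catch */
static uintptr_t next_handle = 0x1000;

struct vaddr { uintptr_t mem; int nr_pages; };
struct vaddr_ptrs { struct vaddr addr[MAX_VADDR]; int nr_vaddr; };
/* A caller-supplied op: user address to pin; 0 models an unmappable one. */
struct cpu_op_model { uintptr_t user_addr; int nr_pages; };

static int mock_map_user_ram(uintptr_t user_addr, int nr_pages, uintptr_t *out)
{
    if (user_addr == 0 || live_count == MAX_VADDR)
        return -MOCK_EFAULT;
    *out = next_handle;              /* kernel-chosen, never the user value */
    next_handle += (uintptr_t)nr_pages * 4096;
    live_handles[live_count++] = *out;
    return 0;
}

static void mock_unmap_user_ram(uintptr_t mem, int nr_pages)
{
    (void)nr_pages;
    for (int i = 0; i < live_count; i++) {
        if (live_handles[i] == mem) {
            live_handles[i] = live_handles[--live_count];
            return;
        }
    }
    bad_unmap_count++;               /* unmap of a handle we never mapped */
}

/* Mirrors cpu_opv_pin_pages(): one handle appended per successful map,
 * stop at the first failure, so nr_vaddr equals the number of successes. */
static int pin_pages(const struct cpu_op_model *ops, int n, struct vaddr_ptrs *p)
{
    for (int i = 0; i < n; i++) {
        uintptr_t h;
        int ret = mock_map_user_ram(ops[i].user_addr, ops[i].nr_pages, &h);
        if (ret)
            return ret;
        p->addr[p->nr_vaddr].mem = h;
        p->addr[p->nr_vaddr].nr_pages = ops[i].nr_pages;
        p->nr_vaddr++;
    }
    return 0;
}

/* Mirrors the again:/end: structure of the syscall; retry_once models
 * do_cpu_opv() returning -EAGAIN on the first pass. */
static int cpu_opv_model(const struct cpu_op_model *ops, int n, bool retry_once)
{
    struct vaddr_ptrs ptrs;
    bool first = true;
    int ret;
again:
    memset(&ptrs, 0, sizeof(ptrs));  /* nr_vaddr restarts at 0 every pass */
    ret = pin_pages(ops, n, &ptrs);
    if (ret)
        goto end;
    ret = (retry_once && first) ? -MOCK_EAGAIN : 0;
    first = false;
end:
    for (int i = 0; i < ptrs.nr_vaddr; i++)
        mock_unmap_user_ram(ptrs.addr[i].mem, ptrs.addr[i].nr_pages);
    if (ret == -MOCK_EAGAIN)
        goto again;
    return ret;
}

static int live_mappings(void) { return live_count; }
static int bad_unmaps(void) { return bad_unmap_count; }

/* Constructed scenarios: clean success, one retry, partial pin failure. */
static int scenario_success(void)
{
    const struct cpu_op_model ops[] = { {0x7f0000001000u, 1}, {0x7f0000002000u, 2} };
    return cpu_opv_model(ops, 2, false);
}
static int scenario_retry(void)
{
    const struct cpu_op_model ops[] = { {0x7f0000001000u, 1}, {0x7f0000002000u, 2} };
    return cpu_opv_model(ops, 2, true);
}
static int scenario_partial_failure(void)
{
    const struct cpu_op_model ops[] = { {0x7f0000001000u, 1}, {0, 1}, {0x7f0000003000u, 1} };
    return cpu_opv_model(ops, 3, false);
}

int main(void)
{
    return (scenario_success() == 0 && scenario_retry() == 0 &&
            scenario_partial_failure() == -MOCK_EFAULT &&
            live_mappings() == 0 && bad_unmaps() == 0) ? 0 : 1;
}
```

The partial-failure scenario is the one that matters for the question in the thread: the second op cannot be mapped, the pin loop stops with nr_vaddr equal to 1, and the cleanup at end: unmaps exactly that one kernel-produced handle, leaving nothing live and never calling unmap on an address the map function did not hand out. Dropping the memset at again: would break the invariant on the retry path, which is the kind of internal bookkeeping bug the reply says is the only way to reach the BUG_ON().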