From: will.deacon@arm.com (Will Deacon)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 9/9] ARM: software-based privileged-no-access support
Date: Tue, 25 Aug 2015 15:05:52 +0100
Message-ID: <20150825140552.GH21300@arm.com>
In-Reply-To: <E1ZSmQG-0002za-E3@rmk-PC.arm.linux.org.uk>

On Fri, Aug 21, 2015 at 02:31:56PM +0100, Russell King wrote:
> Provide a software-based implementation of the privileged no access
> support found in ARMv8.1.
> 
> Userspace pages are mapped using a different domain number from the
> kernel and IO mappings.  If we switch the user domain to "no access"
> when we enter the kernel, we can prevent the kernel from touching
> userspace.
> 
> However, the kernel needs to be able to access userspace via the
> various user accessor functions.  With the wrapping in the previous
> patch, we can temporarily enable access when the kernel needs user
> access, and re-disable it afterwards.
> 
> This allows us to trap non-intended accesses to userspace, eg, caused
> by an inadvertent dereference of the LIST_POISON* values, which, with
> appropriate user mappings setup, can be made to succeed.  This in turn
> can allow use-after-free bugs to be further exploited than would
> otherwise be possible.
> 
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> ---
>  arch/arm/Kconfig               | 15 +++++++++++++++
>  arch/arm/include/asm/domain.h  | 15 ++++++++++++---
>  arch/arm/include/asm/uaccess.h | 14 ++++++++++++++
>  arch/arm/kernel/entry-header.S | 25 +++++++++++++++++++++++++
>  arch/arm/kernel/process.c      | 24 ++++++++++++++++++------
>  5 files changed, 84 insertions(+), 9 deletions(-)

[...]

> diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
> index 3aa6c3742182..bec7ee0764e1 100644
> --- a/arch/arm/kernel/entry-header.S
> +++ b/arch/arm/kernel/entry-header.S
> @@ -54,15 +54,40 @@
>  	.endm
>  
>  	.macro	uaccess_disable, tmp
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> +	/*
> +	 * Whenever we re-enter userspace, the domains should always be
> +	 * set appropriately.
> +	 */
> +	mov	\tmp, #DACR_UACCESS_DISABLE
> +	mcr	p15, 0, \tmp, c3, c0, 0		@ Set domain register
> +#endif

Missing ISB?

>  	.endm
>  
>  	.macro	uaccess_enable, tmp
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> +	/*
> +	 * Whenever we re-enter userspace, the domains should always be
> +	 * set appropriately.
> +	 */
> +	mov	\tmp, #DACR_UACCESS_ENABLE
> +	mcr	p15, 0, \tmp, c3, c0, 0
> +#endif
>  	.endm
>  
>  	.macro	uaccess_save_and_disable, tmp
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> +	mrc	p15, 0, \tmp, c3, c0, 0
> +	str	\tmp, [sp, #S_FRAME_SIZE]
> +#endif
> +	uaccess_disable \tmp
>  	.endm
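Review bot: `str \tmp, [sp, #S_FRAME_SIZE]` in uaccess_save_and_disable stores the saved DACR one word beyond the pt_regs frame, and nothing in this hunk shows that word being reserved on the SVC stack or the matching load that restores it; a comment naming the slot and the restoring macro would let the pairing be checked. The block comment "Whenever we re-enter userspace, the domains should always be set appropriately." was also copied verbatim into uaccess_enable, where it no longer describes what the macro does (it re-enables user access for a kernel accessor); reword it, and carry the `@ Set domain register` annotation over to the second mcr. The isb question raised above matters most for uaccess_disable and uaccess_save_and_disable, which run on the entry path where no exception return follows to synchronise the DACR write before the first kernel access.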

Same here. For the enable/restore cases, the exception return will
synchronise the DACR for us, but I think we need the ISB to be sure that
the change has taken effect on the exception entry paths.

Will
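The quoted commit message describes the mechanism without showing the register layout it relies on. The following is an added userspace model in C, not code from the patch or from the kernel tree: it reproduces the two-bits-per-domain encoding of the ARMv7 DACR, builds the two values the macros load (user domain set to no-access on entry, client around a user accessor), and checks which accesses the MMU would let through to the permission check in each state. The domain numbers (DOMAIN_KERNEL 0, DOMAIN_USER 1, DOMAIN_IO 2, DOMAIN_VECTORS 3), the macro names DACR_INIT/DACR_UACCESS_ENABLE/DACR_UACCESS_DISABLE and the helpers domain_val()/domain_mask() are assumptions modelled on the layout of arch/arm/include/asm/domain.h; the field encoding (0b00 no access, 0b01 client, 0b11 manager) is architectural.

```c
/* Added example: userspace model of the ARM Domain Access Control
 * Register (DACR) switch used by software PAN. Not code from the patch;
 * domain numbers and macro names are assumptions following the layout of
 * arch/arm/include/asm/domain.h. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Linux domain numbers (assumed, non-IO_36 layout). */
#define DOMAIN_KERNEL  0
#define DOMAIN_USER    1
#define DOMAIN_IO      2
#define DOMAIN_VECTORS 3

/* Architectural two-bit DACR field values. */
#define DOMAIN_NOACCESS 0   /* every access to the domain faults */
#define DOMAIN_CLIENT   1   /* page-table AP bits are checked */
#define DOMAIN_MANAGER  3   /* AP bits are ignored: full access */

/* Helpers in the spirit of domain_val()/domain_mask() from the series. */
static inline uint32_t domain_val(unsigned dom, uint32_t type)
{
    return type << (2 * dom);
}

static inline uint32_t domain_mask(unsigned dom)
{
    return 3u << (2 * dom);
}

/* Kernel, IO and vectors domains are always client. The user domain is
 * the only field that differs between the two values the macros load. */
#define DACR_INIT (domain_val(DOMAIN_KERNEL, DOMAIN_CLIENT) | \
                   domain_val(DOMAIN_IO, DOMAIN_CLIENT) | \
                   domain_val(DOMAIN_VECTORS, DOMAIN_CLIENT))
#define DACR_UACCESS_DISABLE (DACR_INIT | domain_val(DOMAIN_USER, DOMAIN_NOACCESS))
#define DACR_UACCESS_ENABLE  (DACR_INIT | domain_val(DOMAIN_USER, DOMAIN_CLIENT))

/* Model of the MMU domain check: does an access to a page tagged with
 * page_dom get past the domain stage while dacr is loaded? false means a
 * domain fault; the AP permission check that follows is outside the model. */
bool domain_permits(uint32_t dacr, unsigned page_dom)
{
    uint32_t type = (dacr & domain_mask(page_dom)) >> (2 * page_dom);
    return type == DOMAIN_CLIENT || type == DOMAIN_MANAGER;
}

/* Number of domain fields that differ between two DACR values. The
 * software-PAN switch must change exactly one: DOMAIN_USER. */
unsigned domains_changed(uint32_t a, uint32_t b)
{
    unsigned n = 0;
    for (unsigned d = 0; d < 16; d++)
        if ((a & domain_mask(d)) != (b & domain_mask(d)))
            n++;
    return n;
}

/* The case the commit message is about: a stray kernel dereference of a
 * user-mapped address (e.g. a LIST_POISON value a process mapped) while
 * no user accessor is active must fault. */
bool stray_user_deref_faults(void)
{
    return !domain_permits(DACR_UACCESS_DISABLE, DOMAIN_USER);
}

int main(void)
{
    printf("DACR on entry   : 0x%08x\n", (unsigned)DACR_UACCESS_DISABLE);
    printf("DACR in accessor: 0x%08x\n", (unsigned)DACR_UACCESS_ENABLE);
    printf("fields changed  : %u\n",
           domains_changed(DACR_UACCESS_DISABLE, DACR_UACCESS_ENABLE));
    printf("stray user deref faults: %s\n",
           stray_user_deref_faults() ? "yes" : "no");
    printf("kernel pages still reachable: %s\n",
           domain_permits(DACR_UACCESS_DISABLE, DOMAIN_KERNEL) ? "yes" : "no");
    return 0;
}
```

The model deliberately stops at the domain stage: with the user domain in client mode the real hardware still applies the page's AP bits, so this is the part of the check that software PAN adds on top of the existing permissions, not a replacement for them. It also shows why the ordering concern in the reply matters: the protection exists only once the new value is actually in effect, which on real hardware is what the isb after the mcr guarantees.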
