From: Ingo Molnar <mingo@kernel.org>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
x86@kernel.org
Subject: Re: [PATCH 4/4] x86/kasan: Instrument user memory access API
Date: Mon, 9 May 2016 08:29:21 +0200 [thread overview]
Message-ID: <20160509062921.GA2522@gmail.com> (raw)
In-Reply-To: <1462538722-1574-4-git-send-email-aryabinin@virtuozzo.com>
* Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
> Exchange between user and kernel memory is coded in assembly language.
> Which means that such accesses won't be spotted by KASAN as a compiler
> instruments only C code.
> Add explicit KASAN checks to user memory access API to ensure that
> userspace writes to (or reads from) a valid kernel memory.
>
> Note: Unlike others strncpy_from_user() is written mostly in C and KASAN
> sees memory accesses in it. However, it makes sense to add explicit check
> for all @count bytes that *potentially* could be written to the kernel.
>
> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
> Cc: Alexander Potapenko <glider@google.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: x86@kernel.org
> ---
> arch/x86/include/asm/uaccess.h | 5 +++++
> arch/x86/include/asm/uaccess_64.h | 7 +++++++
> lib/strncpy_from_user.c | 2 ++
> 3 files changed, 14 insertions(+)
[...]
> diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
> index 3384032..e3472b0 100644
> --- a/lib/strncpy_from_user.c
> +++ b/lib/strncpy_from_user.c
> @@ -1,5 +1,6 @@
> #include <linux/compiler.h>
> #include <linux/export.h>
> +#include <linux/kasan-checks.h>
> #include <linux/uaccess.h>
> #include <linux/kernel.h>
> #include <linux/errno.h>
> @@ -103,6 +104,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count)
> if (unlikely(count <= 0))
> return 0;
>
> + kasan_check_write(dst, count);
> max_addr = user_addr_max();
> src_addr = (unsigned long)src;
> if (likely(src_addr < max_addr)) {
Please do the check inside the condition, before the user_access_begin(), because
where you've put the check we might still fail and not do a user copy and -EFAULT
out.
With that fixed:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Thanks,
Ingo
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Ingo Molnar <mingo@kernel.org>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
x86@kernel.org
Subject: Re: [PATCH 4/4] x86/kasan: Instrument user memory access API
Date: Mon, 9 May 2016 08:29:21 +0200 [thread overview]
Message-ID: <20160509062921.GA2522@gmail.com> (raw)
In-Reply-To: <1462538722-1574-4-git-send-email-aryabinin@virtuozzo.com>
* Andrey Ryabinin <aryabinin@virtuozzo.com> wrote:
> Exchange between user and kernel memory is coded in assembly language.
> Which means that such accesses won't be spotted by KASAN as a compiler
> instruments only C code.
> Add explicit KASAN checks to user memory access API to ensure that
> userspace writes to (or reads from) a valid kernel memory.
>
> Note: Unlike others strncpy_from_user() is written mostly in C and KASAN
> sees memory accesses in it. However, it makes sense to add explicit check
> for all @count bytes that *potentially* could be written to the kernel.
>
> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
> Cc: Alexander Potapenko <glider@google.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: x86@kernel.org
> ---
> arch/x86/include/asm/uaccess.h | 5 +++++
> arch/x86/include/asm/uaccess_64.h | 7 +++++++
> lib/strncpy_from_user.c | 2 ++
> 3 files changed, 14 insertions(+)
[...]
> diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
> index 3384032..e3472b0 100644
> --- a/lib/strncpy_from_user.c
> +++ b/lib/strncpy_from_user.c
> @@ -1,5 +1,6 @@
> #include <linux/compiler.h>
> #include <linux/export.h>
> +#include <linux/kasan-checks.h>
> #include <linux/uaccess.h>
> #include <linux/kernel.h>
> #include <linux/errno.h>
> @@ -103,6 +104,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count)
> if (unlikely(count <= 0))
> return 0;
>
> + kasan_check_write(dst, count);
> max_addr = user_addr_max();
> src_addr = (unsigned long)src;
> if (likely(src_addr < max_addr)) {
Please do the check inside the condition, before the user_access_begin(), because
where you've put the check we might still fail and not do a user copy and -EFAULT
out.
With that fixed:
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Thanks,
Ingo
next prev parent reply other threads:[~2016-05-09 6:29 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-06 12:45 [PATCH 1/4] kasan/tests: add tests for user memory access functions Andrey Ryabinin
2016-05-06 12:45 ` Andrey Ryabinin
2016-05-06 12:45 ` [PATCH 2/4] mm/kasan: print name of mem[set,cpy,move]() caller in report Andrey Ryabinin
2016-05-06 12:45 ` Andrey Ryabinin
2016-05-13 12:15 ` Alexander Potapenko
2016-05-13 12:15 ` Alexander Potapenko
2016-05-06 12:45 ` [PATCH 3/4] mm/kasan: add API to check memory regions Andrey Ryabinin
2016-05-06 12:45 ` Andrey Ryabinin
2016-05-13 12:18 ` Alexander Potapenko
2016-05-13 12:18 ` Alexander Potapenko
2016-05-06 12:45 ` [PATCH 4/4] x86/kasan: Instrument user memory access API Andrey Ryabinin
2016-05-06 12:45 ` Andrey Ryabinin
2016-05-09 5:08 ` Dmitry Vyukov
2016-05-09 5:08 ` Dmitry Vyukov
2016-05-09 6:29 ` Ingo Molnar [this message]
2016-05-09 6:29 ` Ingo Molnar
2016-05-10 8:33 ` [PATCH] x86-kasan-instrument-user-memory-access-api-fix Andrey Ryabinin
2016-05-10 8:33 ` Andrey Ryabinin
2016-05-06 22:48 ` [PATCH 1/4] kasan/tests: add tests for user memory access functions Andrew Morton
2016-05-06 22:48 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160509062921.GA2522@gmail.com \
--to=mingo@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.