From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dan Williams <dan.j.williams@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
Kees Cook <keescook@chromium.org>,
kernel-hardening@lists.openwall.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
the arch/x86 maintainers <x86@kernel.org>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
Alan Cox <alan@linux.intel.com>
Subject: [kernel-hardening] Re: [PATCH v3 8/9] x86: use __uaccess_begin_nospec and ASM_IFENCE in get_user paths
Date: Wed, 17 Jan 2018 06:28:00 +0000 [thread overview]
Message-ID: <20180117062800.GU13338@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAPcyv4g94iysWqz64KNk=HDdx6+b2e0O-rRrnFZDqfNSR3Xrjg@mail.gmail.com>
On Tue, Jan 16, 2018 at 08:30:17PM -0800, Dan Williams wrote:
> On Tue, Jan 16, 2018 at 2:23 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Sat, Jan 13, 2018 at 11:33 AM, Linus Torvalds
> [..]
> > I'll respin this set along those lines, and drop the ifence bits.
>
> So now I'm not so sure. Yes, get_user_{1,2,4,8} can mask the pointer
> with the address limit result, but this doesn't work for the
> access_ok() + __get_user() case. We can either change the access_ok()
> calling convention to return a properly masked pointer to be used in
> subsequent calls to __get_user(), or go with lfence on every
> __get_user call. There seem to be several drivers that open code
> copy_from_user() with __get_user loops, so the 'fence every
> __get_user' approach might have noticeable overhead. On the other hand
> the access_ok conversion, while it could be scripted with coccinelle,
> is ~300 sites (VERIFY_READ), if you're concerned about having
> something small to merge for 4.15.
>
> I think the access_ok() conversion to return a speculation sanitized
> pointer or NULL is the way to go unless I'm missing something simpler.
> Other ideas?
What masked pointer? access_ok() exists for other architectures as well,
and the fewer callers remain outside of arch/*, the better.
Anything that open-codes copy_from_user() that way is *ALREADY* fucked if
it cares about the overhead - recent x86 boxen will have slowdown from
hell on stac()/clac() pairs. Anything like that on a hot path is already
deep in trouble and needs to be found and fixed. What drivers would those
be? We don't have that many __get_user() users left outside of arch/*
anymore...
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dan Williams <dan.j.williams@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
Kees Cook <keescook@chromium.org>,
kernel-hardening@lists.openwall.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
the arch/x86 maintainers <x86@kernel.org>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
Alan Cox <alan@linux.intel.com>
Subject: Re: [PATCH v3 8/9] x86: use __uaccess_begin_nospec and ASM_IFENCE in get_user paths
Date: Wed, 17 Jan 2018 06:28:00 +0000 [thread overview]
Message-ID: <20180117062800.GU13338@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAPcyv4g94iysWqz64KNk=HDdx6+b2e0O-rRrnFZDqfNSR3Xrjg@mail.gmail.com>
On Tue, Jan 16, 2018 at 08:30:17PM -0800, Dan Williams wrote:
> On Tue, Jan 16, 2018 at 2:23 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Sat, Jan 13, 2018 at 11:33 AM, Linus Torvalds
> [..]
> > I'll respin this set along those lines, and drop the ifence bits.
>
> So now I'm not so sure. Yes, get_user_{1,2,4,8} can mask the pointer
> with the address limit result, but this doesn't work for the
> access_ok() + __get_user() case. We can either change the access_ok()
> calling convention to return a properly masked pointer to be used in
> subsequent calls to __get_user(), or go with lfence on every
> __get_user call. There seem to be several drivers that open code
> copy_from_user() with __get_user loops, so the 'fence every
> __get_user' approach might have noticeable overhead. On the other hand
> the access_ok conversion, while it could be scripted with coccinelle,
> is ~300 sites (VERIFY_READ), if you're concerned about having
> something small to merge for 4.15.
>
> I think the access_ok() conversion to return a speculation sanitized
> pointer or NULL is the way to go unless I'm missing something simpler.
> Other ideas?
What masked pointer? access_ok() exists for other architectures as well,
and the fewer callers remain outside of arch/*, the better.
Anything that open-codes copy_from_user() that way is *ALREADY* fucked if
it cares about the overhead - recent x86 boxen will have slowdown from
hell on stac()/clac() pairs. Anything like that on a hot path is already
deep in trouble and needs to be found and fixed. What drivers would those
be? We don't have that many __get_user() users left outside of arch/*
anymore...
next prev parent reply other threads:[~2018-01-17 6:28 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-13 18:17 [kernel-hardening] [PATCH v3 0/9] core, x86: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:17 ` [kernel-hardening] [PATCH v3 1/9] Documentation: document array_ptr Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:17 ` [kernel-hardening] [PATCH v3 2/9] arm64: implement ifence_array_ptr() Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:17 ` [kernel-hardening] [PATCH v3 3/9] arm: " Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:17 ` [kernel-hardening] [PATCH v3 4/9] x86: implement ifence() Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:17 ` [kernel-hardening] [PATCH v3 5/9] x86: implement ifence_array_ptr() and array_ptr_mask() Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:17 ` [kernel-hardening] [PATCH v3 6/9] asm/nospec: mask speculative execution flows Dan Williams
2018-01-13 18:17 ` Dan Williams
2018-01-13 18:18 ` [kernel-hardening] [PATCH v3 7/9] x86: introduce __uaccess_begin_nospec and ASM_IFENCE Dan Williams
2018-01-13 18:18 ` Dan Williams
2018-01-13 18:18 ` [kernel-hardening] [PATCH v3 8/9] x86: use __uaccess_begin_nospec and ASM_IFENCE in get_user paths Dan Williams
2018-01-13 18:18 ` Dan Williams
2018-01-13 19:05 ` [kernel-hardening] " Linus Torvalds
2018-01-13 19:05 ` Linus Torvalds
2018-01-13 19:33 ` [kernel-hardening] " Linus Torvalds
2018-01-13 19:33 ` Linus Torvalds
2018-01-13 20:22 ` [kernel-hardening] " Eric W. Biederman
2018-01-13 20:22 ` Eric W. Biederman
2018-01-13 20:22 ` Eric W. Biederman
2018-01-13 20:22 ` Eric W. Biederman
2018-01-16 22:23 ` [kernel-hardening] " Dan Williams
2018-01-16 22:23 ` Dan Williams
2018-01-16 22:23 ` Dan Williams
2018-01-16 22:23 ` Dan Williams
[not found] ` <CA+55aFxAFG5czVmCyhYMyHmXLNJ7pcXxWzusjZvLRh_qTGHj6Q@mail.gmail.com>
2018-01-16 22:41 ` [kernel-hardening] " Linus Torvalds
2018-01-16 22:41 ` Linus Torvalds
2018-01-17 14:17 ` [kernel-hardening] " Alan Cox
2018-01-17 14:17 ` Alan Cox
2018-01-17 18:52 ` [kernel-hardening] " Al Viro
2018-01-17 18:52 ` Al Viro
2018-01-17 19:54 ` [kernel-hardening] " Dan Williams
2018-01-17 19:54 ` Dan Williams
2018-01-17 20:05 ` [kernel-hardening] " Al Viro
2018-01-17 20:05 ` Al Viro
2018-01-17 20:14 ` [kernel-hardening] " Dan Williams
2018-01-17 20:14 ` Dan Williams
2018-01-18 3:06 ` [kernel-hardening] [RFC][PATCH] get rid of the use of set_fs() (by way of kernel_recvmsg()) in sunrpc Al Viro
2018-01-18 3:06 ` Al Viro
2018-01-18 3:16 ` [kernel-hardening] " Linus Torvalds
2018-01-18 3:16 ` Linus Torvalds
2018-01-18 4:43 ` [kernel-hardening] " Al Viro
2018-01-18 4:43 ` Al Viro
2018-01-18 16:29 ` [kernel-hardening] " Christoph Hellwig
2018-01-18 16:29 ` Christoph Hellwig
2018-01-18 17:10 ` [kernel-hardening] " Al Viro
2018-01-18 17:10 ` Al Viro
2018-01-18 19:31 ` [kernel-hardening] " Al Viro
2018-01-18 19:31 ` Al Viro
2018-01-18 19:37 ` [PATCH 01/10] net: separate SIOCGIFCONF handling from dev_ioctl() Al Viro
2018-01-18 19:37 ` [PATCH 02/10] devinet_ioctl(): take copyin/copyout to caller Al Viro
2018-01-22 16:40 ` Christoph Hellwig
2018-01-18 19:37 ` [PATCH 03/10] ip_rt_ioctl(): take copyin " Al Viro
2018-01-22 16:43 ` Christoph Hellwig
2018-01-18 19:37 ` [PATCH 04/10] kill dev_ifsioc() Al Viro
2018-01-22 16:47 ` Christoph Hellwig
2018-01-18 19:37 ` [PATCH 05/10] kill bond_ioctl() Al Viro
2018-01-22 16:48 ` Christoph Hellwig
2018-01-18 19:37 ` [PATCH 06/10] kill dev_ifname32() Al Viro
2018-01-18 19:37 ` [PATCH 07/10] lift handling of SIOCIW... out of dev_ioctl() Al Viro
2018-01-18 19:37 ` [PATCH 08/10] ipconfig: use dev_set_mtu() Al Viro
2018-01-18 19:37 ` [PATCH 09/10] dev_ioctl(): move copyin/copyout to callers Al Viro
2018-01-18 19:37 ` [PATCH 10/10] kill kernel_sock_ioctl() Al Viro
2018-01-22 16:49 ` Christoph Hellwig
2018-01-24 20:52 ` David Miller
2018-01-25 0:01 ` Al Viro
2018-01-25 0:21 ` Al Viro
2018-01-25 4:11 ` David Miller
2018-01-22 16:40 ` [PATCH 01/10] net: separate SIOCGIFCONF handling from dev_ioctl() Christoph Hellwig
2018-01-18 20:33 ` [kernel-hardening] Re: [RFC][PATCH] get rid of the use of set_fs() (by way of kernel_recvmsg()) in sunrpc Al Viro
2018-01-18 20:33 ` Al Viro
2018-01-19 3:27 ` [kernel-hardening] " Al Viro
2018-01-19 3:27 ` Al Viro
2018-01-17 19:26 ` [kernel-hardening] Re: [PATCH v3 8/9] x86: use __uaccess_begin_nospec and ASM_IFENCE in get_user paths Linus Torvalds
2018-01-17 19:26 ` Linus Torvalds
2018-01-17 20:01 ` [kernel-hardening] " Eric Dumazet
2018-01-17 20:01 ` Eric Dumazet
2018-01-18 16:38 ` [kernel-hardening] " Christoph Hellwig
2018-01-18 16:38 ` Christoph Hellwig
2018-01-18 16:49 ` [kernel-hardening] " Linus Torvalds
2018-01-18 16:49 ` Linus Torvalds
2018-01-18 18:12 ` [kernel-hardening] " Al Viro
2018-01-18 18:12 ` Al Viro
2018-01-17 4:30 ` [kernel-hardening] " Dan Williams
2018-01-17 4:30 ` Dan Williams
2018-01-17 6:28 ` Al Viro [this message]
2018-01-17 6:28 ` Al Viro
2018-01-17 6:50 ` [kernel-hardening] " Dan Williams
2018-01-17 6:50 ` Dan Williams
2018-01-17 10:07 ` [kernel-hardening] " David Laight
2018-01-17 10:07 ` David Laight
2018-01-17 18:12 ` [kernel-hardening] " Dan Williams
2018-01-17 18:12 ` Dan Williams
2018-01-17 19:16 ` [kernel-hardening] " Linus Torvalds
2018-01-17 19:16 ` Linus Torvalds
2018-01-13 18:18 ` [kernel-hardening] [PATCH v3 9/9] vfs, fdtable: prevent bounds-check bypass via speculative execution Dan Williams
2018-01-13 18:18 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180117062800.GU13338@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=alan@linux.intel.com \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.