From: Christoph Hellwig <hch@lst.de>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
linuxppc-dev@lists.ozlabs.org, Christoph Hellwig <hch@lst.de>,
Jeremy Kerr <jk@ozlabs.org>
Subject: Re: [PATCH 1/2] signal: Factor copy_siginfo_to_external32 from copy_siginfo_to_user32
Date: Sun, 19 Apr 2020 10:13:53 +0200
Message-ID: <20200419081353.GF12222@lst.de>
In-Reply-To: <87v9lx3t4j.fsf@x220.int.ebiederm.org>
On Sat, Apr 18, 2020 at 06:55:56AM -0500, Eric W. Biederman wrote:
> > Is that really an issue to use that set_fs() in the coredump code ?
>
> Using set_fs() is pretty bad and something that we would like to remove
> from the kernel entirely. The fewer instances of set_fs() we have the
> better.
>
> I forget all of the details but set_fs() is both a type violation and an
> attack point when people are attacking the kernel. The existence of
> set_fs() requires some things that should be constants to be variables.
> Something about that means that our current code is difficult to protect
> from spectre style vulnerabilities.
Yes, set_fs requires variable based address checking in the uaccess
routines for architectures with a shared address space, or even entirely
different code for architectures with separate kernel and user address
spaces. My plan is to hopefully kill set_fs in its current form a few
merge windows down the road. We'll probably still need some form of
it to e.g. mark a thread as kernel thread vs also being able to execute
user code, but it will be much more limited than before, called from very
few places and actually be a no-op for many architectures.
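
Added example, not part of the original message and not kernel code: a user-space C model of the variable-based address check described above, next to the constant-limit check that becomes possible once set_fs() is gone. The struct layout, the two limit values and helper_with_missing_restore() are simplified assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_LIMIT   0x00007fffffffffffULL /* assumed top of user space */
#define KERNEL_LIMIT UINT64_MAX            /* models KERNEL_DS: no limit */

struct thread { uint64_t addr_limit; };    /* writable per-thread state */

/* Overflow-safe range check used by both variants. */
static bool range_ok(uint64_t addr, uint64_t size, uint64_t limit)
{
    return size <= limit && addr <= limit - size;
}

/* With set_fs(): the limit must be loaded from memory on every check. */
static bool access_ok_variable(const struct thread *t, uint64_t addr, uint64_t size)
{
    return range_ok(addr, size, t->addr_limit);
}

/* Without set_fs(): the limit is a compile-time constant. */
static bool access_ok_constant(uint64_t addr, uint64_t size)
{
    return range_ok(addr, size, USER_LIMIT);
}

static uint64_t set_fs(struct thread *t, uint64_t limit)
{
    uint64_t old = t->addr_limit;
    t->addr_limit = limit;
    return old;
}

/* Hypothetical helper: widens the limit and forgets to restore it on error. */
static int helper_with_missing_restore(struct thread *t, bool fail)
{
    uint64_t old = set_fs(t, KERNEL_LIMIT);
    if (fail)
        return -1;              /* defect: addr_limit stays KERNEL_LIMIT */
    set_fs(t, old);
    return 0;
}

int main(void)
{
    struct thread t = { USER_LIMIT };
    uint64_t kaddr = 0xffff888000001000ULL; /* constructed kernel-range address */
    helper_with_missing_restore(&t, true);
    printf("variable check accepts kernel address: %d\n", access_ok_variable(&t, kaddr, 8));
    printf("constant check accepts kernel address: %d\n", access_ok_constant(kaddr, 8));
    return 0;
}
```

The variable check is only as trustworthy as every code path that writes addr_limit; the constant check has no such state to get wrong.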