From: "Michael S. Tsirkin" <mst@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Jason Wang <jasowang@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH RFC] uaccess: user_access_begin_after_access_ok()
Date: Tue, 2 Jun 2020 16:32:55 -0400 [thread overview]
Message-ID: <20200602162931-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <CAHk-=wjgg0bpD0qjYF=twJNXmRXYPjXqO1EFLL-mS8qUphe0AQ@mail.gmail.com>
On Tue, Jun 02, 2020 at 10:18:09AM -0700, Linus Torvalds wrote:
> On Tue, Jun 2, 2020 at 9:33 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > >
> > > It's not clear whether we need a new API, I think __uaccess_being() has the
> > > assumption that the address has been validated by access_ok().
> >
> > __uaccess_begin() is a stopgap, not a public API.
>
> Correct. It's just an x86 implementation detail.
>
> > The problem is real, but "let's add a public API that would do user_access_begin()
> > with access_ok() already done" is no-go.
>
> Yeah, it's completely pointless.
>
> The solution to this is easy: remove the incorrect and useless early
> "access_ok()". Boom, done.
Hmm are you sure we can drop it? access_ok is done in the context
of the process. Access itself in the context of a kernel thread
that borrows the same mm. IIUC if the process can be 32 bit
while the kernel is 64 bit, access_ok in the context of the
kernel thread will not DTRT.
> Then use user_access_begin() and the appropriate unsage_get/put_user()
> sequence, and user_access_end().
>
> The range test that user-access-begin does is not just part of the
> ABI, it's just required in general. We have almost thirty years of
> history of trying to avoid it, AND IT WAS ALL BOGUS.
>
> The fact is, the range check is pretty damn cheap, and not doing the
> range check has always been a complete and utter disaster.
>
> You have exactly two cases:
>
> (a) the access_ok() would be right above the code and can't be missed
>
> (b) not
>
> and in (a) the solution is: remove the access_ok() and let
> user_access_begin() do the range check.
>
> In (b), the solution is literally "DON'T DO THAT!"
>
> Because EVERY SINGLE TIME people have eventually noticed (possibly
> after code movement) that "oops, we never did the access_ok at all,
> and now we can be fooled into kernel corruption and a security issue".
>
> And even if that didn't happen, the worry was there.
>
> End result: use user_access_begin() and stop trying to remove the two
> cycles or whatever of the limit checking cost. The "upside" of
> removing that limit check just isn't. It's a downside.
>
> Linus
That's true. Limit check cost is measureable but very small.
It's the speculation barrier that's costly.
--
MST
next prev parent reply other threads:[~2020-06-02 20:33 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-02 8:45 [PATCH RFC] uaccess: user_access_begin_after_access_ok() Michael S. Tsirkin
2020-06-02 10:15 ` Jason Wang
2020-06-02 16:33 ` Al Viro
2020-06-02 17:18 ` Linus Torvalds
2020-06-02 17:44 ` Al Viro
2020-06-02 17:46 ` Al Viro
2020-06-02 20:32 ` Michael S. Tsirkin [this message]
2020-06-02 20:41 ` David Laight
2020-06-02 21:58 ` Al Viro
2020-06-03 8:08 ` David Laight
2020-06-02 20:43 ` Linus Torvalds
2020-06-03 6:01 ` Michael S. Tsirkin
[not found] ` <CAHk-=wi3=QuD30fRq8fYYTj9WmkgeZ0VR_Sh3DQHU+nmwj-jMg@mail.gmail.com>
2020-06-03 16:59 ` Linus Torvalds
2020-06-02 16:30 ` Al Viro
2020-06-02 20:42 ` Michael S. Tsirkin
2020-06-02 22:10 ` Al Viro
2020-06-03 5:17 ` Michael S. Tsirkin
2020-06-03 1:48 ` Al Viro
2020-06-03 3:57 ` Jason Wang
2020-06-03 4:18 ` Al Viro
2020-06-03 5:18 ` Jason Wang
2020-06-03 5:46 ` Michael S. Tsirkin
2020-06-03 6:23 ` Jason Wang
2020-06-03 6:30 ` Michael S. Tsirkin
2020-06-03 6:36 ` Jason Wang
2020-06-04 16:49 ` Michael S. Tsirkin
2020-06-05 10:03 ` Jason Wang
2020-06-06 20:08 ` Michael S. Tsirkin
2020-06-03 6:25 ` Michael S. Tsirkin
2020-06-03 5:29 ` Michael S. Tsirkin
2020-06-03 16:52 ` Al Viro
2020-06-04 6:10 ` Jason Wang
2020-06-04 14:59 ` Al Viro
2020-06-04 16:46 ` Michael S. Tsirkin
2020-06-04 10:10 ` Michael S. Tsirkin
2020-06-04 15:03 ` Al Viro
2020-06-04 16:47 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200602162931-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=jasowang@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.