From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 574F2C43467 for ; Thu, 8 Oct 2020 11:05:24 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 72E41215A4 for ; Thu, 8 Oct 2020 11:05:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 72E41215A4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 4C6SzP30YhzDqdq for ; Thu, 8 Oct 2020 22:05:21 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=kernel.org (client-ip=198.145.29.99; helo=mail.kernel.org; envelope-from=cmarinas@kernel.org; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=fail (p=none dis=none) header.from=arm.com Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4C6Sx02lFNzDqWw for ; Thu, 8 Oct 2020 22:03:16 +1100 (AEDT) Received: from gaia (unknown [95.149.105.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C9362215A4; Thu, 8 Oct 2020 11:03:10 +0000 (UTC) Date: Thu, 8 Oct 2020 12:03:07 +0100 From: Catalin Marinas To: Michael Ellerman Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Message-ID: <20201008110307.GH7661@gaia> References: <20201007073932.865218-1-jannh@google.com> <20201007123544.GA11433@infradead.org> <87o8ld0zwt.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87o8ld0zwt.fsf@mpe.ellerman.id.au> User-Agent: Mutt/1.10.1 (2018-07-13) X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Dave Kleikamp , Will Deacon , Jann Horn , kernel list , Christoph Hellwig , Linux-MM , Khalid Aziz , Paul Mackerras , sparclinux@vger.kernel.org, Anthony Yznaga , Andrew Morton , linuxppc-dev@lists.ozlabs.org, "David S. Miller" , Linux ARM Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Thu, Oct 08, 2020 at 09:34:26PM +1100, Michael Ellerman wrote: > Jann Horn writes: > > So while the mprotect() case > > checks the flags and refuses unknown values, the mmap() code just lets > > the architecture figure out which bits are actually valid to set (via > > arch_calc_vm_prot_bits()) and silently ignores the rest? > > > > And powerpc apparently decided that they do want to error out on bogus > > prot values passed to their version of mmap(), and in exchange, assume > > in arch_calc_vm_prot_bits() that the protection bits are valid? > > I don't think we really decided that, it just happened by accident and > no one noticed/complained. > > Seems userspace is pretty well behaved when it comes to passing prot > values to mmap(). It's not necessarily about well behaved but whether it can have security implications. On arm64, if the underlying memory does not support MTE (say some DAX mmap) but we still allow PROT_MTE driven by user, it will lead to an SError which brings the whole machine down. Not sure whether ADI has similar requirements but at least for arm64 we addressed the mmap() case as well (see my other email on the details; I think the approach would work on SPARC as well). -- Catalin From mboxrd@z Thu Jan 1 00:00:00 1970 From: Catalin Marinas Date: Thu, 08 Oct 2020 11:03:07 +0000 Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Message-Id: <20201008110307.GH7661@gaia> List-Id: References: <20201007073932.865218-1-jannh@google.com> <20201007123544.GA11433@infradead.org> <87o8ld0zwt.fsf@mpe.ellerman.id.au> In-Reply-To: <87o8ld0zwt.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Michael Ellerman Cc: Dave Kleikamp , Will Deacon , Jann Horn , Benjamin Herrenschmidt , kernel list , Christoph Hellwig , Linux-MM , Khalid Aziz , Paul Mackerras , sparclinux@vger.kernel.org, Anthony Yznaga , Andrew Morton , linuxppc-dev@lists.ozlabs.org, "David S. Miller" , Linux ARM On Thu, Oct 08, 2020 at 09:34:26PM +1100, Michael Ellerman wrote: > Jann Horn writes: > > So while the mprotect() case > > checks the flags and refuses unknown values, the mmap() code just lets > > the architecture figure out which bits are actually valid to set (via > > arch_calc_vm_prot_bits()) and silently ignores the rest? > > > > And powerpc apparently decided that they do want to error out on bogus > > prot values passed to their version of mmap(), and in exchange, assume > > in arch_calc_vm_prot_bits() that the protection bits are valid? > > I don't think we really decided that, it just happened by accident and > no one noticed/complained. > > Seems userspace is pretty well behaved when it comes to passing prot > values to mmap(). It's not necessarily about well behaved but whether it can have security implications. On arm64, if the underlying memory does not support MTE (say some DAX mmap) but we still allow PROT_MTE driven by user, it will lead to an SError which brings the whole machine down. Not sure whether ADI has similar requirements but at least for arm64 we addressed the mmap() case as well (see my other email on the details; I think the approach would work on SPARC as well). -- Catalin From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC81CC43467 for ; Thu, 8 Oct 2020 11:04:31 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 58730215A4 for ; Thu, 8 Oct 2020 11:04:31 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="OBfb8w1y" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 58730215A4 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=jJh/r961JAoZe31vhkOrR3tY1NDnJ70q7I2iR7si4v4=; b=OBfb8w1ympRdFfhUCAFOVPsG7 R4uGuSL/CybFWLVxgH/0/Vd1rlOg/BV5pV782UCYu/0L6yCrcZD/bT1C9z8baCA3yCgE2/dNazUp8 gzzMnbMI9Ze3aOwVP1lCNqtMjpKmTPgRX1CfPkU4KTcEqkhV1k15xPSjD+gizVL4MMdltpRtKHySg Lv2yMQbyjQzSTuygHvVTtAQj1yzLpXDhQk9PJeP4WTI9cA5Dd41lNoDtsT1qCZugt3yIhyaEmETjX ArZI9hR3u00rhqvnf/e2ak5U3WU2DsH093DRv8Z4Nw1nQUeRX/sMSh800JVHniHA/psTL+gFl7GGw /lXRbIKYg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kQThd-0007CS-D5; Thu, 08 Oct 2020 11:03:17 +0000 Received: from mail.kernel.org ([198.145.29.99]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kQTha-0007Aw-SX for linux-arm-kernel@lists.infradead.org; Thu, 08 Oct 2020 11:03:16 +0000 Received: from gaia (unknown [95.149.105.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C9362215A4; Thu, 8 Oct 2020 11:03:10 +0000 (UTC) Date: Thu, 8 Oct 2020 12:03:07 +0100 From: Catalin Marinas To: Michael Ellerman Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Message-ID: <20201008110307.GH7661@gaia> References: <20201007073932.865218-1-jannh@google.com> <20201007123544.GA11433@infradead.org> <87o8ld0zwt.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <87o8ld0zwt.fsf@mpe.ellerman.id.au> User-Agent: Mutt/1.10.1 (2018-07-13) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201008_070315_153221_BD6FE475 X-CRM114-Status: GOOD ( 18.38 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Dave Kleikamp , Will Deacon , Jann Horn , Benjamin Herrenschmidt , kernel list , Christoph Hellwig , Linux-MM , Khalid Aziz , Paul Mackerras , sparclinux@vger.kernel.org, Anthony Yznaga , Andrew Morton , linuxppc-dev@lists.ozlabs.org, "David S. Miller" , Linux ARM Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Oct 08, 2020 at 09:34:26PM +1100, Michael Ellerman wrote: > Jann Horn writes: > > So while the mprotect() case > > checks the flags and refuses unknown values, the mmap() code just lets > > the architecture figure out which bits are actually valid to set (via > > arch_calc_vm_prot_bits()) and silently ignores the rest? > > > > And powerpc apparently decided that they do want to error out on bogus > > prot values passed to their version of mmap(), and in exchange, assume > > in arch_calc_vm_prot_bits() that the protection bits are valid? > > I don't think we really decided that, it just happened by accident and > no one noticed/complained. > > Seems userspace is pretty well behaved when it comes to passing prot > values to mmap(). It's not necessarily about well behaved but whether it can have security implications. On arm64, if the underlying memory does not support MTE (say some DAX mmap) but we still allow PROT_MTE driven by user, it will lead to an SError which brings the whole machine down. Not sure whether ADI has similar requirements but at least for arm64 we addressed the mmap() case as well (see my other email on the details; I think the approach would work on SPARC as well). -- Catalin _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92045C4363A for ; Thu, 8 Oct 2020 11:03:17 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id EC05B2177B for ; Thu, 8 Oct 2020 11:03:16 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EC05B2177B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 21FEB6B005C; Thu, 8 Oct 2020 07:03:16 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 1CF5E6B005D; Thu, 8 Oct 2020 07:03:16 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0BFFE900002; Thu, 8 Oct 2020 07:03:16 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0249.hostedemail.com [216.40.44.249]) by kanga.kvack.org (Postfix) with ESMTP id D0AF46B005C for ; Thu, 8 Oct 2020 07:03:15 -0400 (EDT) Received: from smtpin14.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 5ADA6181AE866 for ; Thu, 8 Oct 2020 11:03:15 +0000 (UTC) X-FDA: 77348471550.14.mice53_391634d271d7 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin14.hostedemail.com (Postfix) with ESMTP id 252E218229835 for ; Thu, 8 Oct 2020 11:03:15 +0000 (UTC) X-HE-Tag: mice53_391634d271d7 X-Filterd-Recvd-Size: 2972 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf47.hostedemail.com (Postfix) with ESMTP for ; Thu, 8 Oct 2020 11:03:14 +0000 (UTC) Received: from gaia (unknown [95.149.105.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C9362215A4; Thu, 8 Oct 2020 11:03:10 +0000 (UTC) Date: Thu, 8 Oct 2020 12:03:07 +0100 From: Catalin Marinas To: Michael Ellerman Cc: Jann Horn , Christoph Hellwig , Benjamin Herrenschmidt , Paul Mackerras , linuxppc-dev@lists.ozlabs.org, "David S. Miller" , sparclinux@vger.kernel.org, Andrew Morton , Linux-MM , kernel list , Khalid Aziz , Anthony Yznaga , Will Deacon , Linux ARM , Dave Kleikamp Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Message-ID: <20201008110307.GH7661@gaia> References: <20201007073932.865218-1-jannh@google.com> <20201007123544.GA11433@infradead.org> <87o8ld0zwt.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87o8ld0zwt.fsf@mpe.ellerman.id.au> User-Agent: Mutt/1.10.1 (2018-07-13) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Oct 08, 2020 at 09:34:26PM +1100, Michael Ellerman wrote: > Jann Horn writes: > > So while the mprotect() case > > checks the flags and refuses unknown values, the mmap() code just lets > > the architecture figure out which bits are actually valid to set (via > > arch_calc_vm_prot_bits()) and silently ignores the rest? > > > > And powerpc apparently decided that they do want to error out on bogus > > prot values passed to their version of mmap(), and in exchange, assume > > in arch_calc_vm_prot_bits() that the protection bits are valid? > > I don't think we really decided that, it just happened by accident and > no one noticed/complained. > > Seems userspace is pretty well behaved when it comes to passing prot > values to mmap(). It's not necessarily about well behaved but whether it can have security implications. On arm64, if the underlying memory does not support MTE (say some DAX mmap) but we still allow PROT_MTE driven by user, it will lead to an SError which brings the whole machine down. Not sure whether ADI has similar requirements but at least for arm64 we addressed the mmap() case as well (see my other email on the details; I think the approach would work on SPARC as well). -- Catalin