From: Peter Zijlstra
To: David Malcolm
Cc: gcc-patches@gcc.gnu.org, linux-toolchains@vger.kernel.org
Subject: Re: [PATCH 0/6] RFC: adding support to GCC for detecting trust boundaries
Date: Sun, 14 Nov 2021 00:20:47 +0100
Message-ID: <20211113232047.GM174703@worktop.programming.kicks-ass.net>
In-Reply-To: <20211113203732.2098220-1-dmalcolm@redhat.com>
List-ID: linux-toolchains@vger.kernel.org

On Sat, Nov 13, 2021 at 03:37:24PM -0500, David Malcolm wrote:

> This approach is much less expressive than the custom address space
> approach; it would only cover the trust boundary aspect; it wouldn't
> cover any differences between generic pointers and __user, vs __iomem,
> __percpu, and __rcu which I admit I only dimly understand.

__iomem would point at device memory, which can have curious side effects
or is yet another trust boundary, depending on device and usage.

__percpu is an address space that denotes a per-cpu variable's relative
offset; it needs to be combined with a per-cpu offset to get a 'real'
pointer. On x86_64 the %gs segment offset is used for this purpose; other
architectures are less fortunate. The whole per_cpu()/this_cpu_*() family
of APIs accepts such pointers.

__rcu is the regular kernel address space, but denotes that the object
pointed to has RCU lifetime management. The attribute is laundered through
rcu_dereference() to remove the __rcu qualifier.

> Possibly silly question: is it always a bug for the value of a kernel
> pointer to leak into user space? i.e. should I be complaining about an
> infoleak if the value of a trusted_ptr itself is written to
> *untrusted_ptr? e.g.

Yes, always. Leaking kernel pointers is unconditionally bad.
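As an added illustration of the __percpu point above (a constructed user-space model, not kernel code and not part of this thread): a __percpu pointer carries only a relative offset, and per_cpu_ptr() must add the CPU's base offset before anything can be dereferenced. The names per_cpu_offset, percpu_area, PCPU_COUNTER_OFF and PCPU_FLAG_OFF are assumptions of the model.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of a __percpu pointer: the value is a
 * relative offset into the per-cpu section, not an address, and only
 * becomes dereferenceable once combined with a CPU's base offset (the
 * role %gs plays on x86_64).  This is illustration, not kernel code. */
#define NR_CPUS      4
#define PERCPU_WORDS 8                          /* per-cpu section size, in u64 words */

static uint64_t  percpu_area[NR_CPUS][PERCPU_WORDS]; /* one section copy per CPU */
static uintptr_t per_cpu_offset[NR_CPUS];            /* models __per_cpu_offset[] */

/* Fixed byte offsets of variables inside the per-cpu section (assumed layout). */
enum { PCPU_COUNTER_OFF = 0, PCPU_FLAG_OFF = 8 };

typedef uintptr_t percpu_ptr_t;  /* what a "T __percpu *" really carries */

static void percpu_init(void)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        memset(percpu_area[cpu], 0, sizeof(percpu_area[cpu]));
        per_cpu_offset[cpu] = (uintptr_t)percpu_area[cpu];
    }
}

/* Models per_cpu_ptr(): base + relative offset yields a real pointer.
 * Dereferencing the offset itself is what the __percpu annotation exists
 * to catch: on a real kernel it would be a wild access near address 0. */
static void *per_cpu_ptr(percpu_ptr_t off, int cpu)
{
    assert(cpu >= 0 && cpu < NR_CPUS);
    assert(off + sizeof(uint64_t) <= sizeof(percpu_area[cpu]));
    return (void *)(per_cpu_offset[cpu] + off);
}

/* Models this_cpu_inc() and a per_cpu() read on a u64 counter. */
static void this_cpu_inc(percpu_ptr_t off, int cpu)
{
    (*(uint64_t *)per_cpu_ptr(off, cpu))++;
}

static uint64_t per_cpu_read(percpu_ptr_t off, int cpu)
{
    return *(uint64_t *)per_cpu_ptr(off, cpu);
}
```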