From: Kees Cook <keescook@chromium.org>
To: Yu Zhao <yuzhao@google.com>
Cc: Matthew Wilcox <willy@infradead.org>,
	dev@der-flo.net, Andrew Morton <akpm@linux-foundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Josh Poimboeuf <jpoimboe@kernel.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	the arch/x86 maintainers <x86@kernel.org>,
	stable <stable@vger.kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
	"H. Peter Anvin" <hpa@zytor.com>, Arnd Bergmann <arnd@arndb.de>,
	Al Viro <viro@zeniv.linux.org.uk>,
	linux-kernel <linux-kernel@vger.kernel.org>,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi()
Date: Tue, 20 Sep 2022 15:30:05 -0700
Message-ID: <202209201529.D90CDD898@keescook>
In-Reply-To: <CAOUHufZpan+wVO7tHgMOkX--0JGhv-mqj2Y+QQKRB4GAGSR18w@mail.gmail.com>

On Tue, Sep 20, 2022 at 04:23:00PM -0600, Yu Zhao wrote:
> On Mon, Sep 19, 2022 at 2:16 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > The check_object_size() helper under CONFIG_HARDENED_USERCOPY is
> > designed to skip any checks where the length is known at compile time as
> > a reasonable heuristic to avoid "likely known-good" cases. However, it can
> > only do this when the copy_*_user() helpers are, themselves, inline too.
> >
> > Using find_vmap_area() requires taking a spinlock. The check_object_size()
> > helper can call find_vmap_area() when the destination is in vmap memory.
> > If show_regs() is called in interrupt context, it will attempt a call to
> > copy_from_user_nmi(), which may call check_object_size() and then
> > find_vmap_area(). If something in normal context happens to be in the
> > middle of calling find_vmap_area() (with the spinlock held), the interrupt
> > handler will hang forever.
> >
> > The copy_from_user_nmi() call is actually being called with a fixed-size
> > length, so check_object_size() should never have been called in
> > the first place. Given the narrow constraints, just replace the
> > __copy_from_user_inatomic() call with an open-coded version that calls
> > only into the sanitizers and not check_object_size(), followed by a call
> > to raw_copy_from_user().
> >
> > Reported-by: Yu Zhao <yuzhao@google.com>
> > Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
> > Reported-by: dev@der-flo.net
> > Suggested-by: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Matthew Wilcox <willy@infradead.org>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > Cc: x86@kernel.org
> > Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: drop the call explicitly instead of using inline to do it
> > v1: https://lore.kernel.org/lkml/20220916135953.1320601-1-keescook@chromium.org
> > ---
> >  arch/x86/lib/usercopy.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
> > index ad0139d25401..d2aff9b176cf 100644
> > --- a/arch/x86/lib/usercopy.c
> > +++ b/arch/x86/lib/usercopy.c
> > @@ -44,7 +44,8 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
> >          * called from other contexts.
> >          */
> >         pagefault_disable();
> > -       ret = __copy_from_user_inatomic(to, from, n);
> > +       instrument_copy_from_user(to, from, n);
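Review bot: the `+       instrument_copy_from_user(to, from, n);` line depends on a declaration that this hunk does not add, and the build failure quoted below shows the compiler already sees ./include/linux/instrumented.h in this translation unit (it points at instrument_copy_to_user() declared there at line 117), so simply adding `#include <linux/instrumented.h>` to arch/x86/lib/usercopy.c would not by itself resolve an undeclared instrument_copy_from_user() in that tree; confirm which from-user instrumentation helper the target tree (mm-unstable here) actually exports before resending. Also, the quoted hunk stops at the instrument_copy_from_user() line, so the raw_copy_from_user() call and the `ret` assignment that the commit message describes are not visible here and cannot be reviewed from this excerpt.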
> 
> Got a build error on top of mm-unstable:
> 
> arch/x86/lib/usercopy.c:47:2: error: call to undeclared function
> 'instrument_copy_from_user'; ISO C99 and later do not support implicit
> function declarations [-Wimplicit-function-declaration]
>         instrument_copy_from_user(to, from, n);
>         ^
> arch/x86/lib/usercopy.c:47:2: note: did you mean 'instrument_copy_to_user'?
> ./include/linux/instrumented.h:117:1: note: 'instrument_copy_to_user'
> declared here
> instrument_copy_to_user(void __user *to, const void *from, unsigned long n)
> ^
> 1 error generated.

Hm, I did test builds of this before sending. I wonder why this passed
for me. I suppose this is needed explicitly in arch/x86/lib/usercopy.c:

#include <linux/instrumented.h>

?

-- 
Kees Cook
