From: Dave Martin <Dave.Martin@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-arch@vger.kernel.org,
Okamoto Takayuki <tokamoto@jp.fujitsu.com>,
libc-alpha@sourceware.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
kvmarm@lists.cs.columbia.edu
Subject: [PATCH v5 03/30] arm64: signal: Verify extra data is user-readable in sys_rt_sigreturn
Date: Tue, 31 Oct 2017 15:50:55 +0000 [thread overview]
Message-ID: <1509465082-30427-4-git-send-email-Dave.Martin@arm.com> (raw)
In-Reply-To: <1509465082-30427-1-git-send-email-Dave.Martin@arm.com>
Currently sys_rt_sigreturn() verifies that the base sigframe is
readable, but no similar check is performed on the extra data to
which an extra_context record points.
This matters because the extra data will be read with the
unprotected user accessors. However, this is not a problem at
present because the extra data base address is required to be
exactly at the end of the base sigframe. So, there would need to
be a non-user-readable kernel address within about 59K
(SIGFRAME_MAXSZ - sizeof(struct rt_sigframe)) of some address for
which access_ok(VERIFY_READ) returns true, in order for sigreturn
to be able to read kernel memory that should be inaccessible to the
user task. This is currently impossible due to the untranslatable
address hole between the TTBR0 and TTBR1 address ranges.
Disappearance of the hole between the TTBR0 and TTBR1 mapping
ranges would require the VA size for TTBR0 and TTBR1 to grow to at
least 55 bits, and either the disabling of tagged pointers for
userspace or enabling of tagged pointers for kernel space; none of
which is currently envisaged.
Even so, it is wrong to use the unprotected user accessors without
an accompanying access_ok() check.
To avoid the potential for future surprises, this patch does an
explicit access_ok() check on the extra data space when parsing an
extra_context record.
Fixes: 33f082614c34 ("arm64: signal: Allow expansion of the signal frame")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
---
arch/arm64/kernel/signal.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 0bdc96c..4716729 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -343,6 +343,10 @@ static int parse_user_sigframe(struct user_ctxs *user,
*/
offset = 0;
limit = extra_size;
+
+ if (!access_ok(VERIFY_READ, base, limit))
+ goto invalid;
+
continue;
default:
--
2.1.4
WARNING: multiple messages have this Message-ID (diff)
From: Dave Martin <Dave.Martin@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: "Catalin Marinas" <catalin.marinas@arm.com>,
"Will Deacon" <will.deacon@arm.com>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Alex Bennée" <alex.bennee@linaro.org>,
"Szabolcs Nagy" <szabolcs.nagy@arm.com>,
"Okamoto Takayuki" <tokamoto@jp.fujitsu.com>,
kvmarm@lists.cs.columbia.edu, libc-alpha@sourceware.org,
linux-arch@vger.kernel.org
Subject: [PATCH v5 03/30] arm64: signal: Verify extra data is user-readable in sys_rt_sigreturn
Date: Tue, 31 Oct 2017 15:50:55 +0000 [thread overview]
Message-ID: <1509465082-30427-4-git-send-email-Dave.Martin@arm.com> (raw)
Message-ID: <20171031155055.gKDye_J1Nyb4QBs3MzRStqH7LgZsM-ex1X-RNk3bw28@z> (raw)
In-Reply-To: <1509465082-30427-1-git-send-email-Dave.Martin@arm.com>
Currently sys_rt_sigreturn() verifies that the base sigframe is
readable, but no similar check is performed on the extra data to
which an extra_context record points.
This matters because the extra data will be read with the
unprotected user accessors. However, this is not a problem at
present because the extra data base address is required to be
exactly at the end of the base sigframe. So, there would need to
be a non-user-readable kernel address within about 59K
(SIGFRAME_MAXSZ - sizeof(struct rt_sigframe)) of some address for
which access_ok(VERIFY_READ) returns true, in order for sigreturn
to be able to read kernel memory that should be inaccessible to the
user task. This is currently impossible due to the untranslatable
address hole between the TTBR0 and TTBR1 address ranges.
Disappearance of the hole between the TTBR0 and TTBR1 mapping
ranges would require the VA size for TTBR0 and TTBR1 to grow to at
least 55 bits, and either the disabling of tagged pointers for
userspace or enabling of tagged pointers for kernel space; none of
which is currently envisaged.
Even so, it is wrong to use the unprotected user accessors without
an accompanying access_ok() check.
To avoid the potential for future surprises, this patch does an
explicit access_ok() check on the extra data space when parsing an
extra_context record.
Fixes: 33f082614c34 ("arm64: signal: Allow expansion of the signal frame")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
---
arch/arm64/kernel/signal.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 0bdc96c..4716729 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -343,6 +343,10 @@ static int parse_user_sigframe(struct user_ctxs *user,
*/
offset = 0;
limit = extra_size;
+
+ if (!access_ok(VERIFY_READ, base, limit))
+ goto invalid;
+
continue;
default:
--
2.1.4
next prev parent reply other threads:[~2017-10-31 15:50 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-31 15:50 [PATCH v5 00/30] ARM Scalable Vector Extension (SVE) Dave Martin
2017-10-31 15:50 ` Dave Martin
2017-10-31 15:50 ` [PATCH v5 01/30] regset: Add support for dynamically sized regsets Dave Martin
2017-11-01 11:42 ` Catalin Marinas
2017-11-01 13:16 ` Dave Martin
2017-11-01 13:16 ` Dave Martin
2017-11-08 11:50 ` Alex Bennée
2017-11-08 11:50 ` Alex Bennée
2017-10-31 15:50 ` [PATCH v5 02/30] arm64: fpsimd: Correctly annotate exception helpers called from asm Dave Martin
2017-10-31 15:50 ` Dave Martin
2017-11-01 11:42 ` Catalin Marinas
2017-10-31 15:50 ` Dave Martin [this message]
2017-10-31 15:50 ` [PATCH v5 03/30] arm64: signal: Verify extra data is user-readable in sys_rt_sigreturn Dave Martin
2017-11-01 11:43 ` Catalin Marinas
2017-10-31 15:50 ` [PATCH v5 04/30] arm64: KVM: Hide unsupported AArch64 CPU features from guests Dave Martin
2017-11-01 4:47 ` Christoffer Dall
2017-11-01 10:26 ` Dave Martin
2017-11-02 8:15 ` Christoffer Dall
2017-11-02 9:20 ` Dave Martin
2017-11-02 11:01 ` Dave Martin
2017-11-02 19:18 ` Christoffer Dall
2017-10-31 15:50 ` [PATCH v5 05/30] arm64: efi: Add missing Kconfig dependency on KERNEL_MODE_NEON Dave Martin
2017-10-31 15:50 ` Dave Martin
2017-10-31 15:50 ` [PATCH v5 06/30] arm64: Port deprecated instruction emulation to new sysctl interface Dave Martin
2017-10-31 15:50 ` [PATCH v5 07/30] arm64: fpsimd: Simplify uses of {set,clear}_ti_thread_flag() Dave Martin
2017-10-31 15:51 ` [PATCH v5 08/30] arm64/sve: System register and exception syndrome definitions Dave Martin
2017-10-31 15:51 ` [PATCH v5 09/30] arm64/sve: Low-level SVE architectural state manipulation functions Dave Martin
2017-10-31 15:51 ` [PATCH v5 10/30] arm64/sve: Kconfig update and conditional compilation support Dave Martin
2017-10-31 15:51 ` [PATCH v5 11/30] arm64/sve: Signal frame and context structure definition Dave Martin
2017-11-08 16:34 ` Alex Bennée
2017-11-08 16:34 ` Alex Bennée
2017-10-31 15:51 ` [PATCH v5 12/30] arm64/sve: Low-level CPU setup Dave Martin
2017-11-08 16:37 ` Alex Bennée
2017-11-08 16:37 ` Alex Bennée
2017-10-31 15:51 ` [PATCH v5 13/30] arm64/sve: Core task context handling Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-11-09 17:16 ` Alex Bennée
2017-11-09 17:16 ` Alex Bennée
2017-11-09 17:56 ` Dave Martin
2017-11-09 18:06 ` Alex Bennée
2017-11-09 18:06 ` Alex Bennée
2017-10-31 15:51 ` [PATCH v5 14/30] arm64/sve: Support vector length resetting for new processes Dave Martin
2017-10-31 15:51 ` [PATCH v5 15/30] arm64/sve: Signal handling support Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-11-01 14:33 ` Catalin Marinas
2017-11-07 13:22 ` Alex Bennée
2017-11-07 13:22 ` Alex Bennée
2017-11-08 16:11 ` Dave Martin
2017-12-06 19:56 ` Kees Cook
2017-12-07 10:49 ` Will Deacon
2017-12-07 12:03 ` Dave Martin
2017-12-07 18:50 ` Kees Cook
2017-12-11 14:07 ` Will Deacon
2017-12-11 19:23 ` Kees Cook
2017-12-12 10:40 ` Will Deacon
2017-12-12 11:11 ` Dave Martin
2017-12-12 19:36 ` Kees Cook
2017-12-12 19:36 ` Kees Cook
2017-10-31 15:51 ` [PATCH v5 16/30] arm64/sve: Backend logic for setting the vector length Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-11-10 10:27 ` Alex Bennée
2017-11-10 10:27 ` Alex Bennée
2017-10-31 15:51 ` [PATCH v5 17/30] arm64: cpufeature: Move sys_caps_initialised declarations Dave Martin
2017-10-31 15:51 ` [PATCH v5 18/30] arm64/sve: Probe SVE capabilities and usable vector lengths Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-10-31 15:51 ` [PATCH v5 19/30] arm64/sve: Preserve SVE registers around kernel-mode NEON use Dave Martin
2017-10-31 15:51 ` [PATCH v5 20/30] arm64/sve: Preserve SVE registers around EFI runtime service calls Dave Martin
2017-10-31 15:51 ` [PATCH v5 21/30] arm64/sve: ptrace and ELF coredump support Dave Martin
2017-10-31 15:51 ` [PATCH v5 22/30] arm64/sve: Add prctl controls for userspace vector length management Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-10-31 15:51 ` [PATCH v5 23/30] arm64/sve: Add sysctl to set the default vector length for new processes Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-10-31 15:51 ` [PATCH v5 24/30] arm64/sve: KVM: Prevent guests from using SVE Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-10-31 15:51 ` [PATCH v5 25/30] arm64/sve: KVM: Treat guest SVE use as undefined instruction execution Dave Martin
2017-10-31 15:51 ` [PATCH v5 26/30] arm64/sve: KVM: Hide SVE from CPU features exposed to guests Dave Martin
2017-10-31 15:51 ` [PATCH v5 27/30] arm64/sve: Detect SVE and activate runtime support Dave Martin
2017-10-31 15:51 ` Dave Martin
[not found] ` <1509465082-30427-1-git-send-email-Dave.Martin-5wv7dgnIgG8@public.gmane.org>
2017-10-31 15:51 ` [PATCH v5 28/30] arm64/sve: Add documentation Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-11-02 16:32 ` [PATCH v5 00/30] ARM Scalable Vector Extension (SVE) Will Deacon
2017-11-02 16:32 ` Will Deacon
[not found] ` <20171102163248.GB595-5wv7dgnIgG8@public.gmane.org>
2017-11-02 17:04 ` Dave P Martin
2017-11-02 17:04 ` Dave P Martin
2017-10-31 15:51 ` [RFC PATCH v5 29/30] arm64: signal: Report signal frame size to userspace via auxv Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-10-31 15:51 ` [RFC PATCH v5 30/30] arm64/sve: signal: Include SVE when computing AT_MINSIGSTKSZ Dave Martin
2017-10-31 15:51 ` Dave Martin
2017-11-29 15:04 ` [PATCH v5 00/30] ARM Scalable Vector Extension (SVE) Alex Bennée
2017-11-29 15:04 ` Alex Bennée
[not found] ` <877eu9dt3n.fsf-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2017-11-29 15:21 ` Will Deacon
2017-11-29 15:21 ` Will Deacon
[not found] ` <20171129152140.GD10650-5wv7dgnIgG8@public.gmane.org>
2017-11-29 15:37 ` Dave Martin
2017-11-29 15:37 ` Dave Martin
2018-01-08 14:49 ` Yury Norov
2018-01-08 14:49 ` Yury Norov
2018-01-09 16:51 ` Yury Norov
2018-01-09 16:51 ` Yury Norov
2018-01-15 17:22 ` Dave Martin
2018-01-15 17:22 ` Dave Martin
[not found] ` <20180115172201.GW22781-M5GwZQ6tE7x5pKCnmE3YQBJ8xKzm50AiAL8bYrjMMd8@public.gmane.org>
2018-01-16 10:11 ` Yury Norov
2018-01-16 10:11 ` Yury Norov
2018-01-16 16:05 ` Dave Martin
2018-01-16 16:05 ` Dave Martin
2018-01-15 16:55 ` Dave Martin
2018-01-15 16:55 ` Dave Martin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1509465082-30427-4-git-send-email-Dave.Martin@arm.com \
--to=dave.martin@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=libc-alpha@sourceware.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=szabolcs.nagy@arm.com \
--cc=tokamoto@jp.fujitsu.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).