From: Will Deacon <will@kernel.org>
To: Gax-c <zichenxie0106@gmail.com>
Cc: catalin.marinas@arm.com, robin.murphy@arm.com,
mark.rutland@arm.com, linux-arm-kernel@lists.infradead.org,
chenyuan0y@gmail.com, zzjas98@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH] arm64: uaccess: Restrict user access to kernel memory in __copy_user_flushcache()
Date: Mon, 18 Nov 2024 11:56:55 +0000 [thread overview]
Message-ID: <20241118115654.GA27696@willie-the-truck> (raw)
In-Reply-To: <20241115205206.17678-1-zichenxie0106@gmail.com>
On Fri, Nov 15, 2024 at 02:52:07PM -0600, Gax-c wrote:
> From: Zichen Xie <zichenxie0106@gmail.com>
>
> raw_copy_from_user() do not call access_ok(), so this code allowed
> userspace to access any virtual memory address. Change it to
> copy_from_user().
How can you access *any* virtual memory address, given that we force the
address to map userspace via __uaccess_mask_ptr()?
> Fixes: 9e94fdade4d8 ("arm64: uaccess: simplify __copy_user_flushcache()")
I don't think that commit changed the semantics of the code, so if it's
broken then I think it was broken before that change as well.
> Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
> Cc: stable@vger.kernel.org
> ---
> arch/arm64/lib/uaccess_flushcache.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm64/lib/uaccess_flushcache.c b/arch/arm64/lib/uaccess_flushcache.c
> index 7510d1a23124..fb138a3934db 100644
> --- a/arch/arm64/lib/uaccess_flushcache.c
> +++ b/arch/arm64/lib/uaccess_flushcache.c
> @@ -24,7 +24,7 @@ unsigned long __copy_user_flushcache(void *to, const void __user *from,
> {
> unsigned long rc;
>
> - rc = raw_copy_from_user(to, from, n);
> + rc = copy_from_user(to, from, n);
Does anybody actually call this with an unchecked user address?
From a quick look, there are two callers of _copy_from_iter_flushcache():
1. pmem_recovery_write() - looks like it's using a kernel address?
2. dax_copy_from_iter() - has a comment saying the address was already
checked in vfs_write().
What am I missing? It also looks like x86 elides the check.
Will
next prev parent reply other threads:[~2024-11-18 11:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 20:52 [PATCH] arm64: uaccess: Restrict user access to kernel memory in __copy_user_flushcache() Gax-c
2024-11-18 11:56 ` Will Deacon [this message]
2024-11-18 13:07 ` Mark Rutland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241118115654.GA27696@willie-the-truck \
--to=will@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=chenyuan0y@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=zichenxie0106@gmail.com \
--cc=zzjas98@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox