From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9EFBBC197A0 for ; Thu, 16 Nov 2023 14:59:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=fr8dJZjsn3ZTA6CgkC19tr+htFAc1cpVfmEMQ8MzVEQ=; b=uSrmWJ9AJ+0uEN eA7diCvS6aXaXzA3QvWRhi4UWHdy6DgfVI1AMqxj/hzRH+XpvkvweHFe2PoyjTJy+QWbzJiT479H7 XIDMkBqhbGsZI0/IT2lI+F+lwu1RBmikJAtNgPXK7VWmQGvFsj5AYiEtL2y4z83OYTwkB+QU0oTf4 XfwlwwaO0JkeGGTCcQTFxbCduEPwjoTrIdfHrhyvG4khBbR6VEvKfJORFsxd1FYYyIYJNsn+eCLPA GtuIQF9DMo+Svv1tHb2bfzVzZqTfI34/Eq9mKiHhaYhdIhYVhnSEUeQj914H+hWvgvQOrK2HARVYU YIwk8HSOzavqs1t6gp3g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1r3dpm-003kSo-0t; Thu, 16 Nov 2023 14:59:10 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1r3dpj-003kRl-0v for linux-arm-kernel@lists.infradead.org; Thu, 16 Nov 2023 14:59:08 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 11B061595; Thu, 16 Nov 2023 06:59:48 -0800 (PST) Received: from FVFF77S0Q05N (unknown [10.119.36.191]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 518AE3F73F; Thu, 16 Nov 2023 06:59:01 -0800 (PST) Date: Thu, 16 Nov 2023 09:58:59 -0500 From: Mark Rutland To: Jinjie Ruan Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Catalin Marinas , Will Deacon , "Eric W. Biederman" , Sam Ravnborg , Stafford Horne , Arnd Bergmann , Dinh Nguyen Subject: Re: [PATCH] arm64: Fix 32-bit compatible userspace write size overflow error Message-ID: References: <20231116074706.3448008-1-ruanjinjie@huawei.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20231116074706.3448008-1-ruanjinjie@huawei.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20231116_065907_442249_8DC2EA31 X-CRM114-Status: GOOD ( 28.23 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Nov 16, 2023 at 03:47:05PM +0800, Jinjie Ruan wrote: > For 32-bit compatible userspace program, write with size = -1 return not > -1 but unexpected other values, which is due to the __access_ok() check is > not right. Can you please explain why you believe that is unexpected? e.g. Is that documented somewhere? Do you see a real application depending on that somewhow? > The specified "addr + size" is greater than 32-bit limit and > should return -EFAULT, but TASK_SIZE_MAX still defined as UL(1) << VA_BITS > in U32 mode, which is much greater than "addr + size" and cannot catch the > overflow error. The check against TASK_SIZE_MAX is not intended to catch 32-bit addr + size overflow; it's intended to check that uaccesses never touch kernel memory. The kernel's uaccess routines use 64-bit (or 65-bit) arithmetic, so these won't wrap and access memory at the start of the user address space. > Fix above error by checking 32-bit limit if it is 32-bit compatible > userspace program. > > How to reproduce: > > The test program is as below: > > cat test.c > #include > #include > #include > #include > #include > #include > > #define pinfo(fmt, args...) \ > fprintf(stderr, "[INFO][%s][%d][%s]:"fmt, \ > __FILE__,__LINE__,__func__,##args) > > #undef SIZE_MAX > #define SIZE_MAX -1 > > int main() > { > char wbuf[3] = { 'x', 'y', 'z' }; > char *path = "write.tmp"; > int ret; > > int fd = open(path, O_RDWR | O_CREAT); > if (fd<0) > { > pinfo("fd=%d\n", fd); > exit(-1); > } > > assert(write(fd, wbuf, 3) == 3); > > ret = write (fd, wbuf, SIZE_MAX); > pinfo("ret=%d\n", ret); > pinfo("size_max=%d\n",SIZE_MAX); > assert(ret==-1); > close(fd); > pinfo("INFO: end\n"); > > return 0; > } > > aarch64-linux-gnu-gcc --static test.c -o test > arm-linux-gnueabi-gcc --static test.c -o test32 > > Before applying this patch, userspace 32-bit program return 1112 if the > write size = -1 as below: > /root # ./test > [INFO][test.c][32][main]:ret=-1 > [INFO][test.c][33][main]:size_max=-1 > [INFO][test.c][36][main]:INFO: end > /root # ./test32 > [INFO][test.c][32][main]:ret=1112 > [INFO][test.c][33][main]:size_max=-1 > test32: test.c:34: main: Assertion `ret==-1' failed. > Aborted > > After applying this patch, userspace 32-bit program return -1 if the write > size = -1 as expected as below: > /root # ./test > [INFO][test.c][32][main]:ret=-1 > [INFO][test.c][33][main]:size_max=-1 > [INFO][test.c][36][main]:INFO: end > /root # ./test32 > [INFO][test.c][32][main]:ret=-1 > [INFO][test.c][33][main]:size_max=-1 > [INFO][test.c][36][main]:INFO: end > > Fixes: 967747bbc084 ("uaccess: remove CONFIG_SET_FS") As above, this is *not* a fix. This is the intended behaviour. AFAICT, the behaviour didn't change on arm64 in that commit either; we were unconditionally using TASK_SIZE_MAX many commits earlier, e.g. in commit: 3d2403fd10a1dbb3 ("arm64: uaccess: remove set_fs()") ... so the fixes tag is bogus on both fronts. > Signed-off-by: Jinjie Ruan > --- > arch/arm64/include/asm/processor.h | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h > index e5bc54522e71..6a087d58a90a 100644 > --- a/arch/arm64/include/asm/processor.h > +++ b/arch/arm64/include/asm/processor.h > @@ -52,7 +52,12 @@ > > #define DEFAULT_MAP_WINDOW_64 (UL(1) << VA_BITS_MIN) > #define TASK_SIZE_64 (UL(1) << vabits_actual) > +#ifdef CONFIG_COMPAT > +#define TASK_SIZE_MAX (test_thread_flag(TIF_32BIT) ? \ > + UL(0x100000000) : (UL(1) << VA_BITS)) > +#else > #define TASK_SIZE_MAX (UL(1) << VA_BITS) > +#endif This isn't even the same as on 32-bit. On 32-bit arm, the task size split can be 1G/3G, 2G/2G, or 3G/1G depending on configuration, and 4G/4G isn't currently an option. I don't believe that userspace is actually dependent upon this for functional reasons, and I don't believe that there's a security issue here. Even if access_ok() allows addr+size to go past 4G, the kernel address calculations are 64-bit and won't wrap. For all the reasons above, I don't beleive this is correct nor do I believe this is necesssary. Given that, NAK to this patch. Thanks, Mark. > > #ifdef CONFIG_COMPAT > #if defined(CONFIG_ARM64_64K_PAGES) && defined(CONFIG_KUSER_HELPERS) > -- > 2.34.1 > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel