From: Catalin Marinas <catalin.marinas@arm.com>
To: Kevin Brodsky <kevin.brodsky@arm.com>
Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org,
anshuman.khandual@arm.com, aruna.ramakrishna@oracle.com,
broonie@kernel.org, dave.hansen@linux.intel.com,
dave.martin@arm.com, jeffxu@chromium.org, joey.gouly@arm.com,
pierre.langlois@arm.com, shuah@kernel.org, sroettger@google.com,
will@kernel.org, linux-kselftest@vger.kernel.org, x86@kernel.org
Subject: Re: [PATCH v2 3/5] arm64: signal: Improve POR_EL0 handling to avoid uaccess failures
Date: Thu, 24 Oct 2024 11:59:46 +0100 [thread overview]
Message-ID: <ZxoooqtuqTK5CAMR@arm.com> (raw)
In-Reply-To: <20241023150511.3923558-4-kevin.brodsky@arm.com>
On Wed, Oct 23, 2024 at 04:05:09PM +0100, Kevin Brodsky wrote:
> diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
> index f5fb48dabebe..d2e4e50977ae 100644
> --- a/arch/arm64/kernel/signal.c
> +++ b/arch/arm64/kernel/signal.c
> @@ -66,9 +66,63 @@ struct rt_sigframe_user_layout {
> unsigned long end_offset;
> };
>
> +/*
> + * Holds any EL0-controlled state that influences unprivileged memory accesses.
> + * This includes both accesses done in userspace and uaccess done in the kernel.
> + *
> + * This state needs to be carefully managed to ensure that it doesn't cause
> + * uaccess to fail when setting up the signal frame, and the signal handler
> + * itself also expects a well-defined state when entered.
> + */
> +struct user_access_state {
> + u64 por_el0;
> +};
> +
> #define TERMINATOR_SIZE round_up(sizeof(struct _aarch64_ctx), 16)
> #define EXTRA_CONTEXT_SIZE round_up(sizeof(struct extra_context), 16)
>
> +/*
> + * Save the unpriv access state into ua_state and reset it to disable any
> + * restrictions.
> + */
> +static void save_reset_user_access_state(struct user_access_state *ua_state)
> +{
> + if (system_supports_poe()) {
> + /*
> + * Enable all permissions in all 8 keys
> + * (inspired by REPEAT_BYTE())
> + */
> + u64 por_enable_all = (~0u / POE_MASK) * POE_RXW;
I think this should be ~0ul.
> @@ -907,6 +964,7 @@ SYSCALL_DEFINE0(rt_sigreturn)
> {
> struct pt_regs *regs = current_pt_regs();
> struct rt_sigframe __user *frame;
> + struct user_access_state ua_state;
>
> /* Always make any pending restarted system calls return -EINTR */
> current->restart_block.fn = do_no_restart_syscall;
> @@ -923,12 +981,14 @@ SYSCALL_DEFINE0(rt_sigreturn)
> if (!access_ok(frame, sizeof (*frame)))
> goto badframe;
>
> - if (restore_sigframe(regs, frame))
> + if (restore_sigframe(regs, frame, &ua_state))
> goto badframe;
>
> if (restore_altstack(&frame->uc.uc_stack))
> goto badframe;
>
> + restore_user_access_state(&ua_state);
> +
> return regs->regs[0];
>
> badframe:
The saving part I'm fine with. For restoring, I was wondering whether we
can get a more privileged POR_EL0 if reading the frame somehow failed.
This is largely theoretical, there are other ways to attack like
writing POR_EL0 directly than unmapping/remapping the signal stack.
What I'd change here is always restore_user_access_state() to
POR_EL0_INIT. Maybe just initialise ua_state above and add the function
call after the badframe label.
Either way:
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
next prev parent reply other threads:[~2024-10-24 11:09 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-23 15:05 [PATCH v2 0/5] Improve arm64 pkeys handling in signal delivery Kevin Brodsky
2024-10-23 15:05 ` [PATCH v2 1/5] arm64: signal: Remove unused macro Kevin Brodsky
2024-10-23 15:05 ` [PATCH v2 2/5] arm64: signal: Remove unnecessary check when saving POE state Kevin Brodsky
2024-10-23 15:05 ` [PATCH v2 3/5] arm64: signal: Improve POR_EL0 handling to avoid uaccess failures Kevin Brodsky
2024-10-24 10:59 ` Catalin Marinas [this message]
2024-10-24 14:55 ` Kevin Brodsky
2024-10-24 15:42 ` Catalin Marinas
2024-10-24 16:19 ` Dave Martin
2024-10-25 8:24 ` Kevin Brodsky
2024-10-25 11:04 ` Dave Martin
2024-10-25 11:33 ` Dave Martin
2024-10-25 15:34 ` Kevin Brodsky
2024-11-18 15:06 ` Dave Martin
2024-10-23 15:05 ` [PATCH v2 4/5] selftests/mm: Use generic pkey register manipulation Kevin Brodsky
2024-10-23 16:51 ` Dave Hansen
2024-10-25 8:31 ` Kevin Brodsky
2024-10-25 15:09 ` Dave Hansen
2024-10-28 10:20 ` Kevin Brodsky
2024-10-23 15:05 ` [PATCH v2 5/5] selftests/mm: Enable pkey_sighandler_tests on arm64 Kevin Brodsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZxoooqtuqTK5CAMR@arm.com \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=aruna.ramakrishna@oracle.com \
--cc=broonie@kernel.org \
--cc=dave.hansen@linux.intel.com \
--cc=dave.martin@arm.com \
--cc=jeffxu@chromium.org \
--cc=joey.gouly@arm.com \
--cc=kevin.brodsky@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=pierre.langlois@arm.com \
--cc=shuah@kernel.org \
--cc=sroettger@google.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).