Date: Sat, 18 Nov 2023 14:08:13 +0800
Subject: Re: [PATCH] arm64: Fix 32-bit compatible userspace write size overflow error
To: Mark Rutland
CC: Catalin Marinas, Will Deacon, "Eric W. Biederman", Sam Ravnborg, Stafford Horne, Arnd Bergmann, Dinh Nguyen
References: <20231116074706.3448008-1-ruanjinjie@huawei.com>
From: Jinjie Ruan

On 2023/11/16 22:58, Mark Rutland wrote:
> On Thu, Nov 16, 2023 at 03:47:05PM +0800, Jinjie Ruan wrote:
>> For 32-bit compatible userspace program, write with size = -1 return not
>> -1 but unexpected other values, which is due to the __access_ok() check is
>> not right.
>
> Can you please explain why you believe that is unexpected?
>
> e.g. Is that documented somewhere? Do you see a real application depending on
> that somehow?

I think access_ok() needs to ensure that the address is not out of bounds, which guarantees that address access should not exceed the 32-bit boundary.

>
>> The specified "addr + size" is greater than 32-bit limit and
>> should return -EFAULT, but TASK_SIZE_MAX still defined as UL(1) << VA_BITS
>> in U32 mode, which is much greater than "addr + size" and cannot catch the
>> overflow error.
>
> The check against TASK_SIZE_MAX is not intended to catch 32-bit addr + size
> overflow; it's intended to check that uaccesses never touch kernel memory. The
> kernel's uaccess routines use 64-bit (or 65-bit) arithmetic, so these won't
> wrap and access memory at the start of the user address space.

Thank you!
My understanding of TASK_SIZE_MAX is wrong. It seems that "MAX_RW_COUNT" is designed to catch the 32-bit addr + size overflow.

>
>> Fix above error by checking 32-bit limit if it is 32-bit compatible
>> userspace program.
>>
>> How to reproduce:
>>
>> The test program is as below:
>>
>> cat test.c
>> #include <assert.h>
>> #include <fcntl.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <unistd.h>
>>
>> #define pinfo(fmt, args...) \
>>     fprintf(stderr, "[INFO][%s][%d][%s]:"fmt, \
>>             __FILE__,__LINE__,__func__,##args)
>>
>> #undef SIZE_MAX
>> #define SIZE_MAX -1
>>
>> int main()
>> {
>>     char wbuf[3] = { 'x', 'y', 'z' };
>>     char *path = "write.tmp";
>>     int ret;
>>
>>     int fd = open(path, O_RDWR | O_CREAT, 0644);
>>     if (fd<0)
>>     {
>>         pinfo("fd=%d\n", fd);
>>         exit(-1);
>>     }
>>
>>     assert(write(fd, wbuf, 3) == 3);
>>
>>     ret = write (fd, wbuf, SIZE_MAX);
>>     pinfo("ret=%d\n", ret);
>>     pinfo("size_max=%d\n",SIZE_MAX);
>>     assert(ret==-1);
>>     close(fd);
>>     pinfo("INFO: end\n");
>>
>>     return 0;
>> }
>>
>> aarch64-linux-gnu-gcc --static test.c -o test
>> arm-linux-gnueabi-gcc --static test.c -o test32
>>
>> Before applying this patch, userspace 32-bit program return 1112 if the
>> write size = -1 as below:
>> /root # ./test
>> [INFO][test.c][32][main]:ret=-1
>> [INFO][test.c][33][main]:size_max=-1
>> [INFO][test.c][36][main]:INFO: end
>> /root # ./test32
>> [INFO][test.c][32][main]:ret=1112
>> [INFO][test.c][33][main]:size_max=-1
>> test32: test.c:34: main: Assertion `ret==-1' failed.
>> Aborted
>>
>> After applying this patch, userspace 32-bit program return -1 if the write
>> size = -1 as expected as below:
>> /root # ./test
>> [INFO][test.c][32][main]:ret=-1
>> [INFO][test.c][33][main]:size_max=-1
>> [INFO][test.c][36][main]:INFO: end
>> /root # ./test32
>> [INFO][test.c][32][main]:ret=-1
>> [INFO][test.c][33][main]:size_max=-1
>> [INFO][test.c][36][main]:INFO: end
>>
>> Fixes: 967747bbc084 ("uaccess: remove CONFIG_SET_FS")
>
> As above, this is *not* a fix. This is the intended behaviour.
>
> AFAICT, the behaviour didn't change on arm64 in that commit either; we were
> unconditionally using TASK_SIZE_MAX many commits earlier, e.g. in commit:
>
>   3d2403fd10a1dbb3 ("arm64: uaccess: remove set_fs()")
>
> ... so the fixes tag is bogus on both fronts.

Thank you!

>
>> Signed-off-by: Jinjie Ruan
>> ---
>> arch/arm64/include/asm/processor.h | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
>> index e5bc54522e71..6a087d58a90a 100644
>> --- a/arch/arm64/include/asm/processor.h
>> +++ b/arch/arm64/include/asm/processor.h
>> @@ -52,7 +52,12 @@
>>
>> #define DEFAULT_MAP_WINDOW_64 (UL(1) << VA_BITS_MIN)
>> #define TASK_SIZE_64 (UL(1) << vabits_actual)
>> +#ifdef CONFIG_COMPAT
>> +#define TASK_SIZE_MAX (test_thread_flag(TIF_32BIT) ? \
>> + UL(0x100000000) : (UL(1) << VA_BITS))
>> +#else
>> #define TASK_SIZE_MAX (UL(1) << VA_BITS)
>> +#endif
>
> This isn't even the same as on 32-bit. On 32-bit arm, the task size split can
> be 1G/3G, 2G/2G, or 3G/1G depending on configuration, and 4G/4G isn't currently
> an option.
>
> I don't believe that userspace is actually dependent upon this for functional
> reasons, and I don't believe that there's a security issue here. Even if
> access_ok() allows addr+size to go past 4G, the kernel address calculations are
> 64-bit and won't wrap.
>
> For all the reasons above, I don't believe this is correct nor do I believe
> this is necessary. Given that, NAK to this patch.
>
> Thanks,
> Mark.
>
>>
>> #ifdef CONFIG_COMPAT
>> #if defined(CONFIG_ARM64_64K_PAGES) && defined(CONFIG_KUSER_HELPERS)
>> --
>> 2.34.1
>>
>
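Review bot: In the CONFIG_COMPAT branch, TASK_SIZE_MAX stops being a constant and becomes a test_thread_flag(TIF_32BIT) expression, so every existing user of the macro now silently depends on the current thread's flags, and any use that needs a compile-time constant would no longer build. The 32-bit value is also a bare UL(0x100000000) with no comment saying why 4G is the right bound. If a per-task limit is really wanted, keep TASK_SIZE_MAX as the constant (UL(1) << VA_BITS) and put the TIF_32BIT test in a separately named, documented helper used only by the check that needs it.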
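The range check argued over in this thread, modelled in user space as an added example (not code from the kernel or from either poster). It assumes VA_BITS = 48, a constructed buffer address, and that a 32-bit task's (size_t)-1 reaches the check as 0xffffffff; `model_access_ok` and the other names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this model: 48-bit user virtual addresses (VA_BITS = 48). */
#define LIMIT_CURRENT   (UINT64_C(1) << 48)     /* UL(1) << VA_BITS */
#define LIMIT_PROPOSED  UINT64_C(0x100000000)   /* 32-bit value from the patch */

/* Constructed sample inputs, not taken from the thread. */
#define SAMPLE_BUF      UINT64_C(0xfffef3a8)    /* buffer on a 32-bit stack */
#define COMPAT_SIZE_M1  UINT64_C(0xffffffff)    /* (size_t)-1 in a 32-bit task */
#define NATIVE_SIZE_M1  UINT64_MAX              /* (size_t)-1 in a 64-bit task */

/* Range check written as "size <= limit && addr <= limit - size": addr + size
 * is never formed, so nothing can wrap, whatever the caller passes. */
static bool model_access_ok(uint64_t addr, uint64_t size, uint64_t limit)
{
    return size <= limit && addr <= limit - size;
}

/* End address as 32-bit arithmetic sees it: reduced modulo 2^32. */
static uint32_t end_addr_32(uint32_t addr, uint32_t size)
{
    return addr + size;
}

/* End address in 64-bit arithmetic: the carry into bit 32 is kept. */
static uint64_t end_addr_64(uint64_t addr, uint64_t size)
{
    return addr + size;
}

int main(void)
{
    printf("64-bit task, size=-1, current limit : %d\n",
           model_access_ok(SAMPLE_BUF, NATIVE_SIZE_M1, LIMIT_CURRENT));
    printf("32-bit task, size=-1, current limit : %d\n",
           model_access_ok(SAMPLE_BUF, COMPAT_SIZE_M1, LIMIT_CURRENT));
    printf("32-bit task, size=-1, proposed limit: %d\n",
           model_access_ok(SAMPLE_BUF, COMPAT_SIZE_M1, LIMIT_PROPOSED));
    printf("end address, 32-bit arithmetic: 0x%x\n",
           (unsigned)end_addr_32((uint32_t)SAMPLE_BUF, (uint32_t)COMPAT_SIZE_M1));
    printf("end address, 64-bit arithmetic: 0x%llx\n",
           (unsigned long long)end_addr_64(SAMPLE_BUF, COMPAT_SIZE_M1));
    return 0;
}
```

The three check results mirror the quoted runs: rejected for the 64-bit `./test`, accepted for `./test32` under the current limit, rejected under the patch's limit. The 64-bit end address stays far below the limit instead of wrapping to a low address.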