From: Ingo Molnar <mingo@kernel.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Borislav Petkov <bp@alien8.de>
Subject: Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()
Date: Sun, 29 Mar 2020 11:26:02 +0200 [thread overview]
Message-ID: <20200329092602.GB93574@gmail.com> (raw)
In-Reply-To: <20200328115936.GA23230@ZenIV.linux.org.uk>
* Al Viro <viro@zeniv.linux.org.uk> wrote:
> > but the __get_user() API doesn't carry the 'unsafe' tag yet.
> >
> > Should we add an __unsafe_get_user() alias to it perhaps, and use it
> > in all code that adds it, like the chunk above? Or rename it to
> > __unsafe_get_user() outright? No change to the logic, but it would be
> > more obvious what code has inherited old __get_user() uses and which
> > code uses __unsafe_get_user() intentionally.
> >
> > Even after your series there's 700 uses of __get_user(), so it would
> > make sense to make a distinction in name at least and tag all unsafe
> > APIs with an 'unsafe_' prefix.
>
> "unsafe" != "lacks access_ok", it's "done under user_access_begin".
Well, I thought the principle was that we'd mark generic APIs that had
*either* a missing access_ok() check or a missing
user_access_begin()/end() wrapping marked unsafe_*(), right?
__get_user() has __uaccess_begin()/end() on the inside, but doesn't have
the access_ok() check, so those calls are 'unsafe' with regard to not
being safe to untrusted (ptr,size) ranges.
I agree that all of these topics need equal attention:
- leaking of cleared SMAP state (CLAC), which results in a silent
failure.
- running user accesses without STAC, which results in a crash.
- not doing an access_ok() check on untrusted (pointer,size) ranges,
which results in a silent failure as well.
I just think that any API that doesn't guarantee all of these are handled
right probably needs to be unsafe_*() tagged.
> FWIW, with the currently linearized part I see 26 users in arch/x86 and
> 108 - outside of arch/*. With 43 of the latter supplied by the sodding
> comedi_compat32.c, which needs to be rewritten anyway (or git rm'ed,
> for that matter)...
>
> We'll get there; the tricky part is the ones that come in pair with
> something other than access_ok() in the first place (many of those are
> KVM-related, but not all such are).
>
> This part had been more about untangling uaccess_try stuff,,,
It's much appreciated! In my previous mail I just wanted to inquire about
the long term plan, whether we are going to get rid of all uses of
__get_user() - to which the answer appears to be "yes". :-)
Thanks,
Ingo
next prev parent reply other threads:[~2020-03-29 9:26 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-23 18:36 [RFC][PATCHSET] x86 uaccess cleanups Al Viro
2020-03-23 18:37 ` [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user() Al Viro
2020-03-23 18:37 ` [RFC][PATCH 02/22] x86 kvm page table walks: " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 03/22] x86: switch sigframe sigset handling to explict __get_user()/__put_user() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 04/22] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 05/22] vm86: get rid of get_user_ex() use Al Viro
2020-03-23 18:38 ` [RFC][PATCH 06/22] x86: get rid of get_user_ex() in ia32_restore_sigcontext() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 07/22] x86: get rid of get_user_ex() in restore_sigcontext() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 08/22] x86: kill get_user_{try,catch,ex} Al Viro
2020-03-23 18:38 ` [RFC][PATCH 09/22] x86: switch save_v86_state() to unsafe_put_user() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 10/22] x86: switch setup_sigcontext() " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 11/22] x86: switch ia32_setup_sigcontext() " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 12/22] x86: get rid of put_user_try in {ia32,x32}_setup_rt_frame() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 13/22] x86: ia32_setup_sigcontext(): lift user_access_{begin,end}() into the callers Al Viro
2020-03-23 18:53 ` Linus Torvalds
2020-03-23 21:42 ` Al Viro
2020-03-23 18:38 ` [RFC][PATCH 14/22] x86: ia32_setup_frame(): consolidate uaccess areas Al Viro
2020-03-23 18:38 ` [RFC][PATCH 15/22] x86: ia32_setup_rt_frame(): " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 16/22] x86: get rid of put_user_try in __setup_rt_frame() (both 32bit and 64bit) Al Viro
2020-03-23 18:38 ` [RFC][PATCH 17/22] x86: setup_sigcontext(): list user_access_{begin,end}() into callers Al Viro
2020-03-23 18:56 ` Linus Torvalds
2020-03-23 18:38 ` [RFC][PATCH 18/22] x86: __setup_frame(): consolidate uaccess areas Al Viro
2020-03-23 18:38 ` [RFC][PATCH 19/22] x86: __setup_rt_frame(): " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 20/22] x86: x32_setup_rt_frame(): " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 21/22] x86: unsafe_put_... macros for sigcontext and sigmask Al Viro
2020-03-23 18:38 ` [RFC][PATCH 22/22] kill uaccess_try() Al Viro
2020-03-24 15:15 ` [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user() Peter Zijlstra
2020-03-28 10:48 ` Ingo Molnar
2020-03-28 11:59 ` Al Viro
2020-03-29 9:26 ` Ingo Molnar [this message]
2020-03-29 16:50 ` Andy Lutomirski
2020-03-29 17:05 ` Linus Torvalds
2020-03-29 17:41 ` David Laight
2020-03-29 17:56 ` Linus Torvalds
2020-03-29 18:03 ` David Laight
2020-03-29 18:16 ` Linus Torvalds
2020-03-29 18:32 ` David Laight
2020-03-29 18:55 ` Linus Torvalds
2020-03-29 21:21 ` Andy Lutomirski
2020-03-29 22:06 ` Linus Torvalds
2020-03-29 22:12 ` Linus Torvalds
2020-03-29 18:16 ` Al Viro
2020-03-29 18:19 ` Linus Torvalds
2020-03-29 17:57 ` Al Viro
2020-03-30 15:54 ` David Laight
2020-03-23 19:16 ` [RFC][PATCHSET] x86 uaccess cleanups Linus Torvalds
2020-03-27 2:24 ` [RFC][PATCHSET v2] " Al Viro
2020-03-27 2:26 ` Al Viro
2020-03-27 2:30 ` Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 01/22] x86 user stack frame reads: switch to explicit __get_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 02/22] x86 kvm page table walks: " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 03/22] x86: switch sigframe sigset handling to explict __get_user()/__put_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 04/22] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 05/22] vm86: get rid of get_user_ex() use Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 06/22] x86: get rid of get_user_ex() in ia32_restore_sigcontext() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 07/22] x86: get rid of get_user_ex() in restore_sigcontext() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 08/22] x86: kill get_user_{try,catch,ex} Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 09/22] x86: switch save_v86_state() to unsafe_put_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 10/22] x86: switch setup_sigcontext() " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 11/22] x86: switch ia32_setup_sigcontext() " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 12/22] x86: get rid of put_user_try in {ia32,x32}_setup_rt_frame() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 13/22] x86: ia32_setup_sigcontext(): lift user_access_{begin,end}() into the callers Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 14/22] x86: ia32_setup_frame(): consolidate uaccess areas Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 15/22] x86: ia32_setup_rt_frame(): " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 16/22] x86: get rid of put_user_try in __setup_rt_frame() (both 32bit and 64bit) Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 17/22] x86: setup_sigcontext(): list user_access_{begin,end}() into callers Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 18/22] x86: __setup_frame(): consolidate uaccess areas Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 19/22] x86: __setup_rt_frame(): " Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 20/22] x86: x32_setup_rt_frame(): " Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 21/22] x86: unsafe_put-style macro for sigmask Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 22/22] kill uaccess_try() Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200329092602.GB93574@gmail.com \
--to=mingo@kernel.org \
--cc=bp@alien8.de \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox