From: "Michael S. Tsirkin" <mst@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Jason Wang <jasowang@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH RFC] uaccess: user_access_begin_after_access_ok()
Date: Tue, 2 Jun 2020 16:32:55 -0400 [thread overview]
Message-ID: <20200602162931-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <CAHk-=wjgg0bpD0qjYF=twJNXmRXYPjXqO1EFLL-mS8qUphe0AQ@mail.gmail.com>
On Tue, Jun 02, 2020 at 10:18:09AM -0700, Linus Torvalds wrote:
> On Tue, Jun 2, 2020 at 9:33 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > >
> > > It's not clear whether we need a new API, I think __uaccess_being() has the
> > > assumption that the address has been validated by access_ok().
> >
> > __uaccess_begin() is a stopgap, not a public API.
>
> Correct. It's just an x86 implementation detail.
>
> > The problem is real, but "let's add a public API that would do user_access_begin()
> > with access_ok() already done" is no-go.
>
> Yeah, it's completely pointless.
>
> The solution to this is easy: remove the incorrect and useless early
> "access_ok()". Boom, done.
Hmm are you sure we can drop it? access_ok is done in the context
of the process. Access itself in the context of a kernel thread
that borrows the same mm. IIUC if the process can be 32 bit
while the kernel is 64 bit, access_ok in the context of the
kernel thread will not DTRT.
> Then use user_access_begin() and the appropriate unsage_get/put_user()
> sequence, and user_access_end().
>
> The range test that user-access-begin does is not just part of the
> ABI, it's just required in general. We have almost thirty years of
> history of trying to avoid it, AND IT WAS ALL BOGUS.
>
> The fact is, the range check is pretty damn cheap, and not doing the
> range check has always been a complete and utter disaster.
>
> You have exactly two cases:
>
> (a) the access_ok() would be right above the code and can't be missed
>
> (b) not
>
> and in (a) the solution is: remove the access_ok() and let
> user_access_begin() do the range check.
>
> In (b), the solution is literally "DON'T DO THAT!"
>
> Because EVERY SINGLE TIME people have eventually noticed (possibly
> after code movement) that "oops, we never did the access_ok at all,
> and now we can be fooled into kernel corruption and a security issue".
>
> And even if that didn't happen, the worry was there.
>
> End result: use user_access_begin() and stop trying to remove the two
> cycles or whatever of the limit checking cost. The "upside" of
> removing that limit check just isn't. It's a downside.
>
> Linus
That's true. Limit check cost is measureable but very small.
It's the speculation barrier that's costly.
--
MST
next prev parent reply other threads:[~2020-06-02 20:33 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-02 8:45 [PATCH RFC] uaccess: user_access_begin_after_access_ok() Michael S. Tsirkin
2020-06-02 10:15 ` Jason Wang
2020-06-02 16:33 ` Al Viro
2020-06-02 17:18 ` Linus Torvalds
2020-06-02 17:44 ` Al Viro
2020-06-02 17:46 ` Al Viro
2020-06-02 20:32 ` Michael S. Tsirkin [this message]
2020-06-02 20:41 ` David Laight
2020-06-02 21:58 ` Al Viro
2020-06-03 8:08 ` David Laight
2020-06-02 20:43 ` Linus Torvalds
2020-06-03 6:01 ` Michael S. Tsirkin
[not found] ` <CAHk-=wi3=QuD30fRq8fYYTj9WmkgeZ0VR_Sh3DQHU+nmwj-jMg@mail.gmail.com>
2020-06-03 16:59 ` Linus Torvalds
2020-06-02 16:30 ` Al Viro
2020-06-02 20:42 ` Michael S. Tsirkin
2020-06-02 22:10 ` Al Viro
2020-06-03 5:17 ` Michael S. Tsirkin
2020-06-03 1:48 ` Al Viro
2020-06-03 3:57 ` Jason Wang
2020-06-03 4:18 ` Al Viro
2020-06-03 5:18 ` Jason Wang
2020-06-03 5:46 ` Michael S. Tsirkin
2020-06-03 6:23 ` Jason Wang
2020-06-03 6:30 ` Michael S. Tsirkin
2020-06-03 6:36 ` Jason Wang
2020-06-04 16:49 ` Michael S. Tsirkin
2020-06-05 10:03 ` Jason Wang
2020-06-06 20:08 ` Michael S. Tsirkin
2020-06-03 6:25 ` Michael S. Tsirkin
2020-06-03 5:29 ` Michael S. Tsirkin
2020-06-03 16:52 ` Al Viro
2020-06-04 6:10 ` Jason Wang
2020-06-04 14:59 ` Al Viro
2020-06-04 16:46 ` Michael S. Tsirkin
2020-06-04 10:10 ` Michael S. Tsirkin
2020-06-04 15:03 ` Al Viro
2020-06-04 16:47 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200602162931-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=jasowang@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).