* Re: [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi()
2022-09-19 20:16 [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi() Kees Cook
@ 2022-09-20 7:07 ` Florian Lehner
2022-09-20 7:38 ` Peter Zijlstra
2022-09-20 22:23 ` Yu Zhao
2 siblings, 0 replies; 6+ messages in thread
From: Florian Lehner @ 2022-09-20 7:07 UTC (permalink / raw)
To: Kees Cook
Cc: Matthew Wilcox, Yu Zhao, Andrew Morton, Peter Zijlstra,
Josh Poimboeuf, Dave Hansen, x86, stable, Thomas Gleixner,
Ingo Molnar, Borislav Petkov, H. Peter Anvin, Arnd Bergmann,
Al Viro, linux-kernel, linux-hardening
On Mon, Sep 19, 2022 at 01:16:48PM -0700, Kees Cook wrote:
> The check_object_size() helper under CONFIG_HARDENED_USERCOPY is
> designed to skip any checks where the length is known at compile time as
> a reasonable heuristic to avoid "likely known-good" cases. However, it can
> only do this when the copy_*_user() helpers are, themselves, inline too.
>
> Using find_vmap_area() requires taking a spinlock. The check_object_size()
> helper can call find_vmap_area() when the destination is in vmap memory.
> If show_regs() is called in interrupt context, it will attempt a call to
> copy_from_user_nmi(), which may call check_object_size() and then
> find_vmap_area(). If something in normal context happens to be in the
> middle of calling find_vmap_area() (with the spinlock held), the interrupt
> handler will hang forever.
>
> The copy_from_user_nmi() call is actually being called with a fixed-size
> length, so check_object_size() should never have been called in
> the first place. Given the narrow constraints, just replace the
> __copy_from_user_inatomic() call with an open-coded version that calls
> only into the sanitizers and not check_object_size(), followed by a call
> to raw_copy_from_user().
>
> Reported-by: Yu Zhao <yuzhao@google.com>
> Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
> Reported-by: dev@der-flo.net
> Suggested-by: Andrew Morton <akpm@linux-foundation.org>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: x86@kernel.org
> Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v2: drop the call explicitly instead of using inline to do it
> v1: https://lore.kernel.org/lkml/20220916135953.1320601-1-keescook@chromium.org
> ---
> arch/x86/lib/usercopy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
> index ad0139d25401..d2aff9b176cf 100644
> --- a/arch/x86/lib/usercopy.c
> +++ b/arch/x86/lib/usercopy.c
> @@ -44,7 +44,8 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
> * called from other contexts.
> */
> pagefault_disable();
> - ret = __copy_from_user_inatomic(to, from, n);
> + instrument_copy_from_user(to, from, n);
> + ret = raw_copy_from_user(to, from, n);
> pagefault_enable();
>
> return ret;
> --
> 2.34.1
>
Thanks!
Tested-by: Florian Lehner <dev@der-flo.net>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi()
2022-09-19 20:16 [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi() Kees Cook
2022-09-20 7:07 ` Florian Lehner
@ 2022-09-20 7:38 ` Peter Zijlstra
2022-09-20 22:23 ` Yu Zhao
2 siblings, 0 replies; 6+ messages in thread
From: Peter Zijlstra @ 2022-09-20 7:38 UTC (permalink / raw)
To: Kees Cook
Cc: Matthew Wilcox, Yu Zhao, dev, Andrew Morton, Josh Poimboeuf,
Dave Hansen, x86, stable, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, H. Peter Anvin, Arnd Bergmann, Al Viro,
linux-kernel, linux-hardening
On Mon, Sep 19, 2022 at 01:16:48PM -0700, Kees Cook wrote:
> The check_object_size() helper under CONFIG_HARDENED_USERCOPY is
> designed to skip any checks where the length is known at compile time as
> a reasonable heuristic to avoid "likely known-good" cases. However, it can
> only do this when the copy_*_user() helpers are, themselves, inline too.
>
> Using find_vmap_area() requires taking a spinlock. The check_object_size()
> helper can call find_vmap_area() when the destination is in vmap memory.
> If show_regs() is called in interrupt context, it will attempt a call to
> copy_from_user_nmi(), which may call check_object_size() and then
> find_vmap_area(). If something in normal context happens to be in the
> middle of calling find_vmap_area() (with the spinlock held), the interrupt
> handler will hang forever.
>
> The copy_from_user_nmi() call is actually being called with a fixed-size
> length, so check_object_size() should never have been called in
> the first place. Given the narrow constraints, just replace the
> __copy_from_user_inatomic() call with an open-coded version that calls
> only into the sanitizers and not check_object_size(), followed by a call
> to raw_copy_from_user().
>
> Reported-by: Yu Zhao <yuzhao@google.com>
> Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
> Reported-by: dev@der-flo.net
> Suggested-by: Andrew Morton <akpm@linux-foundation.org>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: x86@kernel.org
> Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> arch/x86/lib/usercopy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
> index ad0139d25401..d2aff9b176cf 100644
> --- a/arch/x86/lib/usercopy.c
> +++ b/arch/x86/lib/usercopy.c
> @@ -44,7 +44,8 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
> * called from other contexts.
> */
> pagefault_disable();
> - ret = __copy_from_user_inatomic(to, from, n);
> + instrument_copy_from_user(to, from, n);
> + ret = raw_copy_from_user(to, from, n);
> pagefault_enable();
>
> return ret;
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi()
2022-09-19 20:16 [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi() Kees Cook
2022-09-20 7:07 ` Florian Lehner
2022-09-20 7:38 ` Peter Zijlstra
@ 2022-09-20 22:23 ` Yu Zhao
2022-09-20 22:30 ` Kees Cook
2 siblings, 1 reply; 6+ messages in thread
From: Yu Zhao @ 2022-09-20 22:23 UTC (permalink / raw)
To: Kees Cook
Cc: Matthew Wilcox, dev, Andrew Morton, Peter Zijlstra,
Josh Poimboeuf, Dave Hansen, the arch/x86 maintainers, stable,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, H. Peter Anvin,
Arnd Bergmann, Al Viro, linux-kernel, linux-hardening
On Mon, Sep 19, 2022 at 2:16 PM Kees Cook <keescook@chromium.org> wrote:
>
> The check_object_size() helper under CONFIG_HARDENED_USERCOPY is
> designed to skip any checks where the length is known at compile time as
> a reasonable heuristic to avoid "likely known-good" cases. However, it can
> only do this when the copy_*_user() helpers are, themselves, inline too.
>
> Using find_vmap_area() requires taking a spinlock. The check_object_size()
> helper can call find_vmap_area() when the destination is in vmap memory.
> If show_regs() is called in interrupt context, it will attempt a call to
> copy_from_user_nmi(), which may call check_object_size() and then
> find_vmap_area(). If something in normal context happens to be in the
> middle of calling find_vmap_area() (with the spinlock held), the interrupt
> handler will hang forever.
>
> The copy_from_user_nmi() call is actually being called with a fixed-size
> length, so check_object_size() should never have been called in
> the first place. Given the narrow constraints, just replace the
> __copy_from_user_inatomic() call with an open-coded version that calls
> only into the sanitizers and not check_object_size(), followed by a call
> to raw_copy_from_user().
>
> Reported-by: Yu Zhao <yuzhao@google.com>
> Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
> Reported-by: dev@der-flo.net
> Suggested-by: Andrew Morton <akpm@linux-foundation.org>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: x86@kernel.org
> Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v2: drop the call explicitly instead of using inline to do it
> v1: https://lore.kernel.org/lkml/20220916135953.1320601-1-keescook@chromium.org
> ---
> arch/x86/lib/usercopy.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
> index ad0139d25401..d2aff9b176cf 100644
> --- a/arch/x86/lib/usercopy.c
> +++ b/arch/x86/lib/usercopy.c
> @@ -44,7 +44,8 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
> * called from other contexts.
> */
> pagefault_disable();
> - ret = __copy_from_user_inatomic(to, from, n);
> + instrument_copy_from_user(to, from, n);
Got a build error on top of mm-unstable:
arch/x86/lib/usercopy.c:47:2: error: call to undeclared function
'instrument_copy_from_user'; ISO C99 and later do not support implicit
function declarations [-Wimplicit-function-declaration]
instrument_copy_from_user(to, from, n);
^
arch/x86/lib/usercopy.c:47:2: note: did you mean 'instrument_copy_to_user'?
./include/linux/instrumented.h:117:1: note: 'instrument_copy_to_user'
declared here
instrument_copy_to_user(void __user *to, const void *from, unsigned long n)
^
1 error generated.
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi()
2022-09-20 22:23 ` Yu Zhao
@ 2022-09-20 22:30 ` Kees Cook
2022-09-20 22:40 ` Yu Zhao
0 siblings, 1 reply; 6+ messages in thread
From: Kees Cook @ 2022-09-20 22:30 UTC (permalink / raw)
To: Yu Zhao
Cc: Matthew Wilcox, dev, Andrew Morton, Peter Zijlstra,
Josh Poimboeuf, Dave Hansen, the arch/x86 maintainers, stable,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, H. Peter Anvin,
Arnd Bergmann, Al Viro, linux-kernel, linux-hardening
On Tue, Sep 20, 2022 at 04:23:00PM -0600, Yu Zhao wrote:
> On Mon, Sep 19, 2022 at 2:16 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > The check_object_size() helper under CONFIG_HARDENED_USERCOPY is
> > designed to skip any checks where the length is known at compile time as
> > a reasonable heuristic to avoid "likely known-good" cases. However, it can
> > only do this when the copy_*_user() helpers are, themselves, inline too.
> >
> > Using find_vmap_area() requires taking a spinlock. The check_object_size()
> > helper can call find_vmap_area() when the destination is in vmap memory.
> > If show_regs() is called in interrupt context, it will attempt a call to
> > copy_from_user_nmi(), which may call check_object_size() and then
> > find_vmap_area(). If something in normal context happens to be in the
> > middle of calling find_vmap_area() (with the spinlock held), the interrupt
> > handler will hang forever.
> >
> > The copy_from_user_nmi() call is actually being called with a fixed-size
> > length, so check_object_size() should never have been called in
> > the first place. Given the narrow constraints, just replace the
> > __copy_from_user_inatomic() call with an open-coded version that calls
> > only into the sanitizers and not check_object_size(), followed by a call
> > to raw_copy_from_user().
> >
> > Reported-by: Yu Zhao <yuzhao@google.com>
> > Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
> > Reported-by: dev@der-flo.net
> > Suggested-by: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Matthew Wilcox <willy@infradead.org>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > Cc: x86@kernel.org
> > Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > ---
> > v2: drop the call explicitly instead of using inline to do it
> > v1: https://lore.kernel.org/lkml/20220916135953.1320601-1-keescook@chromium.org
> > ---
> > arch/x86/lib/usercopy.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
> > index ad0139d25401..d2aff9b176cf 100644
> > --- a/arch/x86/lib/usercopy.c
> > +++ b/arch/x86/lib/usercopy.c
> > @@ -44,7 +44,8 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
> > * called from other contexts.
> > */
> > pagefault_disable();
> > - ret = __copy_from_user_inatomic(to, from, n);
> > + instrument_copy_from_user(to, from, n);
>
> Got a build error on top of mm-unstable:
>
> arch/x86/lib/usercopy.c:47:2: error: call to undeclared function
> 'instrument_copy_from_user'; ISO C99 and later do not support implicit
> function declarations [-Wimplicit-function-declaration]
> instrument_copy_from_user(to, from, n);
> ^
> arch/x86/lib/usercopy.c:47:2: note: did you mean 'instrument_copy_to_user'?
> ./include/linux/instrumented.h:117:1: note: 'instrument_copy_to_user'
> declared here
> instrument_copy_to_user(void __user *to, const void *from, unsigned long n)
> ^
> 1 error generated.
Hm, I did test builds of this before sending. I wonder why this passed
for me. I suppose this is needed explicitly in arch/x86/lib/usercopy.c:
#include <linux/instrumented.h>
?
--
Kees Cook
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH v2] x86/uaccess: Avoid check_object_size() in copy_from_user_nmi()
2022-09-20 22:30 ` Kees Cook
@ 2022-09-20 22:40 ` Yu Zhao
0 siblings, 0 replies; 6+ messages in thread
From: Yu Zhao @ 2022-09-20 22:40 UTC (permalink / raw)
To: Kees Cook, Alexander Potapenko
Cc: Matthew Wilcox, dev, Andrew Morton, Peter Zijlstra,
Josh Poimboeuf, Dave Hansen, the arch/x86 maintainers, stable,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, H. Peter Anvin,
Arnd Bergmann, Al Viro, linux-kernel, linux-hardening
On Tue, Sep 20, 2022 at 4:30 PM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Sep 20, 2022 at 04:23:00PM -0600, Yu Zhao wrote:
> > On Mon, Sep 19, 2022 at 2:16 PM Kees Cook <keescook@chromium.org> wrote:
> > >
> > > The check_object_size() helper under CONFIG_HARDENED_USERCOPY is
> > > designed to skip any checks where the length is known at compile time as
> > > a reasonable heuristic to avoid "likely known-good" cases. However, it can
> > > only do this when the copy_*_user() helpers are, themselves, inline too.
> > >
> > > Using find_vmap_area() requires taking a spinlock. The check_object_size()
> > > helper can call find_vmap_area() when the destination is in vmap memory.
> > > If show_regs() is called in interrupt context, it will attempt a call to
> > > copy_from_user_nmi(), which may call check_object_size() and then
> > > find_vmap_area(). If something in normal context happens to be in the
> > > middle of calling find_vmap_area() (with the spinlock held), the interrupt
> > > handler will hang forever.
> > >
> > > The copy_from_user_nmi() call is actually being called with a fixed-size
> > > length, so check_object_size() should never have been called in
> > > the first place. Given the narrow constraints, just replace the
> > > __copy_from_user_inatomic() call with an open-coded version that calls
> > > only into the sanitizers and not check_object_size(), followed by a call
> > > to raw_copy_from_user().
> > >
> > > Reported-by: Yu Zhao <yuzhao@google.com>
> > > Link: https://lore.kernel.org/all/CAOUHufaPshtKrTWOz7T7QFYUNVGFm0JBjvM700Nhf9qEL9b3EQ@mail.gmail.com
> > > Reported-by: dev@der-flo.net
> > > Suggested-by: Andrew Morton <akpm@linux-foundation.org>
> > > Cc: Matthew Wilcox <willy@infradead.org>
> > > Cc: Peter Zijlstra <peterz@infradead.org>
> > > Cc: Josh Poimboeuf <jpoimboe@kernel.org>
> > > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > > Cc: x86@kernel.org
> > > Fixes: 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
> > > Cc: stable@vger.kernel.org
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > v2: drop the call explicitly instead of using inline to do it
> > > v1: https://lore.kernel.org/lkml/20220916135953.1320601-1-keescook@chromium.org
> > > ---
> > > arch/x86/lib/usercopy.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/arch/x86/lib/usercopy.c b/arch/x86/lib/usercopy.c
> > > index ad0139d25401..d2aff9b176cf 100644
> > > --- a/arch/x86/lib/usercopy.c
> > > +++ b/arch/x86/lib/usercopy.c
> > > @@ -44,7 +44,8 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n)
> > > * called from other contexts.
> > > */
> > > pagefault_disable();
> > > - ret = __copy_from_user_inatomic(to, from, n);
> > > + instrument_copy_from_user(to, from, n);
> >
> > Got a build error on top of mm-unstable:
> >
> > arch/x86/lib/usercopy.c:47:2: error: call to undeclared function
> > 'instrument_copy_from_user'; ISO C99 and later do not support implicit
> > function declarations [-Wimplicit-function-declaration]
> > instrument_copy_from_user(to, from, n);
> > ^
> > arch/x86/lib/usercopy.c:47:2: note: did you mean 'instrument_copy_to_user'?
> > ./include/linux/instrumented.h:117:1: note: 'instrument_copy_to_user'
> > declared here
> > instrument_copy_to_user(void __user *to, const void *from, unsigned long n)
> > ^
> > 1 error generated.
>
> Hm, I did test builds of this before sending. I wonder why this passed
> for me. I suppose this is needed explicitly in arch/x86/lib/usercopy.c:
>instrument_copy_to_user()
> #include <linux/instrumented.h>
It seems mm-unstable has switched to instrument_copy_from_user_{before,after}().
Adding Alex.
^ permalink raw reply [flat|nested] 6+ messages in thread