| Message ID | 20200903142242.925828-13-hch@lst.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [01/14] proc: remove a level of indentation in proc_get_inode | expand |
From: Christoph Hellwig > Sent: 03 September 2020 15:23 > > Stop providing the possibility to override the address space using > set_fs() now that there is no need for that any more. To properly > handle the TASK_SIZE_MAX checking for 4 vs 5-level page tables on > x86 a new alternative is introduced, which just like the one in > entry_64.S has to use the hardcoded virtual address bits to escape > the fact that TASK_SIZE_MAX isn't actually a constant when 5-level > page tables are enabled. Why does it matter whether 4 or 5 level page tables are in use? Surely all access_ok() needs to do is ensure that a valid kernel address isn't supplied. A non-canonical (is that the right term) address between the highest valid user address and the lowest valid kernel address (7ffe to fffe?) will fault anyway. So any limit between the valid user and kernel addresses should work? So a limit of 1<<63 would seem appropriate. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Thu, Sep 3, 2020 at 2:30 PM David Laight <David.Laight@aculab.com> wrote: > > A non-canonical (is that the right term) address between the highest > valid user address and the lowest valid kernel address (7ffe to fffe?) > will fault anyway. Yes. But we actually warn against that fault, because it's been a good way to catch places that didn't use the proper "access_ok()" pattern. See ex_handler_uaccess() and the WARN_ONCE(trapnr == X86_TRAP_GP, "General protection fault in user access. Non-canonical address?"); warning. It's been good for randomized testing - a missing range check on a user address will often hit this. Of course, you should never see it in real life (and hopefully not in testing either any more). But belt-and-suspenders.. Linus
On Thu, Sep 03, 2020 at 04:22:40PM +0200, Christoph Hellwig wrote: > diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S > index c8a85b512796e1..94f7be4971ed04 100644 > --- a/arch/x86/lib/getuser.S > +++ b/arch/x86/lib/getuser.S > @@ -35,10 +35,19 @@ > #include <asm/smap.h> > #include <asm/export.h> > > +#ifdef CONFIG_X86_5LEVEL > +#define LOAD_TASK_SIZE_MINUS_N(n) \ > + ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rdx", \ > + "mov $((1 << 56) - 4096 - (n)),%rdx", X86_FEATURE_LA57 > +#else > +#define LOAD_TASK_SIZE_MINUS_N(n) \ > + mov $(TASK_SIZE_MAX - (n)),%_ASM_DX > +#endif Wait a sec... how is that supposed to build with X86_5LEVEL? Do you mean #define LOAD_TASK_SIZE_MINUS_N(n) \ ALTERNATIVE __stringify(mov $((1 << 47) - 4096 - (n)),%rdx), \ __stringify(mov $((1 << 56) - 4096 - (n)),%rdx), X86_FEATURE_LA57 there?
On Fri, Sep 04, 2020 at 03:55:10AM +0100, Al Viro wrote: > On Thu, Sep 03, 2020 at 04:22:40PM +0200, Christoph Hellwig wrote: > > > diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S > > index c8a85b512796e1..94f7be4971ed04 100644 > > --- a/arch/x86/lib/getuser.S > > +++ b/arch/x86/lib/getuser.S > > @@ -35,10 +35,19 @@ > > #include <asm/smap.h> > > #include <asm/export.h> > > > > +#ifdef CONFIG_X86_5LEVEL > > +#define LOAD_TASK_SIZE_MINUS_N(n) \ > > + ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rdx", \ > > + "mov $((1 << 56) - 4096 - (n)),%rdx", X86_FEATURE_LA57 > > +#else > > +#define LOAD_TASK_SIZE_MINUS_N(n) \ > > + mov $(TASK_SIZE_MAX - (n)),%_ASM_DX > > +#endif > > Wait a sec... how is that supposed to build with X86_5LEVEL? Do you mean > > #define LOAD_TASK_SIZE_MINUS_N(n) \ > ALTERNATIVE __stringify(mov $((1 << 47) - 4096 - (n)),%rdx), \ > __stringify(mov $((1 << 56) - 4096 - (n)),%rdx), X86_FEATURE_LA57 > > there? Pushed out with the following folded in. diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S index 94f7be4971ed..2f052bc96866 100644 --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -37,8 +37,8 @@ #ifdef CONFIG_X86_5LEVEL #define LOAD_TASK_SIZE_MINUS_N(n) \ - ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rdx", \ - "mov $((1 << 56) - 4096 - (n)),%rdx", X86_FEATURE_LA57 + ALTERNATIVE __stringify(mov $((1 << 47) - 4096 - (n)),%rdx), \ + __stringify(mov $((1 << 56) - 4096 - (n)),%rdx), X86_FEATURE_LA57 #else #define LOAD_TASK_SIZE_MINUS_N(n) \ mov $(TASK_SIZE_MAX - (n)),%_ASM_DX diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S index 445374885153..358239d77dff 100644 --- a/arch/x86/lib/putuser.S +++ b/arch/x86/lib/putuser.S @@ -33,8 +33,8 @@ #ifdef CONFIG_X86_5LEVEL #define LOAD_TASK_SIZE_MINUS_N(n) \ - ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rbx", \ - "mov $((1 << 56) - 4096 - (n)),%rbx", X86_FEATURE_LA57 + ALTERNATIVE __stringify(mov $((1 << 47) - 4096 - (n)),%rbx), \ + __stringify(mov $((1 << 56) - 4096 - (n)),%rbx), X86_FEATURE_LA57 #else #define LOAD_TASK_SIZE_MINUS_N(n) \ mov $(TASK_SIZE_MAX - (n)),%_ASM_BX
On Fri, Sep 04, 2020 at 03:55:10AM +0100, Al Viro wrote: > On Thu, Sep 03, 2020 at 04:22:40PM +0200, Christoph Hellwig wrote: > > > diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S > > index c8a85b512796e1..94f7be4971ed04 100644 > > --- a/arch/x86/lib/getuser.S > > +++ b/arch/x86/lib/getuser.S > > @@ -35,10 +35,19 @@ > > #include <asm/smap.h> > > #include <asm/export.h> > > > > +#ifdef CONFIG_X86_5LEVEL > > +#define LOAD_TASK_SIZE_MINUS_N(n) \ > > + ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rdx", \ > > + "mov $((1 << 56) - 4096 - (n)),%rdx", X86_FEATURE_LA57 > > +#else > > +#define LOAD_TASK_SIZE_MINUS_N(n) \ > > + mov $(TASK_SIZE_MAX - (n)),%_ASM_DX > > +#endif > > Wait a sec... how is that supposed to build with X86_5LEVEL? Do you mean > > #define LOAD_TASK_SIZE_MINUS_N(n) \ > ALTERNATIVE __stringify(mov $((1 << 47) - 4096 - (n)),%rdx), \ > __stringify(mov $((1 << 56) - 4096 - (n)),%rdx), X86_FEATURE_LA57 > > there? Don't ask me about the how, but it builds and works with X86_5LEVEL, and the style is copied from elsewhere..
On Fri, Sep 04, 2020 at 08:38:13AM +0200, Christoph Hellwig wrote: > > Wait a sec... how is that supposed to build with X86_5LEVEL? Do you mean > > > > #define LOAD_TASK_SIZE_MINUS_N(n) \ > > ALTERNATIVE __stringify(mov $((1 << 47) - 4096 - (n)),%rdx), \ > > __stringify(mov $((1 << 56) - 4096 - (n)),%rdx), X86_FEATURE_LA57 > > > > there? > > Don't ask me about the how, but it builds and works with X86_5LEVEL, > and the style is copied from elsewhere.. Actually, it doesn't any more. Looks like the change to pass the n parameter as suggested by Linus broke the previously working version.
From: Linus Torvalds > Sent: 04 September 2020 00:26 > > On Thu, Sep 3, 2020 at 2:30 PM David Laight <David.Laight@aculab.com> wrote: > > > > A non-canonical (is that the right term) address between the highest > > valid user address and the lowest valid kernel address (7ffe to fffe?) > > will fault anyway. > > Yes. > > But we actually warn against that fault, because it's been a good way > to catch places that didn't use the proper "access_ok()" pattern. > > See ex_handler_uaccess() and the > > WARN_ONCE(trapnr == X86_TRAP_GP, "General protection fault in > user access. Non-canonical address?"); > > warning. It's been good for randomized testing - a missing range check > on a user address will often hit this. > > Of course, you should never see it in real life (and hopefully not in > testing either any more). But belt-and-suspenders.. That could still be effective, just pick an address limit that is appropriate for the one access_ok() is using. Even if access_ok() uses 1<<63 there are plenty of addresses above it that fault. But the upper limit for 5-level page tables could be used all the time. One option is to test '(address | length) < (3<<62)' in access_ok(). That is also moderately suitable for masking invalid addresses to 0. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index f85c13355732fe..7101ac64bb209d 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -237,7 +237,6 @@ config X86 select HAVE_ARCH_KCSAN if X86_64 select X86_FEATURE_NAMES if PROC_FS select PROC_PID_ARCH_STATUS if PROC_FS - select SET_FS imply IMA_SECURE_AND_OR_TRUSTED_BOOT if EFI config INSTRUCTION_DECODER diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c index ca8a657edf5977..a09fc37ead9d47 100644 --- a/arch/x86/ia32/ia32_aout.c +++ b/arch/x86/ia32/ia32_aout.c @@ -239,7 +239,6 @@ static int load_aout_binary(struct linux_binprm *bprm) (regs)->ss = __USER32_DS; regs->r8 = regs->r9 = regs->r10 = regs->r11 = regs->r12 = regs->r13 = regs->r14 = regs->r15 = 0; - set_fs(USER_DS); return 0; } diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h index 1618eeb08361a9..189573d95c3af6 100644 --- a/arch/x86/include/asm/processor.h +++ b/arch/x86/include/asm/processor.h @@ -482,10 +482,6 @@ extern unsigned int fpu_user_xstate_size; struct perf_event; -typedef struct { - unsigned long seg; -} mm_segment_t; - struct thread_struct { /* Cached TLS descriptors: */ struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES]; @@ -538,8 +534,6 @@ struct thread_struct { */ unsigned long iopl_emul; - mm_segment_t addr_limit; - unsigned int sig_on_uaccess_err:1; /* Floating point and extended processor state */ @@ -785,15 +779,12 @@ static inline void spin_lock_prefetch(const void *x) #define INIT_THREAD { \ .sp0 = TOP_OF_INIT_STACK, \ .sysenter_cs = __KERNEL_CS, \ - .addr_limit = KERNEL_DS, \ } #define KSTK_ESP(task) (task_pt_regs(task)->sp) #else -#define INIT_THREAD { \ - .addr_limit = KERNEL_DS, \ -} +#define INIT_THREAD { } extern unsigned long KSTK_ESP(struct task_struct *task); diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h index 267701ae3d86dd..44733a4bfc4294 100644 --- a/arch/x86/include/asm/thread_info.h +++ b/arch/x86/include/asm/thread_info.h @@ -102,7 +102,6 @@ struct thread_info { #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */ #define TIF_ADDR32 29 /* 32-bit address space on 64 bits */ #define TIF_X32 30 /* 32-bit native x86-64 binary */ -#define TIF_FSCHECK 31 /* Check FS is USER_DS on return */ #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) @@ -131,7 +130,6 @@ struct thread_info { #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) #define _TIF_ADDR32 (1 << TIF_ADDR32) #define _TIF_X32 (1 << TIF_X32) -#define _TIF_FSCHECK (1 << TIF_FSCHECK) /* flags to check in __switch_to() */ #define _TIF_WORK_CTXSW_BASE \ diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index ecefaffd15d4c8..a4ceda0510ea87 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -12,30 +12,6 @@ #include <asm/smap.h> #include <asm/extable.h> -/* - * The fs value determines whether argument validity checking should be - * performed or not. If get_fs() == USER_DS, checking is performed, with - * get_fs() == KERNEL_DS, checking is bypassed. - * - * For historical reasons, these macros are grossly misnamed. - */ - -#define MAKE_MM_SEG(s) ((mm_segment_t) { (s) }) - -#define KERNEL_DS MAKE_MM_SEG(-1UL) -#define USER_DS MAKE_MM_SEG(TASK_SIZE_MAX) - -#define get_fs() (current->thread.addr_limit) -static inline void set_fs(mm_segment_t fs) -{ - current->thread.addr_limit = fs; - /* On user-mode return, check fs is correct */ - set_thread_flag(TIF_FSCHECK); -} - -#define uaccess_kernel() (get_fs().seg == KERNEL_DS.seg) -#define user_addr_max() (current->thread.addr_limit.seg) - /* * Test whether a block of memory is a valid user space address. * Returns 0 if the range is valid, nonzero otherwise. @@ -93,7 +69,7 @@ static inline bool pagefault_disabled(void); #define access_ok(addr, size) \ ({ \ WARN_ON_IN_IRQ(); \ - likely(!__range_not_ok(addr, size, user_addr_max())); \ + likely(!__range_not_ok(addr, size, TASK_SIZE_MAX)); \ }) /* diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c index 3ca07ad552ae0c..70b7154f4bdd62 100644 --- a/arch/x86/kernel/asm-offsets.c +++ b/arch/x86/kernel/asm-offsets.c @@ -37,9 +37,6 @@ static void __used common(void) OFFSET(TASK_stack_canary, task_struct, stack_canary); #endif - BLANK(); - OFFSET(TASK_addr_limit, task_struct, thread.addr_limit); - BLANK(); OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx); diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S index c8a85b512796e1..94f7be4971ed04 100644 --- a/arch/x86/lib/getuser.S +++ b/arch/x86/lib/getuser.S @@ -35,10 +35,19 @@ #include <asm/smap.h> #include <asm/export.h> +#ifdef CONFIG_X86_5LEVEL +#define LOAD_TASK_SIZE_MINUS_N(n) \ + ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rdx", \ + "mov $((1 << 56) - 4096 - (n)),%rdx", X86_FEATURE_LA57 +#else +#define LOAD_TASK_SIZE_MINUS_N(n) \ + mov $(TASK_SIZE_MAX - (n)),%_ASM_DX +#endif + .text SYM_FUNC_START(__get_user_1) - mov PER_CPU_VAR(current_task), %_ASM_DX - cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX + LOAD_TASK_SIZE_MINUS_N(0) + cmp %_ASM_DX,%_ASM_AX jae bad_get_user sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ and %_ASM_DX, %_ASM_AX @@ -51,15 +60,13 @@ SYM_FUNC_END(__get_user_1) EXPORT_SYMBOL(__get_user_1) SYM_FUNC_START(__get_user_2) - add $1,%_ASM_AX - jc bad_get_user - mov PER_CPU_VAR(current_task), %_ASM_DX - cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX + LOAD_TASK_SIZE_MINUS_N(1) + cmp %_ASM_DX,%_ASM_AX jae bad_get_user sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ and %_ASM_DX, %_ASM_AX ASM_STAC -2: movzwl -1(%_ASM_AX),%edx +2: movzwl (%_ASM_AX),%edx xor %eax,%eax ASM_CLAC ret @@ -67,15 +74,13 @@ SYM_FUNC_END(__get_user_2) EXPORT_SYMBOL(__get_user_2) SYM_FUNC_START(__get_user_4) - add $3,%_ASM_AX - jc bad_get_user - mov PER_CPU_VAR(current_task), %_ASM_DX - cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX + LOAD_TASK_SIZE_MINUS_N(3) + cmp %_ASM_DX,%_ASM_AX jae bad_get_user sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ and %_ASM_DX, %_ASM_AX ASM_STAC -3: movl -3(%_ASM_AX),%edx +3: movl (%_ASM_AX),%edx xor %eax,%eax ASM_CLAC ret @@ -84,29 +89,25 @@ EXPORT_SYMBOL(__get_user_4) SYM_FUNC_START(__get_user_8) #ifdef CONFIG_X86_64 - add $7,%_ASM_AX - jc bad_get_user - mov PER_CPU_VAR(current_task), %_ASM_DX - cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX + LOAD_TASK_SIZE_MINUS_N(7) + cmp %_ASM_DX,%_ASM_AX jae bad_get_user sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ and %_ASM_DX, %_ASM_AX ASM_STAC -4: movq -7(%_ASM_AX),%rdx +4: movq (%_ASM_AX),%rdx xor %eax,%eax ASM_CLAC ret #else - add $7,%_ASM_AX - jc bad_get_user_8 - mov PER_CPU_VAR(current_task), %_ASM_DX - cmp TASK_addr_limit(%_ASM_DX),%_ASM_AX + LOAD_TASK_SIZE_MINUS_N(7) + cmp %_ASM_DX,%_ASM_AX jae bad_get_user_8 sbb %_ASM_DX, %_ASM_DX /* array_index_mask_nospec() */ and %_ASM_DX, %_ASM_AX ASM_STAC -4: movl -7(%_ASM_AX),%edx -5: movl -3(%_ASM_AX),%ecx +4: movl (%_ASM_AX),%edx +5: movl 4(%_ASM_AX),%ecx xor %eax,%eax ASM_CLAC ret diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S index 7c7c92db8497af..445374885153bf 100644 --- a/arch/x86/lib/putuser.S +++ b/arch/x86/lib/putuser.S @@ -31,12 +31,19 @@ * as they get called from within inline assembly. */ -#define ENTER mov PER_CPU_VAR(current_task), %_ASM_BX +#ifdef CONFIG_X86_5LEVEL +#define LOAD_TASK_SIZE_MINUS_N(n) \ + ALTERNATIVE "mov $((1 << 47) - 4096 - (n)),%rbx", \ + "mov $((1 << 56) - 4096 - (n)),%rbx", X86_FEATURE_LA57 +#else +#define LOAD_TASK_SIZE_MINUS_N(n) \ + mov $(TASK_SIZE_MAX - (n)),%_ASM_BX +#endif .text SYM_FUNC_START(__put_user_1) - ENTER - cmp TASK_addr_limit(%_ASM_BX),%_ASM_CX + LOAD_TASK_SIZE_MINUS_N(0) + cmp %_ASM_BX,%_ASM_CX jae .Lbad_put_user ASM_STAC 1: movb %al,(%_ASM_CX) @@ -47,9 +54,7 @@ SYM_FUNC_END(__put_user_1) EXPORT_SYMBOL(__put_user_1) SYM_FUNC_START(__put_user_2) - ENTER - mov TASK_addr_limit(%_ASM_BX),%_ASM_BX - sub $1,%_ASM_BX + LOAD_TASK_SIZE_MINUS_N(1) cmp %_ASM_BX,%_ASM_CX jae .Lbad_put_user ASM_STAC @@ -61,9 +66,7 @@ SYM_FUNC_END(__put_user_2) EXPORT_SYMBOL(__put_user_2) SYM_FUNC_START(__put_user_4) - ENTER - mov TASK_addr_limit(%_ASM_BX),%_ASM_BX - sub $3,%_ASM_BX + LOAD_TASK_SIZE_MINUS_N(3) cmp %_ASM_BX,%_ASM_CX jae .Lbad_put_user ASM_STAC @@ -75,9 +78,7 @@ SYM_FUNC_END(__put_user_4) EXPORT_SYMBOL(__put_user_4) SYM_FUNC_START(__put_user_8) - ENTER - mov TASK_addr_limit(%_ASM_BX),%_ASM_BX - sub $7,%_ASM_BX + LOAD_TASK_SIZE_MINUS_N(7) cmp %_ASM_BX,%_ASM_CX jae .Lbad_put_user ASM_STAC