| Message ID | 20210329095749.998940-1-ben.dooks@codethink.co.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v4] riscv: evaluate put_user() arg before enabling user access | expand |
On Mon, 29 Mar 2021 02:57:49 PDT (-0700), ben.dooks@codethink.co.uk wrote: > The <asm/uaccess.h> header has a problem with put_user(a, ptr) if > the 'a' is not a simple variable, such as a function. This can lead > to the compiler producing code as so: > > 1: enable_user_access() > 2: evaluate 'a' into register 'r' > 3: put 'r' to 'ptr' > 4: disable_user_acess() > > The issue is that 'a' is now being evaluated with the user memory > protections disabled. So we try and force the evaulation by assigning > 'x' to __val at the start, and hoping the compiler barriers in > enable_user_access() do the job of ordering step 2 before step 1. > > This has shown up in a bug where 'a' sleeps and thus schedules out > and loses the SR_SUM flag. This isn't sufficient to fully fix, but > should reduce the window of opportunity. The first instance of this > we found is in scheudle_tail() where the code does: > > $ less -N kernel/sched/core.c > > 4263 if (current->set_child_tid) > 4264 put_user(task_pid_vnr(current), current->set_child_tid); > > Here, the task_pid_vnr(current) is called within the block that has > enabled the user memory access. This can be made worse with KASAN > which makes task_pid_vnr() a rather large call with plenty of > opportunity to sleep. > > Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> > Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com > Suggested-by: Arnd Bergman <arnd@arndb.de> Thanks, this is on fixes.
On 30/03/2021 06:47, Palmer Dabbelt wrote: > On Mon, 29 Mar 2021 02:57:49 PDT (-0700), ben.dooks@codethink.co.uk wrote: >> The <asm/uaccess.h> header has a problem with put_user(a, ptr) if >> the 'a' is not a simple variable, such as a function. This can lead >> to the compiler producing code as so: >> >> 1: enable_user_access() >> 2: evaluate 'a' into register 'r' >> 3: put 'r' to 'ptr' >> 4: disable_user_acess() >> >> The issue is that 'a' is now being evaluated with the user memory >> protections disabled. So we try and force the evaulation by assigning >> 'x' to __val at the start, and hoping the compiler barriers in >> enable_user_access() do the job of ordering step 2 before step 1. >> >> This has shown up in a bug where 'a' sleeps and thus schedules out >> and loses the SR_SUM flag. This isn't sufficient to fully fix, but >> should reduce the window of opportunity. The first instance of this >> we found is in scheudle_tail() where the code does: >> >> $ less -N kernel/sched/core.c >> >> 4263 if (current->set_child_tid) >> 4264 put_user(task_pid_vnr(current), current->set_child_tid); >> >> Here, the task_pid_vnr(current) is called within the block that has >> enabled the user memory access. This can be made worse with KASAN >> which makes task_pid_vnr() a rather large call with plenty of >> opportunity to sleep. >> >> Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> >> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com >> Suggested-by: Arnd Bergman <arnd@arndb.de> > > Thanks, this is on fixes. Great. I still think we need a discussion on whether __switch_to() also needs to save some of the flags from sstatus. I did some basic tests and so far I think the SR_SUM is the only thing that should be saved. I'll try and finish writing this bug-trail up and seeing what else needs to be done. I expect there may be other architectures that have similar issues with put_user() and friends At least the riscv stress testing can move forward with this in place.
diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h index 824b2c9da75b..f944062c9d99 100644 --- a/arch/riscv/include/asm/uaccess.h +++ b/arch/riscv/include/asm/uaccess.h @@ -306,7 +306,9 @@ do { \ * data types like structures or arrays. * * @ptr must have pointer-to-simple-variable type, and @x must be assignable - * to the result of dereferencing @ptr. + * to the result of dereferencing @ptr. The value of @x is copied to avoid + * re-ordering where @x is evaluated inside the block that enables user-space + * access (thus bypassing user space protection if @x is a function). * * Caller must check the pointer with access_ok() before calling this * function. @@ -316,12 +318,13 @@ do { \ #define __put_user(x, ptr) \ ({ \ __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ + __typeof__(*__gu_ptr) __val = (x); \ long __pu_err = 0; \ \ __chk_user_ptr(__gu_ptr); \ \ __enable_user_access(); \ - __put_user_nocheck(x, __gu_ptr, __pu_err); \ + __put_user_nocheck(__val, __gu_ptr, __pu_err); \ __disable_user_access(); \ \ __pu_err; \
The <asm/uaccess.h> header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman <arnd@arndb.de> -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Cc: schwab@linux-m68k.org Cc: dvyukov@google.com Cc: linux-riscv@lists.infradead.org Cc: paul.walmsley@sifive.com Cc: palmer@dabbelt.com Cc: alex@ghiti.fr Cc: linux-kernel@lists.codethink.co.uk --- arch/riscv/include/asm/uaccess.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)