From patchwork Fri Feb 10 19:22:42 2017
X-Patchwork-Submitter: "Russell King (Oracle)"
X-Patchwork-Id: 9567345
Date: Fri, 10 Feb 2017 19:22:42 +0000
From: Russell King - ARM Linux
To: Andy Lutomirski
Cc: Stephen Bates, linux-s390@vger.kernel.org, Kees Cook, Arnd Bergmann, kernel-hardening@lists.openwall.com, Linux API, Will Deacon, LKML, Dave Hansen, Jeff Moyer, René Nyffenegger, Milosz Tanski, Thomas Garnier, linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC] syscalls: Restore address limit after a syscall
Message-ID: <20170210192242.GM27312@n2100.armlinux.org.uk>
References: <20170209183358.103094-1-thgarnie@google.com>
User-Agent: Mutt/1.5.23 (2014-03-12)

On Thu, Feb 09, 2017 at 06:42:34PM -0800, Andy Lutomirski wrote:
> On Thu, Feb 9, 2017 at 3:41 PM, Thomas Garnier wrote:
> > So by default it is in the wrapper. If selected, an architecture can
> > disable the wrapper and put it in the best places. Understood correctly?
>
> Sounds good to me.
>
> Presumably the result should go through -mm. Want to cc: akpm and
> linux-arch@ on the next version?
>
> I've also cc'd arm and s390 folks -- those are the other arches that
> try to be on top of hardening.

The best place for this on ARM is in the assembly code, rather than in
the hundreds of system calls - having it in one place is surely better
for reducing the cache impact.

This (untested) patch should be sufficient for ARM - there are two
choices which I think make sense for doing this:

1. Immediately after returning from the syscall
2. Immediately before any return to userspace

(1) has the advantage that the address limit will be forced for the
exit-path work that we do, preventing that work from making accesses
to kernel space.

(2) has the advantage that we'd guarantee that the address limit will
be forced while userspace is running, for the next entry into kernel
space.

There's actually a third option as well:

(3) forcing the address limit on entry to the kernel from userspace.

This patch implements option 1.

arch/arm/kernel/entry-common.S | 6 ++++++ 1 files changed, 6 insertions(+) diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S index eb5cd77bf1d8..6a717a2ccb88 100644 --- a/arch/arm/kernel/entry-common.S +++ b/arch/arm/kernel/entry-common.S @@ -39,6 +39,8 @@ ret_fast_syscall: UNWIND(.fnstart ) UNWIND(.cantunwind ) + mov r1, #TASK_SIZE + str r1, [tsk, #TI_ADDR_LIMIT] disable_irq_notrace @ disable interrupts ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing tst r1, #_TIF_SYSCALL_WORK | _TIF_WORK_MASK @@ -64,6 +66,8 @@ ENDPROC(ret_fast_syscall) ret_fast_syscall: UNWIND(.fnstart ) UNWIND(.cantunwind ) + mov r1, #TASK_SIZE + str r1, [tsk, #TI_ADDR_LIMIT] str r0, [sp, #S_R0 + S_OFF]! @ save returned r0 disable_irq_notrace @ disable interrupts ldr r1, [tsk, #TI_FLAGS] @ re-check for syscall tracing @@ -262,6 +266,8 @@ ENDPROC(vector_swi) b ret_slow_syscall __sys_trace_return: + mov r1, #TASK_SIZE + str r1, [tsk, #TI_ADDR_LIMIT] str r0, [sp, #S_R0 + S_OFF]! @ save returned r0 mov r0, sp bl syscall_trace_exit
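Review bot: in the first ret_fast_syscall hunk, `mov r1, #TASK_SIZE` / `str r1, [tsk, #TI_ADDR_LIMIT]` overwrites the limit unconditionally, so a syscall that returned with a raised (KERNEL_DS) limit still in effect is repaired silently and the bug that leaked it is never reported. Loading the current value first, comparing it with TASK_SIZE and warning (or killing the task) on a mismatch, at least under a debug option, would turn the store into a detector of leaks rather than a cover for them. Clobbering r1 at this point is safe only because the `ldr r1, [tsk, #TI_FLAGS]` two lines later reloads it; that dependency deserves a comment in the style of the surrounding `@` annotations.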
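Review bot: the second ret_fast_syscall hunk repeats the same two-instruction sequence as the first, and the __sys_trace_return hunk repeats it a third time; a small assembler macro in this file (for example one that takes the scratch register as an argument) would keep the three copies in step, which matters as soon as the store grows a check or a WARN. The store is also placed before `str r0, [sp, #S_R0 + S_OFF]!` with no comment saying that it must not touch r0; a one-line `@` comment would save the next reader from working that out.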
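Review bot: the __sys_trace_return hunk covers traced syscalls that return through this label, but the `b ret_slow_syscall` in the context immediately above it shows a path into the slow return that bypasses the new store. If that path can be reached after a syscall handler has run, the limit is not reset on it; if it cannot, a comment saying so would answer the question for the next reviewer. Placing the store at ret_slow_syscall in addition to ret_fast_syscall would cover every syscall return regardless of tracing and would remove the third copy of the sequence.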
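Added example, not code from this thread or from the kernel tree: a small user-space C model of the address-limit handling the thread is about. Everything in it is hypothetical for illustration (struct task_model standing in for thread_info, model_access_ok() standing in for access_ok(), the invented handlers buggy_syscall() and good_syscall(), and the constant 0xbf000000 assumed as the ARM TASK_SIZE for a PAGE_OFFSET of 0xc0000000 minus 16MB). It shows what a leaked raised limit lets through the access check, and what the exit-path store achieves once it also compares the old value instead of overwriting it blindly.

```c
/*
 * Added example (not from the thread or the kernel): user-space model of the
 * syscall-exit address-limit reset.  All names and the TASK_SIZE value are
 * assumptions chosen for illustration.
 */
#include <stdbool.h>
#include <stdio.h>

#define TASK_SIZE_MODEL 0xbf000000UL	/* assumed ARM TASK_SIZE */
#define KERNEL_DS_MODEL 0xffffffffUL	/* "no limit" */

struct task_model {
	unsigned long addr_limit;	/* models thread_info.addr_limit */
	unsigned long leaks_caught;	/* how often the exit path found a leak */
};

/* Model of access_ok(): [addr, addr+size) must lie below the current limit */
static bool model_access_ok(const struct task_model *t, unsigned long addr,
			    unsigned long size)
{
	if (size > t->addr_limit)
		return false;
	return addr <= t->addr_limit - size;
}

static void model_set_fs(struct task_model *t, unsigned long fs)
{
	t->addr_limit = fs;
}

/* Handler that raises the limit for a kernel buffer and forgets to lower it */
static long buggy_syscall(struct task_model *t)
{
	unsigned long old_fs = t->addr_limit;

	model_set_fs(t, KERNEL_DS_MODEL);
	/* ... kernel pointer passed through a user-pointer API here ... */
	(void)old_fs;			/* bug: model_set_fs(t, old_fs) missing */
	return 0;
}

/* The same pattern, done correctly */
static long good_syscall(struct task_model *t)
{
	unsigned long old_fs = t->addr_limit;

	model_set_fs(t, KERNEL_DS_MODEL);
	model_set_fs(t, old_fs);
	return 0;
}

/*
 * Model of the patch's exit-path store (mov r1, #TASK_SIZE; str r1,
 * [tsk, #TI_ADDR_LIMIT]) plus a check: report whether the limit had been
 * left raised, then force it back to TASK_SIZE either way.
 */
static bool restore_addr_limit(struct task_model *t)
{
	bool leaked = t->addr_limit != TASK_SIZE_MODEL;

	if (leaked)
		t->leaks_caught++;	/* the kernel would WARN or kill here */
	t->addr_limit = TASK_SIZE_MODEL;
	return leaked;
}

/* Run a handler the way the patched return path does (option 1 above) */
static bool run_syscall(struct task_model *t,
			long (*handler)(struct task_model *))
{
	handler(t);
	return restore_addr_limit(t);
}

/* Runs good, buggy, good in one task; only the buggy one should be caught */
static unsigned long leaks_in_sequence(void)
{
	struct task_model t = { .addr_limit = TASK_SIZE_MODEL, .leaks_caught = 0 };

	run_syscall(&t, good_syscall);
	run_syscall(&t, buggy_syscall);
	run_syscall(&t, good_syscall);
	return t.leaks_caught;
}

/*
 * What the reset prevents: without it, a leaked limit lets a kernel address
 * (0xc0008000, assumed to be kernel text) pass the access check.
 */
static bool kernel_addr_passes_after_leak(bool with_reset)
{
	struct task_model t = { .addr_limit = TASK_SIZE_MODEL, .leaks_caught = 0 };

	buggy_syscall(&t);
	if (with_reset)
		restore_addr_limit(&t);
	return model_access_ok(&t, 0xc0008000UL, 16);
}

int main(void)
{
	printf("leaks caught in sequence: %lu\n", leaks_in_sequence());
	printf("kernel addr passes without reset: %d, with reset: %d\n",
	       kernel_addr_passes_after_leak(false),
	       kernel_addr_passes_after_leak(true));
	return 0;
}
```

The point of the model is the difference between restore_addr_limit() and a bare store: both leave the task with TASK_SIZE, but only the checking version tells you which syscall leaked, which is what you need to actually fix the driver.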