From patchwork Mon Mar 7 16:43:19 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Morse X-Patchwork-Id: 8521161 Return-Path: X-Original-To: patchwork-linux-arm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id EBE389F2B4 for ; Mon, 7 Mar 2016 16:46:33 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 09583202A1 for ; Mon, 7 Mar 2016 16:46:33 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.9]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id E72392028D for ; Mon, 7 Mar 2016 16:46:31 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1acyHN-0008Lh-Jy; Mon, 07 Mar 2016 16:45:09 +0000 Received: from foss.arm.com ([217.140.101.70]) by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux)) id 1acyHJ-0007eZ-L1 for linux-arm-kernel@lists.infradead.org; Mon, 07 Mar 2016 16:45:06 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6CDBF49; Mon, 7 Mar 2016 08:43:45 -0800 (PST) Received: from [10.1.209.158] (melchizedek.cambridge.arm.com [10.1.209.158]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 57BFE3F246; Mon, 7 Mar 2016 08:44:42 -0800 (PST) Message-ID: <56DDAFA7.4090207@arm.com> Date: Mon, 07 Mar 2016 16:43:19 +0000 From: James Morse User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.6.0 MIME-Version: 1.0 To: Catalin Marinas Subject: Re: [PATCH v2 0/5] arm64: kernel: Add support for User Access Override References: <1454684330-892-1-git-send-email-james.morse@arm.com> In-Reply-To: <1454684330-892-1-git-send-email-james.morse@arm.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160307_084505_743152_E745E4FE X-CRM114-Status: GOOD ( 11.37 ) X-Spam-Score: -6.9 (------) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Will Deacon , linux-arm-kernel@lists.infradead.org, Suzuki Poulose Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Hi Catalin, I've just spotted UAO causes the test_user_copy module (CONFIG_TEST_USER_COPY) to fail. Who to blame is up for discussion. The test is passing a user pointer as the 'to' field of copy_from_user(), which it expects to fail gracefully: lib/test_user_copy.c:75 > /* Invalid usage: none of these should succeed. */ [ ... ] > ret |= test(!copy_from_user(bad_usermem, (char __user *)kmem, > PAGE_SIZE), > "illegal reversed copy_from_user passed"); > access_ok() catches the "(char __user *)kmem", causing copy_from_user() to pass bad_usermem to memset(): arch/arm64/include/asm/uaccess.h:279 > if (access_ok(VERIFY_READ, from, n)) > n = __copy_from_user(to, from, n); > else /* security hole - plug it */ > memset(to, 0, n); This (correctly) trips UAO's "Accessing user space memory outside uaccess.h routines" message, which is a little confusing to debug, and stops the rest of the module's tests from being run. As far as I can see, this would only affect arm64. I can't find an equivalent memset() for x86_64. The below ugly hack [0], handles this more gracefully. I can send this as a fix sooner/later if you think its the right thing to do. Thanks, James [0] -----------------%<----------------- -----------------%<----------------- diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 0685d74572af..049a82e8dd9e 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -278,8 +278,8 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u { if (access_ok(VERIFY_READ, from, n)) n = __copy_from_user(to, from, n); - else /* security hole - plug it */ - memset(to, 0, n); + else if ((unsigned long)to > USER_DS) /* swapped from/to args? */ + memset(to, 0, n); /* security hole - plug it */ return n; }