[v2,1/2] Add UFFD_USER_MODE_ONLY

Message ID	20200822014018.913868-2-lokeshgidra@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=5B1E=CA=vger.kernel.org=linux-fsdevel-owner@kernel.org> Date: Fri, 21 Aug 2020 18:40:17 -0700 In-Reply-To: <20200822014018.913868-1-lokeshgidra@google.com> Message-Id: <20200822014018.913868-2-lokeshgidra@google.com> Mime-Version: 1.0 References: <20200822014018.913868-1-lokeshgidra@google.com> Subject: [PATCH v2 1/2] Add UFFD_USER_MODE_ONLY From: Lokesh Gidra <lokeshgidra@google.com> To: Kees Cook <keescook@chromium.org>, Jonathan Corbet <corbet@lwn.net>, Peter Xu <peterx@redhat.com>, Andrea Arcangeli <aarcange@redhat.com>, Andrew Morton <akpm@linux-foundation.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Stephen Smalley <stephen.smalley.work@gmail.com>, Eric Biggers <ebiggers@kernel.com>, Lokesh Gidra <lokeshgidra@google.com>, Daniel Colascione <dancol@dancol.org>, "Joel Fernandes (Google)" <joel@joelfernandes.org>, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, kaleshsingh@google.com, calin@google.com, surenb@google.com, nnk@google.com, jeffv@google.com, kernel-team@android.com, Mike Rapoport <rppt@linux.vnet.ibm.com>, Shaohua Li <shli@fb.com>, Jerome Glisse <jglisse@redhat.com>, Sebastian Andrzej Siewior <bigeasy@linutronix.de>, Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, Johannes Weiner <hannes@cmpxchg.org>, Mel Gorman <mgorman@techsingularity.net>, Nitin Gupta <nigupta@nvidia.com>, Vlastimil Babka <vbabka@suse.cz>, Iurii Zaikin <yzaikin@google.com>, Luis Chamberlain <mcgrof@kernel.org>, Daniel Colascione <dancol@google.com> Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk
Series	Control over userfaultfd kernel-fault handling \| expand [v2,0/2] Control over userfaultfd kernel-fault handling [v2,1/2] Add UFFD_USER_MODE_ONLY [v2,2/2] Add user-mode only option to unprivileged_userfaultfd sysctl knob

Message ID

20200822014018.913868-2-lokeshgidra@google.com (mailing list archive)

State

New, archived

Headers

Date: Fri, 21 Aug 2020 18:40:17 -0700
In-Reply-To: <20200822014018.913868-1-lokeshgidra@google.com>
Message-Id: <20200822014018.913868-2-lokeshgidra@google.com>
Mime-Version: 1.0
References: <20200822014018.913868-1-lokeshgidra@google.com>
Subject: [PATCH v2 1/2] Add UFFD_USER_MODE_ONLY
From: Lokesh Gidra <lokeshgidra@google.com>
To: Kees Cook <keescook@chromium.org>,
        Jonathan Corbet <corbet@lwn.net>, Peter Xu <peterx@redhat.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andrew Morton <akpm@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Eric Biggers <ebiggers@kernel.com>,
        Lokesh Gidra <lokeshgidra@google.com>,
        Daniel Colascione <dancol@dancol.org>,
        "Joel Fernandes (Google)" <joel@joelfernandes.org>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-doc@vger.kernel.org, kaleshsingh@google.com,
        calin@google.com, surenb@google.com, nnk@google.com,
        jeffv@google.com, kernel-team@android.com,
        Mike Rapoport <rppt@linux.vnet.ibm.com>,
        Shaohua Li <shli@fb.com>, Jerome Glisse <jglisse@redhat.com>,
        Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
        Johannes Weiner <hannes@cmpxchg.org>,
        Mel Gorman <mgorman@techsingularity.net>,
        Nitin Gupta <nigupta@nvidia.com>,
        Vlastimil Babka <vbabka@suse.cz>,
        Iurii Zaikin <yzaikin@google.com>,
        Luis Chamberlain <mcgrof@kernel.org>,
        Daniel Colascione <dancol@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Series

Control over userfaultfd kernel-fault handling | expand

Commit Message

Lokesh Gidra Aug. 22, 2020, 1:40 a.m. UTC

userfaultfd handles page faults from both user and kernel code.
Add a new UFFD_USER_MODE_ONLY flag for userfaultfd(2) that makes
the resulting userfaultfd object refuse to handle faults from kernel
mode, treating these faults as if SIGBUS were always raised, causing
the kernel code to fail with EFAULT.

A future patch adds a knob allowing administrators to give some
processes the ability to create userfaultfd file objects only if they
pass UFFD_USER_MODE_ONLY, reducing the likelihood that these processes
will exploit userfaultfd's ability to delay kernel page faults to open
timing windows for future exploits.

Signed-off-by: Daniel Colascione <dancol@google.com>
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
---
 fs/userfaultfd.c                 | 7 ++++++-
 include/uapi/linux/userfaultfd.h | 9 +++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

Comments

Sebastian Andrzej Siewior Aug. 24, 2020, 12:32 p.m. UTC | #1

On 2020-08-21 18:40:17 [-0700], Lokesh Gidra wrote:
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1966,6 +1969,7 @@ static void init_once_userfaultfd_ctx(void *mem)
>  
>  SYSCALL_DEFINE1(userfaultfd, int, flags)
>  {
> +	static const int uffd_flags = UFFD_USER_MODE_ONLY;
>  	struct userfaultfd_ctx *ctx;
>  	int fd;
Why?

Sebastian

Lokesh Gidra Aug. 26, 2020, 12:24 a.m. UTC | #2

On Mon, Aug 24, 2020 at 5:32 AM Sebastian Andrzej Siewior
<bigeasy@linutronix.de> wrote:
>
> On 2020-08-21 18:40:17 [-0700], Lokesh Gidra wrote:
> > --- a/fs/userfaultfd.c
> > +++ b/fs/userfaultfd.c
> > @@ -1966,6 +1969,7 @@ static void init_once_userfaultfd_ctx(void *mem)
> >
> >  SYSCALL_DEFINE1(userfaultfd, int, flags)
> >  {
> > +     static const int uffd_flags = UFFD_USER_MODE_ONLY;
> >       struct userfaultfd_ctx *ctx;
> >       int fd;
> Why?

Not sure! I guess Daniel didn't want to repeat the long flag name twice.

Thanks for catching that. I'll send another version fixing this.
>
> Sebastian

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 0e4a3837da52..3e4ae6145112 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -405,6 +405,9 @@  vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason)
 
 	if (ctx->features & UFFD_FEATURE_SIGBUS)
 		goto out;
+	if ((vmf->flags & FAULT_FLAG_USER) == 0 &&
+	    ctx->flags & UFFD_USER_MODE_ONLY)
+		goto out;
 
 	/*
 	 * If it's already released don't get it. This avoids to loop
@@ -1966,6 +1969,7 @@  static void init_once_userfaultfd_ctx(void *mem)
 
 SYSCALL_DEFINE1(userfaultfd, int, flags)
 {
+	static const int uffd_flags = UFFD_USER_MODE_ONLY;
 	struct userfaultfd_ctx *ctx;
 	int fd;
 
@@ -1975,10 +1979,11 @@  SYSCALL_DEFINE1(userfaultfd, int, flags)
 	BUG_ON(!current->mm);
 
 	/* Check the UFFD_* constants for consistency.  */
+	BUILD_BUG_ON(uffd_flags & UFFD_SHARED_FCNTL_FLAGS);
 	BUILD_BUG_ON(UFFD_CLOEXEC != O_CLOEXEC);
 	BUILD_BUG_ON(UFFD_NONBLOCK != O_NONBLOCK);
 
-	if (flags & ~UFFD_SHARED_FCNTL_FLAGS)
+	if (flags & ~(UFFD_SHARED_FCNTL_FLAGS | uffd_flags))
 		return -EINVAL;
 
 	ctx = kmem_cache_alloc(userfaultfd_ctx_cachep, GFP_KERNEL);
diff --git a/include/uapi/linux/userfaultfd.h b/include/uapi/linux/userfaultfd.h
index e7e98bde221f..5f2d88212f7c 100644
--- a/include/uapi/linux/userfaultfd.h
+++ b/include/uapi/linux/userfaultfd.h
@@ -257,4 +257,13 @@  struct uffdio_writeprotect {
 	__u64 mode;
 };
 
+/*
+ * Flags for the userfaultfd(2) system call itself.
+ */
+
+/*
+ * Create a userfaultfd that can handle page faults only in user mode.
+ */
+#define UFFD_USER_MODE_ONLY 1
+
 #endif /* _LINUX_USERFAULTFD_H */

[v2,1/2] Add UFFD_USER_MODE_ONLY

Commit Message

Comments

Patch