| Message ID | 20221003222133.20948-6-aliraza@bu.edu (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Unikernel Linux (UKL) | expand |
On Mon, Oct 3, 2022, at 3:21 PM, Ali Raza wrote: > When configured for UKL, access_ok needs to account for the unified address > space that is used by the kernel and the process being run. To do this, > they need to check the task struct field added earlier to determine where > the execution that is making the check is running. For a zero value, the > normal boundary definitions apply, but non-zero value indicates a UKL > thread and a shared address space should be assumed. I think this is just wrong. Why should a UKL process be able to read() to kernel (high-half) memory? set_fs() is gone. Please keep it gone. > > Cc: Jonathan Corbet <corbet@lwn.net> > Cc: Masahiro Yamada <masahiroy@kernel.org> > Cc: Michal Marek <michal.lkml@markovi.net> > Cc: Nick Desaulniers <ndesaulniers@google.com> > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@redhat.com> > Cc: Borislav Petkov <bp@alien8.de> > Cc: Dave Hansen <dave.hansen@linux.intel.com> > Cc: "H. Peter Anvin" <hpa@zytor.com> > Cc: Andy Lutomirski <luto@kernel.org> > Cc: Eric Biederman <ebiederm@xmission.com> > Cc: Kees Cook <keescook@chromium.org> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Arnd Bergmann <arnd@arndb.de> > Cc: Juri Lelli <juri.lelli@redhat.com> > Cc: Vincent Guittot <vincent.guittot@linaro.org> > Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> > Cc: Steven Rostedt <rostedt@goodmis.org> > Cc: Ben Segall <bsegall@google.com> > Cc: Mel Gorman <mgorman@suse.de> > Cc: Daniel Bristot de Oliveira <bristot@redhat.com> > Cc: Valentin Schneider <vschneid@redhat.com> > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: Josh Poimboeuf <jpoimboe@kernel.org> > > Signed-off-by: Ali Raza <aliraza@bu.edu> > --- > arch/x86/include/asm/uaccess.h | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h > index 913e593a3b45..adef521b2e59 100644 > --- a/arch/x86/include/asm/uaccess.h > +++ b/arch/x86/include/asm/uaccess.h > @@ -37,11 +37,19 @@ static inline bool pagefault_disabled(void); > * Return: true (nonzero) if the memory block may be valid, false (zero) > * if it is definitely invalid. > */ > +#ifdef CONFIG_UNIKERNEL_LINUX > +#define access_ok(addr, size) \ > +({ \ > + WARN_ON_IN_IRQ(); \ > + (is_ukl_thread() ? 1 : likely(__access_ok(addr, size))); \ > +}) > +#else > #define access_ok(addr, size) \ > ({ \ > WARN_ON_IN_IRQ(); \ > likely(__access_ok(addr, size)); \ > }) > +#endif > > #include <asm-generic/access_ok.h> > > -- > 2.21.3
On 10/4/22 13:36, Andy Lutomirski wrote: > > > On Mon, Oct 3, 2022, at 3:21 PM, Ali Raza wrote: >> When configured for UKL, access_ok needs to account for the unified address >> space that is used by the kernel and the process being run. To do this, >> they need to check the task struct field added earlier to determine where >> the execution that is making the check is running. For a zero value, the >> normal boundary definitions apply, but non-zero value indicates a UKL >> thread and a shared address space should be assumed. > > I think this is just wrong. Why should a UKL process be able to read() to kernel (high-half) memory? > > set_fs() is gone. Please keep it gone. UKL needs access to kernel memory because the UKL application is linked with the kernel, so its data lives along with kernel data in the kernel half of memory. So any thing which involves a check to see if user pointer indeed lives in user part of memory would fail. For example, anything which invokes copy_to_user or copy_from_user would involve a call to access_ok. This would fail because the UKL user pointer will have a kernel address. > >> >> Cc: Jonathan Corbet <corbet@lwn.net> >> Cc: Masahiro Yamada <masahiroy@kernel.org> >> Cc: Michal Marek <michal.lkml@markovi.net> >> Cc: Nick Desaulniers <ndesaulniers@google.com> >> Cc: Thomas Gleixner <tglx@linutronix.de> >> Cc: Ingo Molnar <mingo@redhat.com> >> Cc: Borislav Petkov <bp@alien8.de> >> Cc: Dave Hansen <dave.hansen@linux.intel.com> >> Cc: "H. Peter Anvin" <hpa@zytor.com> >> Cc: Andy Lutomirski <luto@kernel.org> >> Cc: Eric Biederman <ebiederm@xmission.com> >> Cc: Kees Cook <keescook@chromium.org> >> Cc: Peter Zijlstra <peterz@infradead.org> >> Cc: Alexander Viro <viro@zeniv.linux.org.uk> >> Cc: Arnd Bergmann <arnd@arndb.de> >> Cc: Juri Lelli <juri.lelli@redhat.com> >> Cc: Vincent Guittot <vincent.guittot@linaro.org> >> Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> >> Cc: Steven Rostedt <rostedt@goodmis.org> >> Cc: Ben Segall <bsegall@google.com> >> Cc: Mel Gorman <mgorman@suse.de> >> Cc: Daniel Bristot de Oliveira <bristot@redhat.com> >> Cc: Valentin Schneider <vschneid@redhat.com> >> Cc: Paolo Bonzini <pbonzini@redhat.com> >> Cc: Josh Poimboeuf <jpoimboe@kernel.org> >> >> Signed-off-by: Ali Raza <aliraza@bu.edu> >> --- >> arch/x86/include/asm/uaccess.h | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h >> index 913e593a3b45..adef521b2e59 100644 >> --- a/arch/x86/include/asm/uaccess.h >> +++ b/arch/x86/include/asm/uaccess.h >> @@ -37,11 +37,19 @@ static inline bool pagefault_disabled(void); >> * Return: true (nonzero) if the memory block may be valid, false (zero) >> * if it is definitely invalid. >> */ >> +#ifdef CONFIG_UNIKERNEL_LINUX >> +#define access_ok(addr, size) \ >> +({ \ >> + WARN_ON_IN_IRQ(); \ >> + (is_ukl_thread() ? 1 : likely(__access_ok(addr, size))); \ >> +}) >> +#else >> #define access_ok(addr, size) \ >> ({ \ >> WARN_ON_IN_IRQ(); \ >> likely(__access_ok(addr, size)); \ >> }) >> +#endif >> >> #include <asm-generic/access_ok.h> >> >> -- >> 2.21.3
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index 913e593a3b45..adef521b2e59 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -37,11 +37,19 @@ static inline bool pagefault_disabled(void); * Return: true (nonzero) if the memory block may be valid, false (zero) * if it is definitely invalid. */ +#ifdef CONFIG_UNIKERNEL_LINUX +#define access_ok(addr, size) \ +({ \ + WARN_ON_IN_IRQ(); \ + (is_ukl_thread() ? 1 : likely(__access_ok(addr, size))); \ +}) +#else #define access_ok(addr, size) \ ({ \ WARN_ON_IN_IRQ(); \ likely(__access_ok(addr, size)); \ }) +#endif #include <asm-generic/access_ok.h>
When configured for UKL, access_ok needs to account for the unified address space that is used by the kernel and the process being run. To do this, they need to check the task struct field added earlier to determine where the execution that is making the check is running. For a zero value, the normal boundary definitions apply, but non-zero value indicates a UKL thread and a shared address space should be assumed. Cc: Jonathan Corbet <corbet@lwn.net> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Michal Marek <michal.lkml@markovi.net> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Juri Lelli <juri.lelli@redhat.com> Cc: Vincent Guittot <vincent.guittot@linaro.org> Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Ben Segall <bsegall@google.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Daniel Bristot de Oliveira <bristot@redhat.com> Cc: Valentin Schneider <vschneid@redhat.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Ali Raza <aliraza@bu.edu> --- arch/x86/include/asm/uaccess.h | 8 ++++++++ 1 file changed, 8 insertions(+)