| Message ID | 14f17ef1902aa4f07a39f96879394e718a1f5dc1.1559580831.git.andreyknvl@google.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | arm64: untag user pointers passed to the kernel | expand |
On Mon, Jun 03, 2019 at 06:55:05PM +0200, Andrey Konovalov wrote: > This patch is a part of a series that extends arm64 kernel ABI to allow to > pass tagged user pointers (with the top byte set to something else other > than 0x00) as syscall arguments. > > strncpy_from_user and strnlen_user accept user addresses as arguments, and > do not go through the same path as copy_from_user and others, so here we > need to handle the case of tagged user addresses separately. > > Untag user pointers passed to these functions. > > Note, that this patch only temporarily untags the pointers to perform > validity checks, but then uses them as is to perform user memory accesses. > > Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> > Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Acked-by: Kees Cook <keescook@chromium.org> -Kees > --- > lib/strncpy_from_user.c | 3 ++- > lib/strnlen_user.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c > index 023ba9f3b99f..dccb95af6003 100644 > --- a/lib/strncpy_from_user.c > +++ b/lib/strncpy_from_user.c > @@ -6,6 +6,7 @@ > #include <linux/uaccess.h> > #include <linux/kernel.h> > #include <linux/errno.h> > +#include <linux/mm.h> > > #include <asm/byteorder.h> > #include <asm/word-at-a-time.h> > @@ -108,7 +109,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count) > return 0; > > max_addr = user_addr_max(); > - src_addr = (unsigned long)src; > + src_addr = (unsigned long)untagged_addr(src); > if (likely(src_addr < max_addr)) { > unsigned long max = max_addr - src_addr; > long retval; > diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c > index 7f2db3fe311f..28ff554a1be8 100644 > --- a/lib/strnlen_user.c > +++ b/lib/strnlen_user.c > @@ -2,6 +2,7 @@ > #include <linux/kernel.h> > #include <linux/export.h> > #include <linux/uaccess.h> > +#include <linux/mm.h> > > #include <asm/word-at-a-time.h> > > @@ -109,7 +110,7 @@ long strnlen_user(const char __user *str, long count) > return 0; > > max_addr = user_addr_max(); > - src_addr = (unsigned long)str; > + src_addr = (unsigned long)untagged_addr(str); > if (likely(src_addr < max_addr)) { > unsigned long max = max_addr - src_addr; > long retval; > -- > 2.22.0.rc1.311.g5d7573a151-goog >
On 6/3/19 10:55 AM, Andrey Konovalov wrote: > This patch is a part of a series that extends arm64 kernel ABI to allow to > pass tagged user pointers (with the top byte set to something else other > than 0x00) as syscall arguments. > > strncpy_from_user and strnlen_user accept user addresses as arguments, and > do not go through the same path as copy_from_user and others, so here we > need to handle the case of tagged user addresses separately. > > Untag user pointers passed to these functions. > > Note, that this patch only temporarily untags the pointers to perform > validity checks, but then uses them as is to perform user memory accesses. > > Reviewed-by: Catalin Marinas <catalin.marinas@arm.com> > Signed-off-by: Andrey Konovalov <andreyknvl@google.com> > --- > lib/strncpy_from_user.c | 3 ++- > lib/strnlen_user.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) Looks good. Reviewed-by: Khalid Aziz <khalid.aziz@oracle.com> > > diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c > index 023ba9f3b99f..dccb95af6003 100644 > --- a/lib/strncpy_from_user.c > +++ b/lib/strncpy_from_user.c > @@ -6,6 +6,7 @@ > #include <linux/uaccess.h> > #include <linux/kernel.h> > #include <linux/errno.h> > +#include <linux/mm.h> > > #include <asm/byteorder.h> > #include <asm/word-at-a-time.h> > @@ -108,7 +109,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count) > return 0; > > max_addr = user_addr_max(); > - src_addr = (unsigned long)src; > + src_addr = (unsigned long)untagged_addr(src); > if (likely(src_addr < max_addr)) { > unsigned long max = max_addr - src_addr; > long retval; > diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c > index 7f2db3fe311f..28ff554a1be8 100644 > --- a/lib/strnlen_user.c > +++ b/lib/strnlen_user.c > @@ -2,6 +2,7 @@ > #include <linux/kernel.h> > #include <linux/export.h> > #include <linux/uaccess.h> > +#include <linux/mm.h> > > #include <asm/word-at-a-time.h> > > @@ -109,7 +110,7 @@ long strnlen_user(const char __user *str, long count) > return 0; > > max_addr = user_addr_max(); > - src_addr = (unsigned long)str; > + src_addr = (unsigned long)untagged_addr(str); > if (likely(src_addr < max_addr)) { > unsigned long max = max_addr - src_addr; > long retval; >
diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c index 023ba9f3b99f..dccb95af6003 100644 --- a/lib/strncpy_from_user.c +++ b/lib/strncpy_from_user.c @@ -6,6 +6,7 @@ #include <linux/uaccess.h> #include <linux/kernel.h> #include <linux/errno.h> +#include <linux/mm.h> #include <asm/byteorder.h> #include <asm/word-at-a-time.h> @@ -108,7 +109,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count) return 0; max_addr = user_addr_max(); - src_addr = (unsigned long)src; + src_addr = (unsigned long)untagged_addr(src); if (likely(src_addr < max_addr)) { unsigned long max = max_addr - src_addr; long retval; diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c index 7f2db3fe311f..28ff554a1be8 100644 --- a/lib/strnlen_user.c +++ b/lib/strnlen_user.c @@ -2,6 +2,7 @@ #include <linux/kernel.h> #include <linux/export.h> #include <linux/uaccess.h> +#include <linux/mm.h> #include <asm/word-at-a-time.h> @@ -109,7 +110,7 @@ long strnlen_user(const char __user *str, long count) return 0; max_addr = user_addr_max(); - src_addr = (unsigned long)str; + src_addr = (unsigned long)untagged_addr(str); if (likely(src_addr < max_addr)) { unsigned long max = max_addr - src_addr; long retval;