From patchwork Mon Dec 10 12:50:57 2018
X-Patchwork-Submitter: Andrey Konovalov
X-Patchwork-Id: 10721211
From: Andrey Konovalov
To: Catalin Marinas, Will Deacon, Mark Rutland, Robin Murphy, Kees Cook,
    Kate Stewart, Greg Kroah-Hartman, Andrew Morton, Ingo Molnar,
    "Kirill A . Shutemov", Shuah Khan,
    linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
    linux-mm@kvack.org, linux-arch@vger.kernel.org,
    linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Dmitry Vyukov, Kostya Serebryany, Evgeniy Stepanov, Lee Smith,
    Ramana Radhakrishnan, Jacob Bramley, Ruben Ayrapetyan,
    Chintan Pandya, Luc Van Oostenryck, Andrey Konovalov
Subject: [PATCH v9 0/8] arm64: untag user pointers passed to the kernel
Date: Mon, 10 Dec 2018 13:50:57 +0100

arm64 has a feature called Top Byte Ignore, which allows embedding
pointer tags into the top byte of each pointer. Userspace programs (such
as HWASan, a memory debugging tool [1]) might use this feature and pass
tagged user pointers to the kernel through syscalls or other interfaces.

Right now the kernel is already able to handle user faults with tagged
pointers, due to these patches:

1. 81cddd65 ("arm64: traps: fix userspace cache maintenance emulation on
   a tagged pointer")
2. 7dcd9dd8 ("arm64: hw_breakpoint: fix watchpoint matching for tagged
   pointers")
3. 276e9327 ("arm64: entry: improve data abort handling of tagged
   pointers")

When passing tagged pointers to syscalls, there's a special case of such
a pointer being passed to one of the memory syscalls (mmap, mprotect,
etc.). These syscalls don't do memory accesses but rather deal with
memory ranges, hence an untagged pointer is better suited.

This patchset extends tagged pointer support to non-memory syscalls. This
is done by reusing the untagged_addr macro to untag user pointers when
the kernel performs pointer checking to find out whether the pointer
comes from userspace (most notably in access_ok). The untagging is done
only when the pointer is being checked; the tag is preserved as the
pointer makes its way through the kernel.

One of the alternative approaches to untagging that was considered is to
completely strip the pointer tag as the pointer enters the kernel with
some kind of a syscall wrapper, but that won't work with the countless
number of different ioctl calls. With this approach we would need a
custom wrapper for each ioctl variation, which doesn't seem practical.

The following testing approaches have been taken to find potential issues
with user pointer untagging:

1. Static testing (with sparse [2] and separately with a custom static
   analyzer based on Clang) to track casts of __user pointers to integer
   types to find places where untagging needs to be done.

2. Dynamic testing: adding BUG_ON(has_tag(addr)) to find_vma() and
   running a modified syzkaller version that passes tagged pointers to
   the kernel.

Based on the results of the testing the required patches have been added
to the patchset.

This patchset has been merged into the Pixel 2 kernel tree and is now
being used to enable testing of Pixel 2 phones with HWASan.

This patchset is a prerequisite for ARM's memory tagging hardware feature
support [3].

Thanks!

[1] http://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html
[2] https://github.com/lucvoo/sparse-dev/commit/5f960cb10f56ec2017c128ef9d16060e0145f292
[3] https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a

Changes in v9:
- Rebased onto 4.20-rc6.
- Used u64 instead of __u64 in type casts in the untagged_addr macro for
  arm64.
- Added braces around (addr) in the untagged_addr macro for other arches.

Changes in v8:
- Rebased onto 65102238 (4.20-rc1).
- Added a note to the cover letter on why syscall wrappers/shims that untag
  user pointers won't work.
- Added a note to the cover letter that this patchset has been merged into
  the Pixel 2 kernel tree.
- Documentation fixes, in particular added a list of syscalls that don't
  support tagged user pointers.

Changes in v7:
- Rebased onto 17b57b18 (4.19-rc6).
- Dropped the "arm64: untag user address in __do_user_fault" patch, since
  the existing patches already handle user faults properly.
- Dropped the "usb, arm64: untag user addresses in devio" patch, since the
  passed pointer must come from a vma and therefore be untagged.
- Dropped the "arm64: annotate user pointers casts detected by sparse"
  patch (see the discussion to the replies of the v6 of this patchset).
- Added more context to the cover letter.
- Updated Documentation/arm64/tagged-pointers.txt.

Changes in v6:
- Added annotations for user pointer casts found by sparse.
- Rebased onto 050cdc6c (4.19-rc1+).

Changes in v5:
- Added 3 new patches that add untagging to places found with static
  analysis.
- Rebased onto 44c929e1 (4.18-rc8).

Changes in v4:
- Added a selftest for checking that passing tagged pointers to the
  kernel succeeds.
- Rebased onto 81e97f013 (4.18-rc1+).

Changes in v3:
- Rebased onto e5c51f30 (4.17-rc6+).
- Added linux-arch@ to the list of recipients.

Changes in v2:
- Rebased onto 2d618bdf (4.17-rc3+).
- Removed excessive untagging in gup.c.
- Removed untagging pointers returned from __uaccess_mask_ptr.

Changes in v1:
- Rebased onto 4.17-rc1.

Changes in RFC v2:
- Added "#ifndef untagged_addr..." fallback in linux/uaccess.h instead of
  defining it for each arch individually.
- Updated Documentation/arm64/tagged-pointers.txt.
- Dropped "mm, arm64: untag user addresses in memory syscalls".
- Rebased onto 3eb2ce82 (4.16-rc7).

Reviewed-by: Luc Van Oostenryck
Signed-off-by: Andrey Konovalov

Andrey Konovalov (8):
  arm64: add type casts to untagged_addr macro
  uaccess: add untagged_addr definition for other arches
  arm64: untag user addresses in access_ok and __uaccess_mask_ptr
  mm, arm64: untag user addresses in mm/gup.c
  lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user
  fs, arm64: untag user address in copy_mount_options
  arm64: update Documentation/arm64/tagged-pointers.txt
  selftests, arm64: add a selftest for passing tagged pointers to kernel

 Documentation/arm64/tagged-pointers.txt       | 25 +++++++++++--------
 arch/arm64/include/asm/uaccess.h              | 14 +++++++----
 fs/namespace.c                                |  2 +-
 include/linux/uaccess.h                       |  4 +++
 lib/strncpy_from_user.c                       |  2 ++
 lib/strnlen_user.c                            |  2 ++
 mm/gup.c                                      |  4 +++
 tools/testing/selftests/arm64/.gitignore      |  1 +
 tools/testing/selftests/arm64/Makefile        | 11 ++++++++
 .../testing/selftests/arm64/run_tags_test.sh  | 12 +++++++++
 tools/testing/selftests/arm64/tags_test.c     | 19 ++++++++++++++
 11 files changed, 80 insertions(+), 16 deletions(-)
 create mode 100644 tools/testing/selftests/arm64/.gitignore
 create mode 100644 tools/testing/selftests/arm64/Makefile
 create mode 100755 tools/testing/selftests/arm64/run_tags_test.sh
 create mode 100644 tools/testing/selftests/arm64/tags_test.c
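
Added example, not part of the original message or of the patch set: a userspace C model of the check-time untagging the cover letter describes, next to a range check that does no untagging. The 48-bit user address limit, the sign extension from bit 55 and the helper names (set_tag, untag, strict_range_ok, user_range_ok) are assumptions for illustration; has_tag borrows the name from the cover letter's dynamic test, with an assumed body.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_SHIFT  56
#define TAG_MASK   (UINT64_C(0xff) << TAG_SHIFT)
#define USER_LIMIT (UINT64_C(1) << 48)   /* assumed 48-bit user VA space */

/* Put an 8-bit tag into the top byte, as a TBI-aware tool such as HWASan does. */
static uint64_t set_tag(uint64_t addr, uint8_t tag)
{
    return (addr & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}

/* Non-zero top byte on a user address (assumed body for the has_tag idea). */
static bool has_tag(uint64_t addr)
{
    return (addr & TAG_MASK) != 0;
}

/* Sign-extend from bit 55: user addresses get a zero top byte, while an
 * address with bit 55 set keeps looking like a kernel address. */
static uint64_t untag(uint64_t addr)
{
    return (addr & (UINT64_C(1) << 55)) ? (addr | TAG_MASK) : (addr & ~TAG_MASK);
}

/* Range check without untagging: rejects every tagged user pointer. */
static bool strict_range_ok(uint64_t addr, uint64_t size)
{
    return size <= USER_LIMIT && addr <= USER_LIMIT - size;
}

/* Check-time untagging: only the value being compared is untagged; the
 * caller keeps using its original, still-tagged pointer afterwards. */
static bool user_range_ok(uint64_t addr, uint64_t size)
{
    return strict_range_ok(untag(addr), size);
}

int main(void)
{
    uint64_t p = set_tag(UINT64_C(0x00007fffdeadb000), 0x2a); /* constructed */
    uint64_t k = set_tag(UINT64_C(0x0080000000001000), 0x2a); /* bit 55 set */

    printf("user ptr  %#018llx has_tag=%d strict=%d untagged_check=%d\n",
           (unsigned long long)p, has_tag(p),
           strict_range_ok(p, 4096), user_range_ok(p, 4096));
    printf("bit55 ptr %#018llx untag=%#018llx untagged_check=%d\n",
           (unsigned long long)k, (unsigned long long)untag(k),
           user_range_ok(k, 4096));
    return 0;
}
```

The bit-55 case is the one to watch in review: masking the top byte unconditionally would still fail the range check here, but sign extension keeps such a value on the kernel side of any limit regardless of the configured address-space size.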