[RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks

[RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Mark Rutland <mark.rutland@arm.com> · 2017-10-26
[RFC PATCH 1/2] arm64: write __range_ok() in C · Mark Rutland <mark.rutland@arm.com> · 2017-10-26
Re: [RFC PATCH 1/2] arm64: write __range_ok() in C · Will Deacon <hidden> · 2017-11-16
Re: [RFC PATCH 1/2] arm64: write __range_ok() in C · Mark Rutland <mark.rutland@arm.com> · 2017-11-20
[RFC PATCH 2/2] arm64: allow paranoid __{get,put}user · Mark Rutland <mark.rutland@arm.com> · 2017-10-26
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Will Deacon <hidden> · 2017-10-27
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Mark Rutland <mark.rutland@arm.com> · 2017-10-28
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Russell King - ARM Linux <linux@armlinux.org.uk> · 2017-10-28
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Laura Abbott <hidden> · 2017-10-31
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Mark Rutland <mark.rutland@arm.com> · 2017-11-01
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Laura Abbott <hidden> · 2017-11-01
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Kees Cook <hidden> · 2017-11-01
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Laura Abbott <hidden> · 2017-11-01
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Kees Cook <hidden> · 2017-11-01
Re: [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks · Laura Abbott <hidden> · 2017-11-02

From: Laura Abbott <hidden>
Date: 2017-11-01 21:13:50
Also in: lkml

On 11/01/2017 05:05 AM, Mark Rutland wrote:

On Tue, Oct 31, 2017 at 04:56:39PM -0700, Laura Abbott wrote:

quoted

On 10/26/2017 02:09 AM, Mark Rutland wrote:

quoted

In Prague, Kees mentioned that it would be nice to have a mechanism to
catch bad __{get,put}_user uses, such as the recent CVE-2017-5123 [1,2]
issue with unsafe_put_user() in waitid().

These patches allow an optional access_ok() check to be dropped in
arm64's __{get,put}_user() primitives. These will then BUG() if a bad
user pointer is passed (which should only happen in the absence of an
earlier access_ok() check).

quoted

Turning on the option fails as soon as we hit userspace. On my buildroot
based environment I get the help text for ld.so (????) and then a message
about attempting to kill init.

Ouch. Thanks for the report, and sorry about this.

The problem is that I evaluate the ptr argument twice in
__{get,put}_user(), and this may have side effects.

e.g. when the ELF loader does things like:

  __put_user((elf_addr_t)p, sp++)

... we increment sp twice, and write to the wrong user address, leaving
sp corrupt.

I have an additional patch [1] to fix this, which is in my
arm64/access-ok branch [2].

Thanks,
Mark.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/commit/?h=arm64/access-ok&id=ebb7ff83eb53b8810395d5cf48712a4ae6d678543
[2] https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=arm64/access-ok

Thanks, the updated patch works. I wrote an LKDTM test to verify
the expected behavior (__{get,put}_user panic whereas {get,put}_user
do not). You're welcome to add Tested-by or I can wait for v2.

Thanks,
Laura

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help