From patchwork Thu Oct 27 14:54:50 2016
X-Patchwork-Submitter: Catalin Marinas
X-Patchwork-Id: 79703
Date: Thu, 27 Oct 2016 15:54:50 +0100
From: Catalin Marinas
To: Kees Cook
Subject: Re: [kernel-hardening] Re: [PATCH v3 0/7] arm64: Privileged Access Never using TTBR0_EL1 switching
Message-ID: <20161027145450.GB3762@e104818-lin.cambridge.arm.com>
References: <1473788797-10879-1-git-send-email-catalin.marinas@arm.com> <20160915162044.GB19214@leverpostej> <20160929224452.GA71670@samitolvanen.mtv.corp.google.com>
Cc: "kernel-hardening@lists.openwall.com", andre.przywara@arm.com, Ard Biesheuvel, Will Deacon, AKASHI Takahiro, James Morse, "linux-arm-kernel@lists.infradead.org", Sami Tolvanen, "Suzuki K. Poulose"
List: linux-arm-kernel@lists.infradead.org

On Fri, Sep 30, 2016 at 11:42:02AM -0700, Kees Cook wrote:
> On Thu, Sep 29, 2016 at 3:44 PM, Sami Tolvanen wrote:
> > On Thu, Sep 15, 2016 at 05:20:45PM +0100, Mark Rutland wrote:
> >> Likewise, how do we handle __flush_cache_user_range and
> >> flush_icache_range? Some callers (e.g. __do_compat_cache_op) pass in
> >> __user addresses.
> >
> > Also EXEC_USERSPACE in lkdtm passes a user space address to flush_icache_range
> > and causes the process to hang when I tested these patches on HiKey.
> >
> > Adding uaccess_{enable,disable}_not_uao to __flush_cache_user_range appears to
> > fix the problem.
>
> I had a thought just now on this: is lkdtm maybe doing the wrong thing
> here? i.e. should lkdtm be the one to do the uaccess_en/disable
> instead of flush_icache_range() itself, since it's the one abusing the
> API? (preparing the v4 series)

I think lkdtm is using the API incorrectly here. The documentation for
flush_icache_range() (Documentation/cachetlb.txt) states that it is to be
used on kernel addresses. Even with uaccess_enable/disable in lkdtm, faults
on user space can still happen and the flush_icache_range() function must
be able to handle them. It happens to work on arm64 because of the fall
through __flush_cache_user_range() but that's not guaranteed on other
architectures.

A potential solution is to use access_process_vm() and let the arch code
handle the cache maintenance automatically:

---------------------8<--------------------------------
From fcbb7c9c30daf9bfc2a215ec10dba79c109ab835 Mon Sep 17 00:00:00 2001
From: Catalin Marinas
Date: Thu, 27 Oct 2016 15:47:20 +0100
Subject: [PATCH] lkdtm: Do not use flush_icache_range() on user addresses

The flush_icache_range() API is meant to be used on kernel addresses only
as it may not have the infrastructure (exception entries) to handle user
memory faults.

The lkdtm execute_user_location() function tests the kernel execution of
user space addresses by mmap'ing an anonymous page, copying some code
together with cache maintenance and attempting to run it. However, the
cache maintenance step may fail because of the incorrect API usage
described above.

The patch changes lkdtm to use access_process_vm() for copying the code
into user space which would take care of the necessary cache maintenance.

Signed-off-by: Catalin Marinas
---
 drivers/misc/lkdtm_perms.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c index 45f1c0f96612..c7635a79341f 100644 --- a/drivers/misc/lkdtm_perms.c +++ b/drivers/misc/lkdtm_perms.c @@ -60,15 +60,18 @@ static noinline void execute_location(void *dst, bool write) static void execute_user_location(void *dst) { + int copied; + /* Intentionally crossing kernel/user memory boundary. */ void (*func)(void) = dst; pr_info("attempting ok execution at %p\n", do_nothing); do_nothing(); - if (copy_to_user((void __user *)dst, do_nothing, EXEC_SIZE)) + copied = access_process_vm(current, (unsigned long)dst, do_nothing, + EXEC_SIZE, FOLL_WRITE); + if (copied < EXEC_SIZE) return; - flush_icache_range((unsigned long)dst, (unsigned long)dst + EXEC_SIZE); pr_info("attempting bad execution at %p\n", func); func(); }
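Review bot: the "if (copied < EXEC_SIZE) return;" path is silent, so when access_process_vm() copies fewer bytes than asked for (it returns the byte count, i.e. 0 or a short count when the remote page cannot be pinned) the test quietly skips the "attempting bad execution" step and nothing in the log says why; a pr_warn() giving EXEC_SIZE and the returned count before that return would make a skipped test distinguishable from a passed one. The commit message should also say that the hunk relies on the access_process_vm() prototype that takes gup_flags (hence FOLL_WRITE as the fifth argument); on a tree without that conversion the last parameter is an int write flag and the call does not build as written. Finally, with the only flush_icache_range() call in this function removed, check whether the file's asm/cacheflush.h include is still needed.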
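Added example, not from this thread and not the lkdtm or arm64 code: the user-space counterpart of what execute_user_location() does, namely write machine code into an anonymous page, perform the cache maintenance the architecture requires, then execute it. It is here to make the purpose of the flush step concrete. In user space the maintenance primitive is the compiler builtin __builtin___clear_cache(); in the kernel the point of the patch above is that the copy path behind access_process_vm() does that work for a user address, whereas flush_icache_range() is only for kernel addresses. The hand-assembled "return 42" encodings, the page-sized mapping and the write-then-mprotect (W^X) sequence are this example's own choices; the lkdtm test itself only needs the mapping to be writable and executable.

```c
/* Added example: user-space analogue of lkdtm's execute_user_location().
 * Not from the patch above. Builds with gcc or clang on x86-64 and AArch64. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hand-assembled "return 42" (standard encodings; the value 42 is arbitrary). */
#if defined(__x86_64__)
#define HAVE_RET42 1
static const uint8_t ret42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                 0xc3 };                         /* ret         */
#elif defined(__aarch64__)
#define HAVE_RET42 1
static const uint8_t ret42[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                 0xc0, 0x03, 0x5f, 0xd6 };       /* ret         */
#else
#define HAVE_RET42 0
#endif

/* Copies the code into a fresh mapping, does the cache maintenance, runs it.
 * Returns what the generated code returns (42), or -1 on failure. */
int run_generated_code(void)
{
#if !HAVE_RET42
	return -1;                      /* no encoding for this architecture */
#else
	long page = sysconf(_SC_PAGESIZE);
	if (page <= 0)
		return -1;

	/* Stage 1: writable but not executable while the code is written. */
	uint8_t *code = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
			     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (code == MAP_FAILED)
		return -1;
	memcpy(code, ret42, sizeof(ret42));

	/* Stage 2: make it executable (W^X: never writable and executable at once). */
	if (mprotect(code, (size_t)page, PROT_READ | PROT_EXEC) != 0) {
		munmap(code, (size_t)page);
		return -1;
	}

	/* Stage 3: the cache maintenance. On AArch64 the instruction cache is
	 * not guaranteed coherent with the data stores above, so stale lines
	 * must be cleaned/invalidated for this range before executing; on
	 * x86-64 the builtin expands to nothing. This is the step the lkdtm
	 * test tried to do with flush_icache_range() on a user address. */
	__builtin___clear_cache((char *)code, (char *)code + sizeof(ret42));

	int (*fn)(void) = (int (*)(void))(uintptr_t)code;
	int ret = fn();

	munmap(code, (size_t)page);
	return ret;
#endif
}

int main(void)
{
	int ret = run_generated_code();
	printf("generated code returned %d\n", ret);
	return ret == 42 ? 0 : 1;
}
```

The two-stage mapping is deliberate: a single read/write/exec page is the simplest way to run the test, but on systems that forbid RWX anonymous mappings the mmap() fails outright, and staging W then X is what a hardened JIT does anyway. Dropping the __builtin___clear_cache() call will usually still "work" on x86-64 and will fail intermittently on AArch64, which is exactly the class of bug the kernel-side cache maintenance in access_process_vm() exists to prevent.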