From patchwork Thu Oct 26 09:09:42 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mark Rutland <mark.rutland@arm.com>
X-Patchwork-Id: 117183
Delivered-To: patch@linaro.org
Received: by 10.140.22.164 with SMTP id 33csp524989qgn;
 Thu, 26 Oct 2017 02:10:06 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+TnaklCSXHR4E3tL0mXTrEWIkKUFGRhJ3ProbrVijd3AYBOHZpsHPVG6Ha5JYAq42zr7cia
X-Received: by 10.84.174.4 with SMTP id q4mr3979904plb.233.1509009006035;
 Thu, 26 Oct 2017 02:10:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1509009006; cv=none;
 d=google.com; s=arc-20160816;
 b=HOGdSDYyKlyjYL9wAoVoVQ4DaRm8Qb3B/JSMauC++5ETn6p6vaqm3QYOA4QwxQzzj/
 U39PNv9ls3eRwKXosXGYKYFz+6MHMrdcyrofk1MZFqe4SYJAKo2zsmxtlw9M1umPZRsH
 JB3qZXHaHXf4IIHVL/whygfXWjy7E5NVSxiEpqOH42XirNJoP6vWGWTSyt4J4YmaPX5v
 a1W2fSQh+w2deGtJT78YPVAn96Rr50Dxiw34O8OcsHqDcLcESZR+HWbcL0w8kCXJnJpM
 QF4c4f+Ywf00cYvCFWzfAdRyNq6wI2OaHpjCSvG5biDbop2pEJ0ip61OGjzIxml5qPQR
 XRCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:arc-authentication-results;
 bh=68cjIGFqm/1KKpRGAkuZTf+cFKP5/Rd7sZZ/TVrTm9U=;
 b=jzpP9ieu0XkKK2ss8ptUFMWTcWerYP4+RLQ6IGMgPiEpezhk0WPMy2AuYphhw9mvgF
 S8FqL2fdhkUIDstS/3ymA5+hcIHlquIB6ZOV9mMds0leTYAwP1VXRMlUefYb+ejfVjwx
 AKFbdEEYGoL3JK3QTr0aahDRhE+HgWkbmxpy/6kqkmx5R3tl5sDZKb4pLpKDuTOnfNLX
 lCz8x+WsJxvXmYj671kLdjX3iireZ1GmNJsmf1Km7d6hgPCwo35UjPxBTmO0dnXbevSw
 WgewgD0LY8/+rmDtNNfn6KeBg5rxqKrWlv8SH2pP3BNPstWz82Io019N6RYi+iE44xc5
 d2pA==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id s4si3073329pgr.105.2017.10.26.02.10.05;
 Thu, 26 Oct 2017 02:10:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S932376AbdJZJKD (ORCPT <rfc822;semen.protsenko@linaro.org>
 + 27 others); Thu, 26 Oct 2017 05:10:03 -0400
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:44664 "EHLO
 foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
 id S932290AbdJZJJ4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
 Thu, 26 Oct 2017 05:09:56 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B09491650;
 Thu, 26 Oct 2017 02:09:55 -0700 (PDT)
Received: from localhost.localdomain (usa-sjc-mx-foss1.foss.arm.com
 [217.140.101.70])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id
 E82D63F25D; Thu, 26 Oct 2017 02:09:53 -0700 (PDT)
From: Mark Rutland <mark.rutland@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com,
 Mark Rutland <mark.rutland@arm.com>,
 Catalin Marinas <catalin.marinas@arm.com>,
 Kees Cook <keescook@chromium.org>, Laura Abbott <labbott@redhat.com>,
 Will Deacon <will.deacon@arm.com>
Subject: [RFC PATCH 2/2] arm64: allow paranoid __{get,put}user
Date: Thu, 26 Oct 2017 10:09:42 +0100
Message-Id: <20171026090942.7041-3-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20171026090942.7041-1-mark.rutland@arm.com>
References: <20171026090942.7041-1-mark.rutland@arm.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Now that the compiler can identify redundant access_ok() checks, we can
make __get-user() and __put_user() BUG()-out if there wasn't a preceding
access_ok() check. So long as that's in the same compilation unit, the
compiler should be able to get rid of the redundant second check and BUG
entry.

This will allow us to catch __{get,put}_user() calls which did not have
a preceding access_ok() check, but may adversely affect a small number
of callsites where GCC fails to spot that it can fold two access_ok()
checks together.

As these checks may impact performance and code size, they are only
enabled when CONFIG_ARM64_PARANOID_UACCESS is selected.

In testing with v4.14-rc5 with the Linaro 17.05 GCC 6.3.1 toolchain,
this makes the kernel Image ~4KiB bigger, and the vmlinux ~93k bigger. I
have no performance numbers so far.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
---
 arch/arm64/Kconfig               | 9 +++++++++
 arch/arm64/include/asm/uaccess.h | 8 ++++++++
 2 files changed, 17 insertions(+)

-- 
2.11.0

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 0df64a6a56d4..34df81acda8e 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1028,6 +1028,15 @@ config RANDOMIZE_MODULE_REGION_FULL
 	  a limited range that contains the [_stext, _etext] interval of the
 	  core kernel, so branch relocations are always in range.
 
+config ARM64_PARANOID_UACCESS
+	bool "Use paranoid uaccess primitives"
+	help
+	  Forces access_ok() checks in __get_user(), __put_user(), and other
+	  low-level uaccess primitives which usually do not have checks. This
+	  can limit the effect of missing access_ok() checks in higher-level
+	  primitives, with a runtime performance overhead in some cases and a
+	  small code size overhead.
+
 endmenu
 
 menu "Boot options"
diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index 36f84ec92b9d..dbe8dfd46ceb 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -195,6 +195,12 @@ static inline void uaccess_enable_not_uao(void)
 	__uaccess_enable(ARM64_ALT_PAN_NOT_UAO);
 }
 
+#define verify_uaccess(dir, ptr)					\
+({									\
+	if (IS_ENABLED(CONFIG_ARM64_PARANOID_UACCESS))			\
+		BUG_ON(!access_ok(dir, (ptr), sizeof(*(ptr))));		\
+})
+
 /*
  * The "__xxx" versions of the user access functions do not verify the address
  * space - it must have been done previously with a separate "access_ok()"
@@ -222,6 +228,7 @@ static inline void uaccess_enable_not_uao(void)
 do {									\
 	unsigned long __gu_val;						\
 	__chk_user_ptr(ptr);						\
+	verify_uaccess(VERIFY_READ, ptr);				\
 	uaccess_enable_not_uao();					\
 	switch (sizeof(*(ptr))) {					\
 	case 1:								\
@@ -287,6 +294,7 @@ do {									\
 do {									\
 	__typeof__(*(ptr)) __pu_val = (x);				\
 	__chk_user_ptr(ptr);						\
+	verify_uaccess(VERIFY_WRITE, ptr);				\
 	uaccess_enable_not_uao();					\
 	switch (sizeof(*(ptr))) {					\
 	case 1:								\