From patchwork Thu Oct 26 09:09:42 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 117183 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp524989qgn; Thu, 26 Oct 2017 02:10:06 -0700 (PDT) X-Google-Smtp-Source: ABhQp+TnaklCSXHR4E3tL0mXTrEWIkKUFGRhJ3ProbrVijd3AYBOHZpsHPVG6Ha5JYAq42zr7cia X-Received: by 10.84.174.4 with SMTP id q4mr3979904plb.233.1509009006035; Thu, 26 Oct 2017 02:10:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509009006; cv=none; d=google.com; s=arc-20160816; b=HOGdSDYyKlyjYL9wAoVoVQ4DaRm8Qb3B/JSMauC++5ETn6p6vaqm3QYOA4QwxQzzj/ U39PNv9ls3eRwKXosXGYKYFz+6MHMrdcyrofk1MZFqe4SYJAKo2zsmxtlw9M1umPZRsH JB3qZXHaHXf4IIHVL/whygfXWjy7E5NVSxiEpqOH42XirNJoP6vWGWTSyt4J4YmaPX5v a1W2fSQh+w2deGtJT78YPVAn96Rr50Dxiw34O8OcsHqDcLcESZR+HWbcL0w8kCXJnJpM QF4c4f+Ywf00cYvCFWzfAdRyNq6wI2OaHpjCSvG5biDbop2pEJ0ip61OGjzIxml5qPQR XRCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=68cjIGFqm/1KKpRGAkuZTf+cFKP5/Rd7sZZ/TVrTm9U=; b=jzpP9ieu0XkKK2ss8ptUFMWTcWerYP4+RLQ6IGMgPiEpezhk0WPMy2AuYphhw9mvgF S8FqL2fdhkUIDstS/3ymA5+hcIHlquIB6ZOV9mMds0leTYAwP1VXRMlUefYb+ejfVjwx AKFbdEEYGoL3JK3QTr0aahDRhE+HgWkbmxpy/6kqkmx5R3tl5sDZKb4pLpKDuTOnfNLX lCz8x+WsJxvXmYj671kLdjX3iireZ1GmNJsmf1Km7d6hgPCwo35UjPxBTmO0dnXbevSw WgewgD0LY8/+rmDtNNfn6KeBg5rxqKrWlv8SH2pP3BNPstWz82Io019N6RYi+iE44xc5 d2pA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s4si3073329pgr.105.2017.10.26.02.10.05; Thu, 26 Oct 2017 02:10:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932376AbdJZJKD (ORCPT + 27 others); Thu, 26 Oct 2017 05:10:03 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:44664 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932290AbdJZJJ4 (ORCPT ); Thu, 26 Oct 2017 05:09:56 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B09491650; Thu, 26 Oct 2017 02:09:55 -0700 (PDT) Received: from localhost.localdomain (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id E82D63F25D; Thu, 26 Oct 2017 02:09:53 -0700 (PDT) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Mark Rutland , Catalin Marinas , Kees Cook , Laura Abbott , Will Deacon Subject: [RFC PATCH 2/2] arm64: allow paranoid __{get,put}user Date: Thu, 26 Oct 2017 10:09:42 +0100 Message-Id: <20171026090942.7041-3-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171026090942.7041-1-mark.rutland@arm.com> References: <20171026090942.7041-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Now that the compiler can identify redundant access_ok() checks, we can make __get-user() and __put_user() BUG()-out if there wasn't a preceding access_ok() check. So long as that's in the same compilation unit, the compiler should be able to get rid of the redundant second check and BUG entry. This will allow us to catch __{get,put}_user() calls which did not have a preceding access_ok() check, but may adversely affect a small number of callsites where GCC fails to spot that it can fold two access_ok() checks together. As these checks may impact performance and code size, they are only enabled when CONFIG_ARM64_PARANOID_UACCESS is selected. In testing with v4.14-rc5 with the Linaro 17.05 GCC 6.3.1 toolchain, this makes the kernel Image ~4KiB bigger, and the vmlinux ~93k bigger. I have no performance numbers so far. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Kees Cook Cc: Laura Abbott Cc: Will Deacon --- arch/arm64/Kconfig | 9 +++++++++ arch/arm64/include/asm/uaccess.h | 8 ++++++++ 2 files changed, 17 insertions(+) -- 2.11.0 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 0df64a6a56d4..34df81acda8e 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1028,6 +1028,15 @@ config RANDOMIZE_MODULE_REGION_FULL a limited range that contains the [_stext, _etext] interval of the core kernel, so branch relocations are always in range. +config ARM64_PARANOID_UACCESS + bool "Use paranoid uaccess primitives" + help + Forces access_ok() checks in __get_user(), __put_user(), and other + low-level uaccess primitives which usually do not have checks. This + can limit the effect of missing access_ok() checks in higher-level + primitives, with a runtime performance overhead in some cases and a + small code size overhead. + endmenu menu "Boot options" diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 36f84ec92b9d..dbe8dfd46ceb 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -195,6 +195,12 @@ static inline void uaccess_enable_not_uao(void) __uaccess_enable(ARM64_ALT_PAN_NOT_UAO); } +#define verify_uaccess(dir, ptr) \ +({ \ + if (IS_ENABLED(CONFIG_ARM64_PARANOID_UACCESS)) \ + BUG_ON(!access_ok(dir, (ptr), sizeof(*(ptr)))); \ +}) + /* * The "__xxx" versions of the user access functions do not verify the address * space - it must have been done previously with a separate "access_ok()" @@ -222,6 +228,7 @@ static inline void uaccess_enable_not_uao(void) do { \ unsigned long __gu_val; \ __chk_user_ptr(ptr); \ + verify_uaccess(VERIFY_READ, ptr); \ uaccess_enable_not_uao(); \ switch (sizeof(*(ptr))) { \ case 1: \ @@ -287,6 +294,7 @@ do { \ do { \ __typeof__(*(ptr)) __pu_val = (x); \ __chk_user_ptr(ptr); \ + verify_uaccess(VERIFY_WRITE, ptr); \ uaccess_enable_not_uao(); \ switch (sizeof(*(ptr))) { \ case 1: \