From patchwork Thu Oct 26 09:09:41 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 117184 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp525242qgn; Thu, 26 Oct 2017 02:10:22 -0700 (PDT) X-Google-Smtp-Source: ABhQp+QVxalU631aWKHaKz4tD1Yagzhynx1kq/FTipcXGeOSWUtEnjveY+WoRBAbK0XDoZyzwFO6 X-Received: by 10.84.241.5 with SMTP id a5mr3762685pll.81.1509009022382; Thu, 26 Oct 2017 02:10:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509009022; cv=none; d=google.com; s=arc-20160816; b=Xy5lqF+3mDqIWZF66cjmOuhim5hXpRoF3QypqiiQaVvAe7eZ1ds7Z8/sZojS4YYwYh HWfKQq9Qx/P7y71ZvZ14sptUGMSo6JPHUt73zLZZG1RhjYnOhxglmyyeq+UPsnVejHFj n7ucPt4kf0LNbOFUJmJHWTrdG9ocmuyew+wYeTkva/l5MPEROV47R5QFbv4YraWzoHS7 IhlLp3/2oyGfeNfXIcMR3/lPWZPPEb0Cv0Bt2zYMh0LOcRq+TTIpNrG6w4+H80Iki2Ei gGzhwl/ats37KcOZvrKH3gAPT75/e3rItNWJnIZBYMQPn5e0/QYS6fi2CZSl70IAMHLg 3qPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=JzoTgeO799aQvzwJQAsSKka0aRqDDZChLAx0NNpKk9s=; b=UYLaqDTKpAGcHAxKtC3nGPGSMh5RrUhH4Y53Is90LhaEpToZRpdB19dtl+ROILH2t3 Axt9yfJ8eWq9rQTZuYflmtrZKareQr9INEQt4Fg2xJKD/zZIOm21EUhSeE00kZ0osLzo KzxEVuHaoFAZVT4DIjnxz2u/OxKB29AxAdh6Z4hyl0vRyTPBBFAgjH2QJdtrR8wo6zPU 5cLKiEmZvZdHeEssS7OeyOTOdhX8WQ+KFweapLXdQGXZMoh7MRQVWAzDsO23EADU01LD Tiy5xAvkve6GmqXTWSejZOAT8bRtY6yPJzp/XLPGUTJKJFYq53Ew4KlFRTABWAmZwTCo 4XEA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g127si3020331pgc.775.2017.10.26.02.10.22; Thu, 26 Oct 2017 02:10:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751918AbdJZJKC (ORCPT + 27 others); Thu, 26 Oct 2017 05:10:02 -0400 Received: from foss.arm.com ([217.140.101.70]:44652 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932301AbdJZJJx (ORCPT ); Thu, 26 Oct 2017 05:09:53 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2B0CE15BE; Thu, 26 Oct 2017 02:09:53 -0700 (PDT) Received: from localhost.localdomain (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 5F1EF3F25D; Thu, 26 Oct 2017 02:09:51 -0700 (PDT) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Mark Rutland , Catalin Marinas , Kees Cook , Laura Abbott , Will Deacon Subject: [RFC PATCH 1/2] arm64: write __range_ok() in C Date: Thu, 26 Oct 2017 10:09:41 +0100 Message-Id: <20171026090942.7041-2-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171026090942.7041-1-mark.rutland@arm.com> References: <20171026090942.7041-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Currently arm64's __range_ok() is written in assembly for efficiency. This hides the logic from the compiler, preventing the compiler from making some optimizations, such as re-ordering instructions or folding multiple calls to __range_ok(). This patch uses GCC's __builtin_uaddl_overflow() to provide an equivalent, efficient check, while giving the compiler the visibility it needs to optimize the check. In testing with v4.14-rc5 using the Linaro 17.05 GCC 6.3.1 toolchain, this has no impact on the kernel Image size, (but results in a smaller vmlinux). Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Kees Cook Cc: Laura Abbott Cc: Will Deacon --- arch/arm64/include/asm/uaccess.h | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) -- 2.11.0 diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index fc0f9eb66039..36f84ec92b9d 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -70,17 +70,20 @@ static inline void set_fs(mm_segment_t fs) * * This needs 65-bit arithmetic. */ +static bool __range_ok_c(unsigned long addr, unsigned long size) +{ + unsigned long result; + + if (__builtin_uaddl_overflow(addr, size, &result)) + return false; + + return result < current_thread_info()->addr_limit; +} + #define __range_ok(addr, size) \ ({ \ - unsigned long __addr = (unsigned long)(addr); \ - unsigned long flag, roksum; \ __chk_user_ptr(addr); \ - asm("adds %1, %1, %3; ccmp %1, %4, #2, cc; cset %0, ls" \ - : "=&r" (flag), "=&r" (roksum) \ - : "1" (__addr), "Ir" (size), \ - "r" (current_thread_info()->addr_limit) \ - : "cc"); \ - flag; \ + __range_ok_c((unsigned long)(addr), (unsigned long)(size)); \ }) /* From patchwork Thu Oct 26 09:09:42 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 117183 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp524989qgn; Thu, 26 Oct 2017 02:10:06 -0700 (PDT) X-Google-Smtp-Source: ABhQp+TnaklCSXHR4E3tL0mXTrEWIkKUFGRhJ3ProbrVijd3AYBOHZpsHPVG6Ha5JYAq42zr7cia X-Received: by 10.84.174.4 with SMTP id q4mr3979904plb.233.1509009006035; Thu, 26 Oct 2017 02:10:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509009006; cv=none; d=google.com; s=arc-20160816; b=HOGdSDYyKlyjYL9wAoVoVQ4DaRm8Qb3B/JSMauC++5ETn6p6vaqm3QYOA4QwxQzzj/ U39PNv9ls3eRwKXosXGYKYFz+6MHMrdcyrofk1MZFqe4SYJAKo2zsmxtlw9M1umPZRsH JB3qZXHaHXf4IIHVL/whygfXWjy7E5NVSxiEpqOH42XirNJoP6vWGWTSyt4J4YmaPX5v a1W2fSQh+w2deGtJT78YPVAn96Rr50Dxiw34O8OcsHqDcLcESZR+HWbcL0w8kCXJnJpM QF4c4f+Ywf00cYvCFWzfAdRyNq6wI2OaHpjCSvG5biDbop2pEJ0ip61OGjzIxml5qPQR XRCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=68cjIGFqm/1KKpRGAkuZTf+cFKP5/Rd7sZZ/TVrTm9U=; b=jzpP9ieu0XkKK2ss8ptUFMWTcWerYP4+RLQ6IGMgPiEpezhk0WPMy2AuYphhw9mvgF S8FqL2fdhkUIDstS/3ymA5+hcIHlquIB6ZOV9mMds0leTYAwP1VXRMlUefYb+ejfVjwx AKFbdEEYGoL3JK3QTr0aahDRhE+HgWkbmxpy/6kqkmx5R3tl5sDZKb4pLpKDuTOnfNLX lCz8x+WsJxvXmYj671kLdjX3iireZ1GmNJsmf1Km7d6hgPCwo35UjPxBTmO0dnXbevSw WgewgD0LY8/+rmDtNNfn6KeBg5rxqKrWlv8SH2pP3BNPstWz82Io019N6RYi+iE44xc5 d2pA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s4si3073329pgr.105.2017.10.26.02.10.05; Thu, 26 Oct 2017 02:10:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932376AbdJZJKD (ORCPT + 27 others); Thu, 26 Oct 2017 05:10:03 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:44664 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932290AbdJZJJ4 (ORCPT ); Thu, 26 Oct 2017 05:09:56 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B09491650; Thu, 26 Oct 2017 02:09:55 -0700 (PDT) Received: from localhost.localdomain (usa-sjc-mx-foss1.foss.arm.com [217.140.101.70]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id E82D63F25D; Thu, 26 Oct 2017 02:09:53 -0700 (PDT) From: Mark Rutland To: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Mark Rutland , Catalin Marinas , Kees Cook , Laura Abbott , Will Deacon Subject: [RFC PATCH 2/2] arm64: allow paranoid __{get,put}user Date: Thu, 26 Oct 2017 10:09:42 +0100 Message-Id: <20171026090942.7041-3-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171026090942.7041-1-mark.rutland@arm.com> References: <20171026090942.7041-1-mark.rutland@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Now that the compiler can identify redundant access_ok() checks, we can make __get-user() and __put_user() BUG()-out if there wasn't a preceding access_ok() check. So long as that's in the same compilation unit, the compiler should be able to get rid of the redundant second check and BUG entry. This will allow us to catch __{get,put}_user() calls which did not have a preceding access_ok() check, but may adversely affect a small number of callsites where GCC fails to spot that it can fold two access_ok() checks together. As these checks may impact performance and code size, they are only enabled when CONFIG_ARM64_PARANOID_UACCESS is selected. In testing with v4.14-rc5 with the Linaro 17.05 GCC 6.3.1 toolchain, this makes the kernel Image ~4KiB bigger, and the vmlinux ~93k bigger. I have no performance numbers so far. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Kees Cook Cc: Laura Abbott Cc: Will Deacon --- arch/arm64/Kconfig | 9 +++++++++ arch/arm64/include/asm/uaccess.h | 8 ++++++++ 2 files changed, 17 insertions(+) -- 2.11.0 diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 0df64a6a56d4..34df81acda8e 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1028,6 +1028,15 @@ config RANDOMIZE_MODULE_REGION_FULL a limited range that contains the [_stext, _etext] interval of the core kernel, so branch relocations are always in range. +config ARM64_PARANOID_UACCESS + bool "Use paranoid uaccess primitives" + help + Forces access_ok() checks in __get_user(), __put_user(), and other + low-level uaccess primitives which usually do not have checks. This + can limit the effect of missing access_ok() checks in higher-level + primitives, with a runtime performance overhead in some cases and a + small code size overhead. + endmenu menu "Boot options" diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 36f84ec92b9d..dbe8dfd46ceb 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -195,6 +195,12 @@ static inline void uaccess_enable_not_uao(void) __uaccess_enable(ARM64_ALT_PAN_NOT_UAO); } +#define verify_uaccess(dir, ptr) \ +({ \ + if (IS_ENABLED(CONFIG_ARM64_PARANOID_UACCESS)) \ + BUG_ON(!access_ok(dir, (ptr), sizeof(*(ptr)))); \ +}) + /* * The "__xxx" versions of the user access functions do not verify the address * space - it must have been done previously with a separate "access_ok()" @@ -222,6 +228,7 @@ static inline void uaccess_enable_not_uao(void) do { \ unsigned long __gu_val; \ __chk_user_ptr(ptr); \ + verify_uaccess(VERIFY_READ, ptr); \ uaccess_enable_not_uao(); \ switch (sizeof(*(ptr))) { \ case 1: \ @@ -287,6 +294,7 @@ do { \ do { \ __typeof__(*(ptr)) __pu_val = (x); \ __chk_user_ptr(ptr); \ + verify_uaccess(VERIFY_WRITE, ptr); \ uaccess_enable_not_uao(); \ switch (sizeof(*(ptr))) { \ case 1: \