Re: [PATCH v2 1/1] futex: remove duplicated code and fix UB
On Thu, 24 Aug 2017, Will Deacon wrote:
> On Thu, Aug 24, 2017 at 09:31:05AM +0200, Jiri Slaby wrote:
> > +static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user
> > *uaddr)
> > +{
> > + unsigned int op = (encoded_op & 0x7000) >> 28;
> > + unsigned int cmp =(encoded_op & 0x0f00) >> 24;
> > + int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 12);
> > + int cmparg = sign_extend32(encoded_op & 0x0fff, 12);
> > + int oldval, ret;
> > +
> > + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
> > + if (oparg < 0 || oparg > 31)
> > + return -EINVAL;
> > + oparg = 1 << oparg;
> > + }
> > +
> > + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
> > + return -EFAULT;
> > +
> > + ret = arch_futex_atomic_op_inuser(op, oparg, , uaddr);
> > + if (ret)
> > + return ret;
>
> We could move the pagefault_{disable,enable} calls here, and then remove
> them from the futex_atomic_op_inuser callsites elsewhere in futex.c
Correct, but we can do that after getting this in.
Thanks,
tglx
___
linux-snps-arc mailing list
linux-snps-arc@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-snps-arc
Re: [PATCH v2 1/1] futex: remove duplicated code and fix UB
Hi Jiri,
On Thu, Aug 24, 2017 at 09:31:05AM +0200, Jiri Slaby wrote:
> There is code duplicated over all architecture's headers for
> futex_atomic_op_inuser. Namely op decoding, access_ok check for uaddr,
> and comparison of the result.
>
> Remove this duplication and leave up to the arches only the needed
> assembly which is now in arch_futex_atomic_op_inuser.
>
> This effectively distributes the Will Deacon's arm64 fix for undefined
> behaviour reported by UBSAN to all architectures. The fix was done in
> commit 5f16a046f8e1 (arm64: futex: Fix undefined behaviour with
> FUTEX_OP_OPARG_SHIFT usage). Look there for an example dump.
>
> And as suggested by Thomas, check for negative oparg too, because it was
> also reported to cause undefined behaviour report.
>
> Note that s390 removed access_ok check in d12a29703 ("s390/uaccess:
> remove pointless access_ok() checks") as access_ok there returns true.
> We introduce it back to the helper for the sake of simplicity (it gets
> optimized away anyway).
For arm64 and the core code:
Reviewed-by: Will Deacon
Although one minor thing on the core part:
> diff --git a/kernel/futex.c b/kernel/futex.c
> index 0939255fc750..3d38eaf05492 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -1551,6 +1551,45 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int
> nr_wake, u32 bitset)
> return ret;
> }
>
> +static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
> +{
> + unsigned int op = (encoded_op & 0x7000) >> 28;
> + unsigned int cmp =(encoded_op & 0x0f00) >> 24;
> + int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 12);
> + int cmparg = sign_extend32(encoded_op & 0x0fff, 12);
> + int oldval, ret;
> +
> + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
> + if (oparg < 0 || oparg > 31)
> + return -EINVAL;
> + oparg = 1 << oparg;
> + }
> +
> + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
> + return -EFAULT;
> +
> + ret = arch_futex_atomic_op_inuser(op, oparg, , uaddr);
> + if (ret)
> + return ret;
We could move the pagefault_{disable,enable} calls here, and then remove
them from the futex_atomic_op_inuser callsites elsewhere in futex.c
Will
___
linux-snps-arc mailing list
linux-snps-arc@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-snps-arc
[PATCH v2 1/1] futex: remove duplicated code and fix UB
There is code duplicated over all architecture's headers for
futex_atomic_op_inuser. Namely op decoding, access_ok check for uaddr,
and comparison of the result.
Remove this duplication and leave up to the arches only the needed
assembly which is now in arch_futex_atomic_op_inuser.
This effectively distributes the Will Deacon's arm64 fix for undefined
behaviour reported by UBSAN to all architectures. The fix was done in
commit 5f16a046f8e1 (arm64: futex: Fix undefined behaviour with
FUTEX_OP_OPARG_SHIFT usage). Look there for an example dump.
And as suggested by Thomas, check for negative oparg too, because it was
also reported to cause undefined behaviour report.
Note that s390 removed access_ok check in d12a29703 ("s390/uaccess:
remove pointless access_ok() checks") as access_ok there returns true.
We introduce it back to the helper for the sake of simplicity (it gets
optimized away anyway).
[v2]
- check also for negative values
- wait for Will's fix to be in upstream
Signed-off-by: Jiri Slaby
Cc: Richard Henderson
Cc: Ivan Kokshaysky
Cc: Matt Turner
Cc: Vineet Gupta
Acked-by: Russell King
Cc: Catalin Marinas
Cc: Will Deacon
Reviewed-by: Darren Hart (VMware)
Cc: Richard Kuo
Cc: Tony Luck
Cc: Fenghua Yu
Cc: Michal Simek
Cc: Ralf Baechle
Cc: Jonas Bonn
Cc: Stefan Kristiansson
Cc: Stafford Horne
Cc: "James E.J. Bottomley"
Cc: Helge Deller
Cc: Benjamin Herrenschmidt
Cc: Paul Mackerras
Acked-by: Michael Ellerman (powerpc)
Cc: Martin Schwidefsky
Acked-by: Heiko Carstens [s390]
Cc: Yoshinori Sato
Cc: Rich Felker
Cc: "David S. Miller"
Acked-by: Chris Metcalf [for tile]
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: Chris Zankel
Cc: Max Filippov
Cc: Arnd Bergmann
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
Cc:
---
arch/alpha/include/asm/futex.h | 26 ---
arch/arc/include/asm/futex.h| 40 -
arch/arm/include/asm/futex.h| 26 +++
arch/arm64/include/asm/futex.h | 26 +++
arch/frv/include/asm/futex.h| 3 ++-
arch/frv/kernel/futex.c | 27 +++-
arch/hexagon/include/asm/futex.h| 38 +++-
arch/ia64/include/asm/futex.h | 25 +++
arch/microblaze/include/asm/futex.h | 38 +++-
arch/mips/include/asm/futex.h | 25 +++
arch/openrisc/include/asm/futex.h | 39 +++--
arch/parisc/include/asm/futex.h | 26 +++
arch/powerpc/include/asm/futex.h| 26 ---
arch/s390/include/asm/futex.h | 23 -
arch/sh/include/asm/futex.h | 26 +++
arch/sparc/include/asm/futex_64.h | 26 ---
arch/tile/include/asm/futex.h | 40 -
arch/x86/include/asm/futex.h| 40 -
arch/xtensa/include/asm/futex.h | 27
include/asm-generic/futex.h | 50 +++--
kernel/futex.c | 39 +
21 files changed, 130 insertions(+), 506 deletions(-)
diff --git a/arch/alpha/include/asm/futex.h b/arch/alpha/include/asm/futex.h
index fb01dfb760c2..05a70edd57b6 100644
--- a/arch/alpha/include/asm/futex.h
+++ b/arch/alpha/include/asm/futex.h
@@ -25,18 +25,10 @@
: "r" (uaddr), "r"(oparg) \
: "memory")
-static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
+static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval,
+ u32 __user *uaddr)
{
- int op = (encoded_op >> 28) & 7;
- int cmp
