Re: [PATCH v2 1/1] futex: remove duplicated code and fix UB
On Thu, 24 Aug 2017, Will Deacon wrote: > On Thu, Aug 24, 2017 at 09:31:05AM +0200, Jiri Slaby wrote: > > +static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user > > *uaddr) > > +{ > > + unsigned int op = (encoded_op & 0x7000) >> 28; > > + unsigned int cmp =(encoded_op & 0x0f00) >> 24; > > + int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 12); > > + int cmparg = sign_extend32(encoded_op & 0x0fff, 12); > > + int oldval, ret; > > + > > + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { > > + if (oparg < 0 || oparg > 31) > > + return -EINVAL; > > + oparg = 1 << oparg; > > + } > > + > > + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) > > + return -EFAULT; > > + > > + ret = arch_futex_atomic_op_inuser(op, oparg, , uaddr); > > + if (ret) > > + return ret; > > We could move the pagefault_{disable,enable} calls here, and then remove > them from the futex_atomic_op_inuser callsites elsewhere in futex.c Correct, but we can do that after getting this in. Thanks, tglx ___ linux-snps-arc mailing list linux-snps-arc@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-snps-arc
Re: [PATCH v2 1/1] futex: remove duplicated code and fix UB
Hi Jiri, On Thu, Aug 24, 2017 at 09:31:05AM +0200, Jiri Slaby wrote: > There is code duplicated over all architecture's headers for > futex_atomic_op_inuser. Namely op decoding, access_ok check for uaddr, > and comparison of the result. > > Remove this duplication and leave up to the arches only the needed > assembly which is now in arch_futex_atomic_op_inuser. > > This effectively distributes the Will Deacon's arm64 fix for undefined > behaviour reported by UBSAN to all architectures. The fix was done in > commit 5f16a046f8e1 (arm64: futex: Fix undefined behaviour with > FUTEX_OP_OPARG_SHIFT usage). Look there for an example dump. > > And as suggested by Thomas, check for negative oparg too, because it was > also reported to cause undefined behaviour report. > > Note that s390 removed access_ok check in d12a29703 ("s390/uaccess: > remove pointless access_ok() checks") as access_ok there returns true. > We introduce it back to the helper for the sake of simplicity (it gets > optimized away anyway). For arm64 and the core code: Reviewed-by: Will DeaconAlthough one minor thing on the core part: > diff --git a/kernel/futex.c b/kernel/futex.c > index 0939255fc750..3d38eaf05492 100644 > --- a/kernel/futex.c > +++ b/kernel/futex.c > @@ -1551,6 +1551,45 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int > nr_wake, u32 bitset) > return ret; > } > > +static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) > +{ > + unsigned int op = (encoded_op & 0x7000) >> 28; > + unsigned int cmp =(encoded_op & 0x0f00) >> 24; > + int oparg = sign_extend32((encoded_op & 0x00fff000) >> 12, 12); > + int cmparg = sign_extend32(encoded_op & 0x0fff, 12); > + int oldval, ret; > + > + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { > + if (oparg < 0 || oparg > 31) > + return -EINVAL; > + oparg = 1 << oparg; > + } > + > + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) > + return -EFAULT; > + > + ret = arch_futex_atomic_op_inuser(op, oparg, , uaddr); > + if (ret) > + return ret; We could move the pagefault_{disable,enable} calls here, and then remove them from the futex_atomic_op_inuser callsites elsewhere in futex.c Will ___ linux-snps-arc mailing list linux-snps-arc@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-snps-arc
[PATCH v2 1/1] futex: remove duplicated code and fix UB
There is code duplicated over all architecture's headers for futex_atomic_op_inuser. Namely op decoding, access_ok check for uaddr, and comparison of the result. Remove this duplication and leave up to the arches only the needed assembly which is now in arch_futex_atomic_op_inuser. This effectively distributes the Will Deacon's arm64 fix for undefined behaviour reported by UBSAN to all architectures. The fix was done in commit 5f16a046f8e1 (arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage). Look there for an example dump. And as suggested by Thomas, check for negative oparg too, because it was also reported to cause undefined behaviour report. Note that s390 removed access_ok check in d12a29703 ("s390/uaccess: remove pointless access_ok() checks") as access_ok there returns true. We introduce it back to the helper for the sake of simplicity (it gets optimized away anyway). [v2] - check also for negative values - wait for Will's fix to be in upstream Signed-off-by: Jiri SlabyCc: Richard Henderson Cc: Ivan Kokshaysky Cc: Matt Turner Cc: Vineet Gupta Acked-by: Russell King Cc: Catalin Marinas Cc: Will Deacon Reviewed-by: Darren Hart (VMware) Cc: Richard Kuo Cc: Tony Luck Cc: Fenghua Yu Cc: Michal Simek Cc: Ralf Baechle Cc: Jonas Bonn Cc: Stefan Kristiansson Cc: Stafford Horne Cc: "James E.J. Bottomley" Cc: Helge Deller Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Acked-by: Michael Ellerman (powerpc) Cc: Martin Schwidefsky Acked-by: Heiko Carstens [s390] Cc: Yoshinori Sato Cc: Rich Felker Cc: "David S. Miller" Acked-by: Chris Metcalf [for tile] Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Chris Zankel Cc: Max Filippov Cc: Arnd Bergmann Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: Cc: --- arch/alpha/include/asm/futex.h | 26 --- arch/arc/include/asm/futex.h| 40 - arch/arm/include/asm/futex.h| 26 +++ arch/arm64/include/asm/futex.h | 26 +++ arch/frv/include/asm/futex.h| 3 ++- arch/frv/kernel/futex.c | 27 +++- arch/hexagon/include/asm/futex.h| 38 +++- arch/ia64/include/asm/futex.h | 25 +++ arch/microblaze/include/asm/futex.h | 38 +++- arch/mips/include/asm/futex.h | 25 +++ arch/openrisc/include/asm/futex.h | 39 +++-- arch/parisc/include/asm/futex.h | 26 +++ arch/powerpc/include/asm/futex.h| 26 --- arch/s390/include/asm/futex.h | 23 - arch/sh/include/asm/futex.h | 26 +++ arch/sparc/include/asm/futex_64.h | 26 --- arch/tile/include/asm/futex.h | 40 - arch/x86/include/asm/futex.h| 40 - arch/xtensa/include/asm/futex.h | 27 include/asm-generic/futex.h | 50 +++-- kernel/futex.c | 39 + 21 files changed, 130 insertions(+), 506 deletions(-) diff --git a/arch/alpha/include/asm/futex.h b/arch/alpha/include/asm/futex.h index fb01dfb760c2..05a70edd57b6 100644 --- a/arch/alpha/include/asm/futex.h +++ b/arch/alpha/include/asm/futex.h @@ -25,18 +25,10 @@ : "r" (uaddr), "r"(oparg) \ : "memory") -static inline int futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) +static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, + u32 __user *uaddr) { - int op = (encoded_op >> 28) & 7; - int cmp