Re: [PATCH v18 02/15] arm64: Introduce prctl() options to control the tagged user addresses ABI

2019-06-24 Thread Kees Cook
ldren but cleared on execve(). A Kconfig > option allows the overall disabling of the relaxed ABI. > > The PR_SET_TAGGED_ADDR_CTRL will be expanded in the future to handle > MTE-specific settings like imprecise vs precise exceptions. > > Signed-off-by: Catalin Marinas Reviewed-by: Kees Co

Re: [PATCH v18 10/15] drm/radeon: untag user pointers in radeon_gem_userptr_ioctl

2019-06-24 Thread Kees Cook
vma lookups, which can only be done with > untagged pointers. > > This patch untags user pointers in radeon_gem_userptr_ioctl(). > > Suggested-by: Felix Kuehling > Acked-by: Felix Kuehling > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- >

Re: [PATCH v18 15/15] selftests, arm64: add a selftest for passing tagged pointers to kernel

2019-06-24 Thread Kees Cook
est, that calls the uname syscall with a > tagged user pointer as an argument. Without the kernel accepting tagged > user pointers the test fails with EFAULT. > > Signed-off-by: Andrey Konovalov Acked-by: Kees Cook -Kees > --- > tools/testing/selftests/arm64/.gitignore

Re: [PATCH v18 11/15] IB/mlx4: untag user pointers in mlx4_get_umem_mr

2019-06-24 Thread Kees Cook
d user pointers for vma lookups, which can > only be done with untagged pointers. > > Untag user pointers in this function. > > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > drivers/infiniband/hw/mlx4/mr.c | 7 --- > 1 file changed, 4 insert

Re: [PATCH v18 09/15] drm/amdgpu: untag user pointers

2019-06-24 Thread Kees Cook
x Kuehling > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 2 +- > drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 2 ++ > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers

Re: [PATCH v17 03/15] arm64: Introduce prctl() options to control the tagged user addresses ABI

2019-06-13 Thread Kees Cook
kernel. That's actually already happening (via -mm tree last I looked). tl;dr: it ends up using a cast hidden in a macro. It's in linux-next already along with a checkpatch.pl addition to yell about doing what's being done here. ;) https://lore.kernel.org/lkml/20190430180111.10688-1-mcr...@redhat.com/#r -- Kees Cook

Re: [PATCH v16 02/16] arm64: untag user pointers in access_ok and __uaccess_mask_ptr

2019-06-10 Thread Kees Cook
On Mon, Jun 10, 2019 at 07:53:30PM +0100, Catalin Marinas wrote: > On Mon, Jun 10, 2019 at 11:07:03AM -0700, Kees Cook wrote: > > On Mon, Jun 10, 2019 at 06:53:27PM +0100, Catalin Marinas wrote: > > > diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c > &

Re: [PATCH v16 02/16] arm64: untag user pointers in access_ok and __uaccess_mask_ptr

2019-06-10 Thread Kees Cook
gt; ptrauth_thread_init_user(current); > } > + > +/* > + * Enable the relaxed ABI allowing tagged user addresses into the kernel. > + */ > +int untagged_uaddr_set_mode(unsigned long arg) > +{ > + if (is_compat_task()) > + return -ENOTSUPP; > + if (arg) > + return -EINVAL; > + > + set_thread_flag(TIF_UNTAGGED_UADDR); > + > + return 0; > +} I think this should be paired with a flag clearing in copy_thread(), yes? (i.e. each binary needs to opt in) -- Kees Cook
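Review bot: in untagged_uaddr_set_mode(), the is_compat_task() branch returns -ENOTSUPP, which is the kernel-internal code 524 and has no definition in the userspace errno headers; if this return value is handed back to the caller of the syscall, a program sees an errno it cannot interpret. -EOPNOTSUPP, or -EINVAL as already used for a non-zero arg, would be the usual choice. The function also only ever sets TIF_UNTAGGED_UADDR, so the visible lines give a task no way to switch the relaxed ABI off again once it is enabled; a short comment saying whether that is intentional would help.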

Re: [PATCH v16 14/16] tee, arm64: untag user pointers in tee_shm_register

2019-06-07 Thread Kees Cook
tee_shm_unregister()->check_mem_type() uses provided > user pointers for vma lookups (via __check_mem_type()), which can only be > done with untagged pointers. > > Untag user pointers in this function. > > Signed-off-by: Andrey Konovalov "tee: shm: untag user pointers

Re: [PATCH v16 09/16] fs, arm64: untag user pointers in fs/userfaultfd.c

2019-06-07 Thread Kees Cook
e provided user pointers for vma lookups, which can > only be done with untagged pointers. > > Untag user pointers in validate_range(). > > Signed-off-by: Andrey Konovalov "userfaultfd: untag user pointers" Reviewed-by: Kees Cook -Kees > --- > fs/userfaultfd.c | 2

Re: [PATCH v16 08/16] fs, arm64: untag user pointers in copy_mount_options

2019-06-07 Thread Kees Cook
ld expect, instead: fs/namespace: untag user pointers in copy_mount_options Reviewed-by: Kees Cook -Kees > --- > fs/namespace.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/namespace.c b/fs/namespace.c > index b26778bdc236..2e85712a19ed 1

Re: [PATCH v16 07/16] mm, arm64: untag user pointers in get_vaddr_frames

2019-06-07 Thread Kees Cook
s provided user pointers for vma lookups, which can > only be done with untagged pointers. Instead of locating and changing > all callers of this function, perform untagging in it. > > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > mm/frame_vector.c | 2 +

Re: [PATCH v16 06/16] mm, arm64: untag user pointers in mm/gup.c

2019-06-07 Thread Kees Cook
for vma lookups. > > Reviewed-by: Catalin Marinas > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > mm/gup.c | 4 > 1 file changed, 4 insertions(+) > > diff --git a/mm/gup.c b/mm/gup.c > index ddde097cf9e4..c37df3d455a2 100644 > --- a

Re: [PATCH v16 15/16] vfio/type1, arm64: untag user pointers in vaddr_get_pfn

2019-06-07 Thread Kees Cook
s provided user pointers for vma lookups, which can > only be done with untagged pointers. > > Untag user pointers in this function. > > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > drivers/vfio/vfio_iommu_type1.c | 2 ++ > 1 file changed, 2 inser

Re: [PATCH v16 16/16] selftests, arm64: add a selftest for passing tagged pointers to kernel

2019-06-07 Thread Kees Cook
s a simple test, that calls the uname syscall with a > tagged user pointer as an argument. Without the kernel accepting tagged > user pointers the test fails with EFAULT. > > Signed-off-by: Andrey Konovalov I'm adding Shuah to CC in case she has some suggestions about the new selftest. Rev

Re: [PATCH v16 13/16] media/v4l2-core, arm64: untag user pointers in videobuf_dma_contig_user_get

2019-06-07 Thread Kees Cook
user_get() uses provided user pointers for vma > lookups, which can only be done with untagged pointers. > > Untag the pointers in this function. > > Acked-by: Mauro Carvalho Chehab > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > drivers/me

Re: [PATCH v16 02/16] arm64: untag user pointers in access_ok and __uaccess_mask_ptr

2019-06-07 Thread Kees Cook
ing user pointers in access_ok and in __uaccess_mask_ptr, > before performing access validity checks. > > Note, that this patch only temporarily untags the pointers to perform the > checks, but then passes them as is into the kernel internals. > > Reviewed-by: Catalin Marinas > Signed-off-by

Re: [PATCH v16 05/16] arm64: untag user pointers passed to memory syscalls

2019-06-07 Thread Kees Cook
tagged pointers to be passed to the following memory > syscalls: get_mempolicy, madvise, mbind, mincore, mlock, mlock2, mprotect, > mremap, msync, munlock. > > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > mm/madvise.c | 2 ++ > mm/mempolicy.c | 3 +++ &g

Re: [PATCH v16 04/16] mm: untag user pointers in do_pages_move

2019-06-07 Thread Kees Cook
_move() is used in the implementation of the move_pages syscall. > > Untag user pointers in this function. > > Reviewed-by: Catalin Marinas > Signed-off-by: Andrey Konovalov Reviewed-by: Kees Cook -Kees > --- > mm/migrate.c | 1 + > 1 file changed, 1 insertion(+) > > dif

Re: [PATCH v16 03/16] lib, arm64: untag user pointers in strn*_user

2019-06-07 Thread Kees Cook
ly untags the pointers to perform > validity checks, but then uses them as is to perform user memory accesses. > > Reviewed-by: Catalin Marinas > Signed-off-by: Andrey Konovalov Acked-by: Kees Cook -Kees > --- > lib/strncpy_from_user.c | 3 ++- > lib/strnlen_user

Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

2019-06-01 Thread Kees Cook
On Tue, May 28, 2019 at 06:02:45PM +0100, Catalin Marinas wrote: > On Thu, May 23, 2019 at 02:31:16PM -0700, Kees Cook wrote: > > syzkaller already attempts to randomly inject non-canonical and > > 0x addresses for user pointers in syscalls in an effort to > > fi

Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

2019-05-23 Thread Kees Cook
On Thu, May 23, 2019 at 06:43:46PM +0100, Catalin Marinas wrote: > On Thu, May 23, 2019 at 09:38:19AM -0700, Kees Cook wrote: > > What on this front would you be comfortable with? Given it's a new > > feature isn't it sufficient to have a CONFIG (and/or boot option)? > >

Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

2019-05-23 Thread Kees Cook
ations using TBI already but > I'm not aware of any still using this feature other than hwasan)

Correct. Alright, the tl;dr appears to be:

- you want more assurances that we can find __user stripping in the kernel more easily. (But this seems like a parallel problem.)
- we might need to opt in to TBI with a prctl()
- all other concerns are for the future MTE series (though it sounds like HWCAP_MTE and a prctl() solve those issues too).

Is this accurate? What do you see as the blockers for this series at this point?

-- Kees Cook

Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

2019-05-22 Thread Kees Cook
't MTE instructions just NOP to older CPUs? I.e. if the CPU (or kernel) don't support it, it just gets entirely ignored: checking is only needed to satisfy curiosity or behavioral expectations. To me, the conflict seems to be using TBI in the face of expecting MTE to be the default state of the future. (But the internal changes needed for TBI -- this series -- is a prereq for MTE.) -- Kees Cook

Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

2019-05-22 Thread Kees Cook
On Wed, May 22, 2019 at 08:30:21AM -0700, enh wrote: > On Wed, May 22, 2019 at 3:11 AM Catalin Marinas > wrote: > > On Tue, May 21, 2019 at 05:04:39PM -0700, Kees Cook wrote: > > > I just want to make sure I fully understand your concern about this > > > being

Re: [PATCH v15 00/17] arm64: untag user pointers passed to the kernel

2019-05-21 Thread Kees Cook
- kernel has now broken userspace that used to work

The trouble I see with this is that it is largely theoretical and requires part of userspace to collude to start using a new CPU feature that tickles a bug in the kernel. As I understand the golden rule, this is a bug in the kernel (a missed ioctl() or such) to be fixed, not a global breaking of some userspace behavior.

I feel like I'm missing something about this being seen as an ABI break. The kernel already fails on userspace addresses that have high bits set -- are there things that _depend_ on this failure to operate?

-- Kees Cook

Re: [PATCH] drm/amdgpu/pm: Remove VLA usage

2018-07-17 Thread Kees Cook
On Wed, Jun 20, 2018 at 11:26 AM, Kees Cook wrote: > In the quest to remove all stack VLA usage from the kernel[1], this > uses the maximum sane buffer size and removes copy/paste code. > > [1] > https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...

Re: [PATCH] drm/amd/display: Use 2-factor allocator calls

2018-07-05 Thread Kees Cook
On Thu, Jul 5, 2018 at 6:37 AM, Michel Dänzer wrote: > On 2018-07-04 07:27 PM, Kees Cook wrote: >> As already done treewide, switch from open-coded multiplication to >> 2-factor allocation helper. >> >> Signed-off-by: Kees Cook >> --- >> drivers/gpu/drm/

[PATCH] drm/amd/display: Use 2-factor allocator calls

2018-07-05 Thread Kees Cook
As already done treewide, switch from open-coded multiplication to 2-factor allocation helper. Signed-off-by: Kees Cook --- drivers/gpu/drm/amd/display/modules/color/color_gamma.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/modules

[PATCH] drm/amdgpu/pm: Remove VLA usage

2018-06-20 Thread Kees Cook
In the quest to remove all stack VLA usage from the kernel[1], this uses the maximum sane buffer size and removes copy/paste code. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com Signed-off-by: Kees Cook --- drivers/gpu/drm/amd/amdgpu

Re: [PATCHv3] drm/amdkfd: Remove vla

2018-05-03 Thread Kees Cook
fd_priv.h > b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h > index 96a9cc0f02c9..a90db05dfe61 100644 > --- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h > +++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h > @@ -39,6 +39,8 @@ > > #include "amd_shared.h" > > +#define KFD_MAX_RING_EN

Re: [PATCH] drm/amd/powerplay: rv: Use designated initializers

2017-07-28 Thread Kees Cook
On Thu, Jul 27, 2017 at 6:43 PM, Alex Deucher <alexdeuc...@gmail.com> wrote: > On Tue, Jul 25, 2017 at 5:47 PM, Kees Cook <keesc...@chromium.org> wrote: >> As done for vega10 in commit 3ddd396f6b57 ("drm/amd/powerplay: Use >> designated initializers"

Re: [PATCH] drm/amd/powerplay: rv: Use designated initializers

2017-07-28 Thread Kees Cook
On Fri, Jul 28, 2017 at 2:13 AM, Christian König <christian.koe...@amd.com> wrote: > On 28.07.2017 at 03:43, Alex Deucher wrote: >> >> On Tue, Jul 25, 2017 at 5:47 PM, Kees Cook <keesc...@chromium.org> wrote: >>> >>> As done for vega10 in

[PATCH] drm/amd/powerplay: rv: Use designated initializers

2017-07-25 Thread Kees Cook
.@amd.com> Cc: Hawking Zhang <hawking.zh...@amd.com> Cc: Alex Deucher <alexander.deuc...@amd.com> Signed-off-by: Kees Cook <keesc...@chromium.org> --- If I can get an Ack for this, I'll carry it in the gcc-plugins tree, unless you think this is worth landing for v4.13, in which ca