June 2023 - linux-morello - op-lists.linaro.org

[PATCH 0/3] Fix module loading for PCuABI kernels

by Kristina Martsenko

Hi, Here are a few small patches to fix kernel module loading in the PCuABI kernel [1]. (Sorry about the delay!) There are some notes on testing in the third patch. Thanks, Kristina [1] https://git.morello-project.org/morello/kernel/linux/-/issues/41 Kristina Martsenko (3): module: Allow arch overrides for ELF arch check arm64: elf: Enable module loading for PCuABI kernels arm64: morello: Add test modules to defconfig .../configs/morello_transitional_pcuabi_defconfig | 6 ++++++ arch/arm64/include/asm/elf.h | 10 ++-------- include/linux/moduleloader.h | 4 ++++ kernel/module/main.c | 2 +- 4 files changed, 13 insertions(+), 9 deletions(-) base-commit: 7f84d159d4eb989bf2f42d2e3b27a204cb3c1ec4 -- 2.25.1

2 years

3
6
0 0

[PATCH v2 0/8] Add explicit capability checking

by Luca Vizzarro

Hello! Finally posting the second version of my patch series relating the explicit capability checking[1]. After some deep investigation carried out together with Kevin and Tudor – thank you both for your help! –, we may be getting closer to the end of this unexpectedly laborious task. As per before, this series is dependent on Kevin's user pointer checking helper functions and a WIP implementation of PCuABI for the futex_waitv syscall so that the kernel doesn't break. All of this work is available together for testing – it's been successfully tested with LTP by myself – on my fork's branch[2]. Finally, it now includes a patch by Al Viro recently merged on mainline Linux. This aims at rendering the implementation of iov_iter less confusing, and actually aided the investigation of this task. Kind regards, Luca [1] https://git.morello-project.org/morello/kernel/linux/-/issues/7 [2] https://git.morello-project.org/Sevenarth/linux/-/commits/morello/gup-check… Al Viro (1): use less confusing names for iov_iter direction initializers Luca Vizzarro (7): gup: Add explicit capability checks iov_iter: Add explicit capability checks bpf: Add explicit capability checks usb: core: Add explicit capability checks futex: Add explicit capability checks io_uring: Add explicit capability checks nvme: Add TODO for PCuABI implementation arch/s390/mm/maccess.c | 3 +-- arch/x86/kernel/cpu/microcode/intel.c | 2 +- arch/x86/kernel/crash_dump_64.c | 2 +- crypto/testmgr.c | 4 ++-- drivers/acpi/pfr_update.c | 2 +- drivers/block/drbd/drbd_main.c | 2 +- drivers/block/drbd/drbd_receiver.c | 2 +- drivers/block/loop.c | 12 ++++++------ drivers/block/nbd.c | 10 +++++----- drivers/char/random.c | 4 ++-- drivers/fsi/fsi-sbefifo.c | 6 +++--- drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +- drivers/isdn/mISDN/l1oip_core.c | 2 +- drivers/misc/vmw_vmci/vmci_queue_pair.c | 6 +++--- drivers/net/ppp/ppp_generic.c | 2 +- drivers/nvme/host/ioctl.c | 1 + drivers/nvme/host/tcp.c | 4 ++-- drivers/nvme/target/io-cmd-file.c | 4 ++-- drivers/nvme/target/tcp.c | 2 +- drivers/s390/char/zcore.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/target/iscsi/iscsi_target_util.c | 4 ++-- drivers/target/target_core_file.c | 2 +- drivers/usb/core/devio.c | 4 +++- drivers/usb/usbip/usbip_common.c | 2 +- drivers/vhost/net.c | 6 +++--- drivers/vhost/scsi.c | 10 +++++----- drivers/vhost/vhost.c | 6 +++--- drivers/vhost/vringh.c | 4 ++-- drivers/vhost/vsock.c | 4 ++-- drivers/xen/pvcalls-back.c | 8 ++++---- fs/9p/vfs_addr.c | 4 ++-- fs/9p/vfs_dir.c | 2 +- fs/9p/xattr.c | 4 ++-- fs/afs/cmservice.c | 2 +- fs/afs/dir.c | 2 +- fs/afs/file.c | 4 ++-- fs/afs/internal.h | 4 ++-- fs/afs/rxrpc.c | 10 +++++----- fs/afs/write.c | 4 ++-- fs/aio.c | 4 ++-- fs/btrfs/ioctl.c | 4 ++-- fs/ceph/addr.c | 4 ++-- fs/ceph/file.c | 4 ++-- fs/cifs/connect.c | 6 +++--- fs/cifs/file.c | 4 ++-- fs/cifs/fscache.c | 4 ++-- fs/cifs/smb2ops.c | 4 ++-- fs/cifs/transport.c | 6 +++--- fs/coredump.c | 2 +- fs/erofs/fscache.c | 6 +++--- fs/fscache/io.c | 2 +- fs/fuse/ioctl.c | 4 ++-- fs/netfs/io.c | 6 +++--- fs/nfs/fscache.c | 4 ++-- fs/nfsd/vfs.c | 4 ++-- fs/ocfs2/cluster/tcp.c | 2 +- fs/orangefs/inode.c | 8 ++++---- fs/proc/vmcore.c | 6 +++--- fs/read_write.c | 12 ++++++------ fs/seq_file.c | 2 +- fs/splice.c | 10 +++++----- include/linux/io_uring.h | 2 +- include/linux/pagemap.h | 2 +- include/linux/uio.h | 3 +++ io_uring/kbuf.c | 10 +++++++++- io_uring/net.c | 17 ++++++++--------- io_uring/rsrc.c | 17 ++++++++++++++--- io_uring/rsrc.h | 4 ++-- io_uring/rw.c | 12 ++++++------ io_uring/uring_cmd.c | 6 +++++- kernel/bpf/helpers.c | 4 +++- kernel/futex/core.c | 17 ++++++++++++++--- kernel/trace/trace_events_user.c | 2 +- lib/iov_iter.c | 21 ++++++++++++++++++--- mm/gup.c | 10 +++++++--- mm/madvise.c | 2 +- mm/page_io.c | 4 ++-- mm/process_vm_access.c | 2 +- net/9p/client.c | 2 +- net/bluetooth/6lowpan.c | 2 +- net/bluetooth/a2mp.c | 2 +- net/bluetooth/smp.c | 2 +- net/ceph/messenger_v1.c | 4 ++-- net/ceph/messenger_v2.c | 14 +++++++------- net/compat.c | 3 ++- net/ipv4/tcp.c | 4 ++-- net/netfilter/ipvs/ip_vs_sync.c | 2 +- net/smc/smc_clc.c | 6 +++--- net/smc/smc_tx.c | 2 +- net/socket.c | 12 ++++++------ net/sunrpc/socklib.c | 6 +++--- net/sunrpc/svcsock.c | 4 ++-- net/sunrpc/xprtsock.c | 6 +++--- net/tipc/topsrv.c | 2 +- net/tls/tls_device.c | 4 ++-- net/xfrm/espintcp.c | 2 +- security/keys/keyctl.c | 4 ++-- 98 files changed, 274 insertions(+), 214 deletions(-) -- 2.34.1

2 years

3
15
0 0

[PATCH 0/9] New user_ptr helpers for uaccess

by Kevin Brodsky

Hi, This series introduces new user_ptr helpers to help in certain uaccess-related situations. This is a follow-up to my previous series "New CHERI API and separation of root capabilities"; the CHERI helpers it introduced are used to implement the new generic user_ptr helpers in PCuABI. The new helpers are (see patch 1 for details): * make_user_ptr_for_<perms>_uaccess(), to create user pointers in order to perform uaccess, with appropriate bounds and permissions. * check_user_ptr_<perms>(), to perform explicit checking of user pointers. This series does not actually make use of check_user_ptr_<perms>(), rather it prepares the ground for implementing explicit checking when user memory is accessed via kernel mappings [1]. The rest of the series (patch 2-9) is about converting existing uses of uaddr_to_user_ptr_safe(), as it should now only be used for *providing* user pointers to userspace, and not for uaccess. After this series, the only remaining users of uaddr_to_user_ptr_safe() are: - fs/binfmt_elf.c to provide all the initial capabilities (stack, AT_CHERI_*_CAP, etc.). uaddr_to_user_ptr_safe() is still used to write the initial data on the stack too; it didn't seem worthwhile to refactor this code as it is going to change anyway as part of [2] and [3]. - mmap / mremap / shmat to return a valid capability. To clarify which helper should be used in which situation, here are two tables specifying the helper to use depending on whether the address is specified by userspace or the kernel itself, and whether the pointer is provided to userspace or used by the kernel itself. *Before* this series: +-----------------------------------+---------------------+--------------------------+ | Pointer for \ Address provided by | User | Kernel | +===================================+=====================+==========================+ | User | - | uaddr_to_user_ptr_safe() | +-----------------------------------+---------------------+--------------------------+ | Kernel (uaccess) | uaddr_to_user_ptr() | uaddr_to_user_ptr_safe() | +-----------------------------------+---------------------+--------------------------+ *After* this series: +-----------------------------------+---------------------+-------------------------------+ | Pointer for \ Address provided by | User | Kernel | +===================================+=====================+===============================+ | User | - | uaddr_to_user_ptr_safe() | +-----------------------------------+---------------------+-------------------------------+ | Kernel (uaccess) | uaddr_to_user_ptr() | make_user_ptr_*_for_uaccess() | +-----------------------------------+---------------------+-------------------------------+ Eventually both uaddr_to_user_ptr() and uaddr_to_user_ptr_safe() should disappear, the first thanks to userspace always providing full pointers and the second being replaced by handcrafted code creating capabilities in line with the PCuABI spec (whose bounds give access to only the intended object and potentially padding). Note that patch 1 and 4 were included in the first RFC of the CHERI API series [4]. They remain broadly the same, but: - make_privileged_user_ptr and check_user_ptr() have been renamed, and the permissions are now specified by calling the right variant of the function instead of passing a bitfield. They are now called respectively make_user_ptr_for_<perms>_uaccess() and check_user_ptr_<perms>(). - The user_ptr documentation has been updated accordingly. - The commit messages have been improved to reflect the overall intention better. Review branch: https://git.morello-project.org/kbrodsky-arm/linux/-/commits/morello/user_p… Rendered doc: https://git.morello-project.org/kbrodsky-arm/linux/-/blob/morello/user_ptr_… Thanks, Kevin [1] https://git.morello-project.org/morello/kernel/linux/-/issues/7 [2] https://git.morello-project.org/morello/kernel/linux/-/issues/19 [3] https://git.morello-project.org/morello/kernel/linux/-/issues/22 [4] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… Kevin Brodsky (9): linux/user_ptr.h: Introduce uaccess-related helpers fs/binfmt_elf: Create appropriate user pointer for uaccess coredump: Create appropriate user pointer for uaccess mm/memory: Create appropriate user pointer for uaccess Revert "mm/hugetlb: Use appropriate user pointer conversions" Revert "mm/shmem: Use appropriate user pointer conversions" audit: Create appropriate user pointer for uaccess perf: Avoid uaddr_to_user_ptr_safe() for arbitrary user address arm64: Create appropriate user pointer for uaccess Documentation/core-api/user_ptr.rst | 100 ++++++++++++++++++---------- arch/arm64/kernel/debug-monitors.c | 3 +- arch/arm64/kernel/traps.c | 2 +- fs/binfmt_elf.c | 14 ++-- fs/coredump.c | 4 +- include/linux/user_ptr.h | 86 ++++++++++++++++++++++-- kernel/auditsc.c | 3 +- kernel/events/internal.h | 2 +- lib/user_ptr.c | 46 +++++++++++++ mm/hugetlb.c | 2 +- mm/memory.c | 2 +- mm/shmem.c | 2 +- 12 files changed, 216 insertions(+), 50 deletions(-) -- 2.38.1

2 years

4
19
0 0

[PATCH] gup: Add explicit capability checks

by Luca Vizzarro

Whenever a GUP call is made, the page address for the lookup is a 64-bit long raw pointer. When working in PCuABI, this means that the metadata of the capability gets discarded, hence any access made by the GUP is not checked in hardware. This commit introduces explicit capability checks whenever a call to the current mm through the GUP functions is made. Signed-off-by: Luca Vizzarro <Luca.Vizzarro(a)arm.com> --- Hello, this patch adds explicit capability checks needed in conjuction with GUP calls. Submitting only for review and not merging. In order for this patch to work Kevin's user pointer helpers patch is required, in addition to a modification that I have suggested in his series thread. Another essential required change is actually porting the futex_waitv syscall to PCuABI. Otherwise this patch will be a BREAKING change and LTP will fail. LTP was ran successfully against this patch ONLY with the minimum required changes for futex_waitv to work, which are still a WIP. The ticket related to this patch is #7: https://git.morello-project.org/morello/kernel/linux/-/issues/7 This patch can be found on the following branch, which contains some futex_waitv changes, Kevin's series and its modification: https://git.morello-project.org/Sevenarth/linux/-/commits/morello/gup-checks Best, Luca --- drivers/usb/core/devio.c | 8 ++++++-- io_uring/kbuf.c | 5 ++++- io_uring/net.c | 4 +++- io_uring/rsrc.c | 7 ++++++- kernel/bpf/helpers.c | 4 +++- kernel/futex/core.c | 11 ++++++++--- lib/iov_iter.c | 21 ++++++++++++++++++--- mm/gup.c | 8 ++++++-- 8 files changed, 54 insertions(+), 14 deletions(-) diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index cb37f6d2010a..4d3249ba343a 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1584,8 +1584,12 @@ find_memory_area(struct usb_dev_state *ps, const struct usbdevfs_urb *uurb) { struct usb_memory *usbm = NULL, *iter; unsigned long flags; - /* TODO [PCuABI] - capability checks for uaccess */ - unsigned long uurb_start = user_ptr_addr(uurb->buffer); + unsigned long uurb_start; + + if (!check_user_ptr_rw(uurb->buffer, uurb->buffer_length)) + return ERR_PTR(-EFAULT); + + uurb_start = user_ptr_addr(uurb->buffer); spin_lock_irqsave(&ps->lock, flags); list_for_each_entry(iter, &ps->memory_list, memlist) { diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index 70056c27d778..d6e6227caab0 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -587,7 +587,10 @@ int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) pages_size = io_in_compat64(ctx) ? size_mul(sizeof(struct compat_io_uring_buf), reg.ring_entries) : size_mul(sizeof(struct io_uring_buf), reg.ring_entries); - /* TODO [PCuABI] - capability checks for uaccess */ + + if (!check_user_ptr_rw((void __user *)reg.ring_addr, pages_size)) + return -EFAULT; + pages = io_pin_pages(reg.ring_addr, pages_size, &nr_pages); if (IS_ERR(pages)) { kfree(free_bl); diff --git a/io_uring/net.c b/io_uring/net.c index 6fd28a49b671..a8766d53cad8 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -1088,7 +1088,9 @@ int io_send_zc(struct io_kiocb *req, unsigned int issue_flags) return io_setup_async_addr(req, &__address, issue_flags); if (zc->flags & IORING_RECVSEND_FIXED_BUF) { - /* TODO [PCuABI] - capability checks for uaccess */ + if (!check_user_ptr_write(zc->buf, zc->len)) + return -EFAULT; + ret = io_import_fixed(WRITE, &msg.msg_iter, req->imu, user_ptr_addr(zc->buf), zc->len); if (unlikely(ret)) diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c index 9e716fef91d7..285938fcf119 100644 --- a/io_uring/rsrc.c +++ b/io_uring/rsrc.c @@ -1285,7 +1285,12 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, return 0; ret = -ENOMEM; - /* TODO [PCuABI] - capability checks for uaccess */ + + if (!check_user_ptr_rw(iov->iov_base, iov->iov_len)) { + ret = -EFAULT; + goto done; + } + pages = io_pin_pages(user_ptr_addr(iov->iov_base), iov->iov_len, &nr_pages); if (IS_ERR(pages)) { diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index a8e76cf06da7..4db910f1758d 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -675,7 +675,9 @@ BPF_CALL_5(bpf_copy_from_user_task, void *, dst, u32, size, if (unlikely(!size)) return 0; - /* TODO [PCuABI] - capability checks for uaccess */ + if (!check_user_ptr_read(user_ptr, size)) + return -EFAULT; + ret = access_process_vm(tsk, user_ptr_addr(user_ptr), dst, size, 0); if (ret == size) return 0; diff --git a/kernel/futex/core.c b/kernel/futex/core.c index 9613080ccf0c..04289dc13b4a 100644 --- a/kernel/futex/core.c +++ b/kernel/futex/core.c @@ -226,8 +226,6 @@ int get_futex_key(u32 __user *uaddr, bool fshared, union futex_key *key, struct address_space *mapping; int err, ro = 0; - /* TODO [PCuABI] - capability checks for uaccess */ - /* * The futex address must be "naturally" aligned. */ @@ -239,6 +237,12 @@ int get_futex_key(u32 __user *uaddr, bool fshared, union futex_key *key, if (unlikely(!access_ok(uaddr, sizeof(u32)))) return -EFAULT; + if (rw == FUTEX_READ && !check_user_ptr_read(uaddr, sizeof(u32))) + return -EFAULT; + + if (rw == FUTEX_WRITE && !check_user_ptr_rw(uaddr, sizeof(u32))) + return -EFAULT; + if (unlikely(should_fail_futex(fshared))) return -EFAULT; @@ -413,7 +417,8 @@ int fault_in_user_writeable(u32 __user *uaddr) struct mm_struct *mm = current->mm; int ret; - /* TODO [PCuABI] - capability checks for uaccess */ + if (!check_user_ptr_rw(uaddr, PAGE_SIZE)) + return -EFAULT; mmap_read_lock(mm); ret = fixup_user_fault(mm, user_ptr_addr(uaddr), diff --git a/lib/iov_iter.c b/lib/iov_iter.c index 2d74d8d00ad9..046915cc1562 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -1481,10 +1481,16 @@ static unsigned long first_iovec_segment(const struct iov_iter *i, size_t *size) { size_t skip; long k; + bool is_rw = iov_iter_rw(i) != WRITE; + + if (iter_is_ubuf(i)) { + if (is_rw && !check_user_ptr_rw(i->ubuf, *size)) + return -EFAULT; + if (!is_rw && !check_user_ptr_read(i->ubuf, *size)) + return -EFAULT; - if (iter_is_ubuf(i)) - /* TODO [PCuABI] - capability checks for uaccess */ return user_ptr_addr(i->ubuf) + i->iov_offset; + } for (k = 0, skip = i->iov_offset; k < i->nr_segs; k++, skip = 0) { size_t len = i->iov[k].iov_len - skip; @@ -1493,7 +1499,13 @@ static unsigned long first_iovec_segment(const struct iov_iter *i, size_t *size) continue; if (*size > len) *size = len; - /* TODO [PCuABI] - capability checks for uaccess */ + if (is_rw && !check_user_ptr_rw(i->iov[k].iov_base + skip, + *size)) + return -EFAULT; + if (!is_rw && !check_user_ptr_read(i->iov[k].iov_base + skip, + *size)) + return -EFAULT; + return user_ptr_addr(i->iov[k].iov_base) + skip; } BUG(); // if it had been empty, we wouldn't get called @@ -1539,6 +1551,9 @@ static ssize_t __iov_iter_get_pages_alloc(struct iov_iter *i, gup_flags |= FOLL_NOFAULT; addr = first_iovec_segment(i, &maxsize); + if (IS_ERR_VALUE(addr)) + return addr; + *start = addr % PAGE_SIZE; addr &= PAGE_MASK; n = want_pages_array(pages, maxsize, *start, maxpages); diff --git a/mm/gup.c b/mm/gup.c index dc02749eaf9b..197459c58cd1 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -1843,11 +1843,15 @@ EXPORT_SYMBOL(fault_in_subpage_writeable); */ size_t fault_in_safe_writeable(const char __user *uaddr, size_t size) { - /* TODO [PCuABI] - capability checks for uaccess */ - unsigned long start = user_ptr_addr(uaddr), end; + unsigned long start, end; struct mm_struct *mm = current->mm; bool unlocked = false; + if (!check_user_ptr_read(uaddr, size)) + return 0; + + start = user_ptr_addr(uaddr); + if (unlikely(size == 0)) return 0; end = PAGE_ALIGN(start + size); -- 2.34.1

2 years

3
14
0 0

[Discussion] check_user_ptr interface

by Kevin Brodsky

Hi, For the sake of clarity, I am starting this new thread to discuss the interface we should adopt for the check_user_ptr interface, introduced by the "New user_ptr helpers for uaccess" series [1.1]. This function is meant to check that the specifier user pointer (capability in PCuABI) allows a given range to be accessed in a given way. The range is specified quite naturally by the address of the pointer + a separate size argument. As to the nature of the access (read and/or write), as suggested [2.2] during the review of the preliminary RFC, it is currently specified in the function name itself: check_user_ptr_read(), check_user_ptr_write(), check_user_ptr_rw(). I believe this is looking pretty good, but Luca's recent explicit check patch [3] has shown that it is a little inconvenient in the cases where the nature of the access is only known at runtime, often through an integer set to either READ or WRITE. This led me to suggest [1.2] to use these constants as an argument for check_user_ptr too, only to realise later that it doesn't work, as it is not possible to use them together (READ | WRITE is meaningless). The question now is therefore the following: should we go back to something like in the RFC [2.1], i.e. pass the access type as argument, introducing a whole new type / constants for the access type? Or should we stick to [1.1], i.e. the access type in the function name itself. At this point I would tend to favour the latter option, as there are not so many situations where the access type is only known at runtime (just 3 so far), but maybe this is short-sighted. Opinions very welcome! Thanks, Kevin [1.1] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [1.2] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2.1] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2.2] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [3] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org…

2 years

1
0
0 0

2025

2024

2023

2022

linux-morello June 2023