From patchwork Wed Dec 8 04:48:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 12695277 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 5FC8AC433EF for ; Wed, 8 Dec 2021 04:50:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References: Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=A4a4y8MNPxv5EkIOgVQtksBG2ZXHlgamAK37hLmmlmU=; b=OPcKk3HvhbNE9Jz+334y7nGW9M Xkrheiy0euZLGBuxwCBOO3SCLYp4rjcu7ydd1S7smqdElNJ6uXrxj47gbGpMA25AVgr1FJ1OmlTFg W9X31BJomeQSyi2TVzWn8VRCiOxtYvL6c7rVFR9iTkaQ12qxQhsgLo1AvGnjsjE7F/QW7MwJgpP7J 5Jp1VNJRz5VlhyffL+n6BRMeCK+TjwBQMrMIRAEwsugjOFAV9fqbxa1YJ1tWf9uuj/nks0Lr+7JbD FctAXhUyU62utG/MRyDGQDGCHysIuWiQH1rRC87dqrR/3r5APs5s1/UG4FGERmEFTVC9oeOoZ91AC mwktlqFA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1muose-00BESM-TF; Wed, 08 Dec 2021 04:48:37 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosO-00BEMK-Pp for linux-arm-kernel@lists.infradead.org; Wed, 08 Dec 2021 04:48:22 +0000 Received: by mail-yb1-xb49.google.com with SMTP id q198-20020a25d9cf000000b005f7a6a84f9fso2519066ybg.6 for ; Tue, 07 Dec 2021 20:48:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=JtdRIroDVgccFwCdTVc0TsbiO+v4ycYN9fgE1zvbpew=; b=qioJGvHxCaUMYDmDWwlYCm4ZZ+I/yyWW6plwpkL0qqIm/yxh00rgj3Cj9bQulgK6dV pmNSUoGFXODYeH8/AgHcaNy+56yvC/IfqkIsGJ2nU1DCs5dHklqn6zvO6+6uL5zi4PKG ZsYV5JdtzeqjScR6HVpQcTk1Zdxk5Zt/JTHtOJosP2eq3+nm2bdTkOk0HeYqAZbCCFrX sFuguIvussQ80ecbny4Y7opDWo13Kh7hLHxb8cyc6GuZnOnbeHMnNqEnlCQk4VhFFW6w TTMezquVS9UurUhV30C0m6yfeHkoxhkcu3ii4CHmqPRmzh7gAQk06VS4aaXzSbUrk2CR gt8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=JtdRIroDVgccFwCdTVc0TsbiO+v4ycYN9fgE1zvbpew=; b=ujYwuxsdzW9bLBK0xR0moyobhtohrSJ9cA//RtUZzZEup5rMGtxX1MH7GXcdI2fHmp 1qeB3gw6SdWuHTNLECVylyCLT7Ms9j3tE+RvaBbdWf/4koGmamf7V2XdfLQiR+c/52g5 QbNC5KTW80SD+FKjTZBRpeNOqf4nFFw+iXoUN+mER1m8xmNxrBr1NPymGkKPFaKAjJgZ zjeD4BWhWK4/rLfEpKxh3GAI1OahGDNgni/7VE3yLexGmQF4CC+lRuYIzsP0WJkBINZ5 4SugQGUeMc39w98Iojaxzt8yYJAoFSbcXvVhrTckGf78GBtbgxyfb4EGokXHqUXxlusz mRnQ== X-Gm-Message-State: AOAM531q+xnIMgSMFUQCKjipLA3o+xXcZxyFSc1BdWkXaZKv0codVm+V VwjJecUo8gslAQMzEAEWX9V3bEo= X-Google-Smtp-Source: ABdhPJxsCHqUib2mOPudZ77H+uVFoQunSny/sJrZzgoUbaBQQJhAf9CMq9HP1U+BRyz4zwhjxAoOygw= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:200:be2d:924d:844b:d2fa]) (user=pcc job=sendgmr) by 2002:a25:d196:: with SMTP id i144mr54279180ybg.595.1638938899130; Tue, 07 Dec 2021 20:48:19 -0800 (PST) Date: Tue, 7 Dec 2021 20:48:03 -0800 In-Reply-To: <20211208044808.872554-1-pcc@google.com> Message-Id: <20211208044808.872554-2-pcc@google.com> Mime-Version: 1.0 References: <20211208044808.872554-1-pcc@google.com> X-Mailer: git-send-email 2.34.1.173.g76aa8bc2d0-goog Subject: [PATCH v3 1/6] include: split out uaccess instrumentation into a separate header From: Peter Collingbourne To: Catalin Marinas , Will Deacon , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Peter Collingbourne , Gabriel Krisman Bertazi , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , David Hildenbrand , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211207_204820_866452_987A924E X-CRM114-Status: GOOD ( 21.71 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org In an upcoming change we are going to add uaccess instrumentation that uses inline access to struct task_struct from the instrumentation routines. Because instrumentation.h is included from many places including (recursively) from sched.h this would otherwise lead to a circular dependency. Break the dependency by moving uaccess instrumentation routines into a separate header, instrumentation-uaccess.h. Link: https://linux-review.googlesource.com/id/I625728db0c8db374e13e4ebc54985ac5c79ace7d Signed-off-by: Peter Collingbourne Acked-by: Dmitry Vyukov --- include/linux/instrumented-uaccess.h | 49 ++++++++++++++++++++++++++++ include/linux/instrumented.h | 34 ------------------- include/linux/uaccess.h | 2 +- lib/iov_iter.c | 2 +- lib/usercopy.c | 2 +- 5 files changed, 52 insertions(+), 37 deletions(-) create mode 100644 include/linux/instrumented-uaccess.h diff --git a/include/linux/instrumented-uaccess.h b/include/linux/instrumented-uaccess.h new file mode 100644 index 000000000000..ece549088e50 --- /dev/null +++ b/include/linux/instrumented-uaccess.h @@ -0,0 +1,49 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +/* + * This header provides generic wrappers for memory access instrumentation for + * uaccess routines that the compiler cannot emit for: KASAN, KCSAN. + */ +#ifndef _LINUX_INSTRUMENTED_UACCESS_H +#define _LINUX_INSTRUMENTED_UACCESS_H + +#include +#include +#include +#include + +/** + * instrument_copy_to_user - instrument reads of copy_to_user + * + * Instrument reads from kernel memory, that are due to copy_to_user (and + * variants). The instrumentation must be inserted before the accesses. + * + * @to destination address + * @from source address + * @n number of bytes to copy + */ +static __always_inline void +instrument_copy_to_user(void __user *to, const void *from, unsigned long n) +{ + kasan_check_read(from, n); + kcsan_check_read(from, n); +} + +/** + * instrument_copy_from_user - instrument writes of copy_from_user + * + * Instrument writes to kernel memory, that are due to copy_from_user (and + * variants). The instrumentation should be inserted before the accesses. + * + * @to destination address + * @from source address + * @n number of bytes to copy + */ +static __always_inline void +instrument_copy_from_user(const void *to, const void __user *from, unsigned long n) +{ + kasan_check_write(to, n); + kcsan_check_write(to, n); +} + +#endif /* _LINUX_INSTRUMENTED_UACCESS_H */ diff --git a/include/linux/instrumented.h b/include/linux/instrumented.h index 42faebbaa202..b68f415510c7 100644 --- a/include/linux/instrumented.h +++ b/include/linux/instrumented.h @@ -102,38 +102,4 @@ static __always_inline void instrument_atomic_read_write(const volatile void *v, kcsan_check_atomic_read_write(v, size); } -/** - * instrument_copy_to_user - instrument reads of copy_to_user - * - * Instrument reads from kernel memory, that are due to copy_to_user (and - * variants). The instrumentation must be inserted before the accesses. - * - * @to destination address - * @from source address - * @n number of bytes to copy - */ -static __always_inline void -instrument_copy_to_user(void __user *to, const void *from, unsigned long n) -{ - kasan_check_read(from, n); - kcsan_check_read(from, n); -} - -/** - * instrument_copy_from_user - instrument writes of copy_from_user - * - * Instrument writes to kernel memory, that are due to copy_from_user (and - * variants). The instrumentation should be inserted before the accesses. - * - * @to destination address - * @from source address - * @n number of bytes to copy - */ -static __always_inline void -instrument_copy_from_user(const void *to, const void __user *from, unsigned long n) -{ - kasan_check_write(to, n); - kcsan_check_write(to, n); -} - #endif /* _LINUX_INSTRUMENTED_H */ diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h index ac0394087f7d..c0c467e39657 100644 --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -3,7 +3,7 @@ #define __LINUX_UACCESS_H__ #include -#include +#include #include #include #include diff --git a/lib/iov_iter.c b/lib/iov_iter.c index 66a740e6e153..3f9dc6df7102 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -12,7 +12,7 @@ #include #include #include -#include +#include #define PIPE_PARANOIA /* for now */ diff --git a/lib/usercopy.c b/lib/usercopy.c index 7413dd300516..1cd188e62d06 100644 --- a/lib/usercopy.c +++ b/lib/usercopy.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include #include -#include +#include #include /* out-of-line parts */ From patchwork Wed Dec 8 04:48:04 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 12695278 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9DAF9C433EF for ; Wed, 8 Dec 2021 04:50:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References: Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=p8xoMEhh6pX7uPluBFj3kORcS6+u0dx1qW6SguqAS7s=; b=p3fKras/sIWbxUGSFYTmWtulIw wb94f+8pVtMZEuT8le2gNiM07dDifIvH6+5zSjL+kJyjRitm5Hcaet6jktIHvWylWoU7eqr44uc7Q gSP/2kOnxXIYkYv6AwRf8o/VkK9I6viDLe5VfD04VK46trFopzlax61iJv+WEAzDKALYqf2vuPuq8 d8hLQ84+W/xvckW8P/y9q3Xe179PiIajJZo45dpFrGNPxmyGyz3KFjFc2UJzLS4bGTVDXiSMlAn6A 2WmHSkykQ2df3det2t1Km4JDpnBbHyQBbE1Mo/IeR3mPt6JBNZ9G493mrGZi0m4PrhwGkNIefGvWH /1xcL6Dg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosq-00BEWT-1Y; Wed, 08 Dec 2021 04:48:48 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosR-00BENQ-FG for linux-arm-kernel@lists.infradead.org; Wed, 08 Dec 2021 04:48:26 +0000 Received: by mail-yb1-xb49.google.com with SMTP id l75-20020a25254e000000b005f763be2fecso2545798ybl.7 for ; Tue, 07 Dec 2021 20:48:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=jBlXBnNdAMxSUa7yhIEysIDH76+KtqzmNyIubBtA+w4=; b=SypwgL/uWaUiO5tC4MdvSa7r8QMW3zr/sROnmdA2wikBl9aPLJlgK7YeiJo72Ihjxx te9F/z+Ko3jXg68CNGg9Uzt5zKemJK/1Y2MR0+Cb4IDXvYTWgG7CD/cQH+gOJtw1YB/t vBSUb0rQhA55U+PN4bz5BGA3zgIefxtfuRbeb+ILSk90ovlIvUoKiB1cJlydTSoD60hb cJVUXM2bGNMHTd39Ys6CfTcMKF41gZT41eKYmTwPWQlSXJkwDV9DWj3unRVBH3vt4boE 3PITH31oUGQCQjOK8ITTFXP/WqknPiaAxqpKyUewNFSeaP6BpcJC2BEOQH7A5VLw8wOS 3leQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=jBlXBnNdAMxSUa7yhIEysIDH76+KtqzmNyIubBtA+w4=; b=3pdfUJgMTs+WBnLJf/M73Z1gjmzRczzV83OdMGVbfXukCrbwdVwCsKi97NC38JYfjY EN5GeRe0NM1GX9BgOLksI/w7SoLehOkPVktc/vesSW0S26rB7djIEa4qVURcOhzwfZBN rzLz88RMBlEmANUQW+CfuVnjZTbfHgYvag9dwxIN6utXwmk4jyimMOWIulmQiW7vANwa vwpP//fHk06IIxXVgUlEUKuauahw4EIITaeBceu/ymKa/JDut8nYWZFGs5esmSvPH1G9 aEKbv+D/xk89Pw/fnEt+s9pWotQCnalqutppNlLLUQaQO56Rh5UarURtgJpmXrx7HNAR +9eA== X-Gm-Message-State: AOAM533OKzZ0vKBkkA7oA+UwpwO4hJ39k9Ccnb2JpcOmEVE2fXTUtdLl NOrtPflvLo4RwfH7cf4Aw5UPkMo= X-Google-Smtp-Source: ABdhPJwQwBHnDVDWeN8wKH2CZAz13EYYVPbKRZ8sxCY+r+igIJYsneorjLfhzDVPwqRgQHujvls1IdQ= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:200:be2d:924d:844b:d2fa]) (user=pcc job=sendgmr) by 2002:a05:6902:102d:: with SMTP id x13mr29987965ybt.114.1638938901833; Tue, 07 Dec 2021 20:48:21 -0800 (PST) Date: Tue, 7 Dec 2021 20:48:04 -0800 In-Reply-To: <20211208044808.872554-1-pcc@google.com> Message-Id: <20211208044808.872554-3-pcc@google.com> Mime-Version: 1.0 References: <20211208044808.872554-1-pcc@google.com> X-Mailer: git-send-email 2.34.1.173.g76aa8bc2d0-goog Subject: [PATCH v3 2/6] uaccess-buffer: add core code From: Peter Collingbourne To: Catalin Marinas , Will Deacon , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Peter Collingbourne , Gabriel Krisman Bertazi , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , David Hildenbrand , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211207_204823_565565_8062F643 X-CRM114-Status: GOOD ( 33.66 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add the core code to support uaccess logging. Subsequent patches will hook this up to the arch-specific kernel entry and exit code for certain architectures. Link: https://linux-review.googlesource.com/id/I6581765646501a5631b281d670903945ebadc57d Signed-off-by: Peter Collingbourne --- v3: - performance optimizations for entry/exit code - don't use kcur == NULL to mean overflow - fix potential double free in clone() - don't allocate a new kernel-side uaccess buffer for each syscall - fix uaccess buffer leak on exit - fix some sparse warnings v2: - New interface that avoids multiple syscalls per real syscall and is arch-generic - Avoid logging uaccesses done by BPF programs - Add documentation - Split up into multiple patches - Various code moves, renames etc as requested by Marco fs/exec.c | 3 + include/linux/instrumented-uaccess.h | 6 +- include/linux/sched.h | 5 ++ include/linux/uaccess-buffer-info.h | 46 ++++++++++ include/linux/uaccess-buffer.h | 112 +++++++++++++++++++++++ include/uapi/linux/prctl.h | 3 + include/uapi/linux/uaccess-buffer.h | 27 ++++++ kernel/Makefile | 1 + kernel/bpf/helpers.c | 7 +- kernel/fork.c | 4 + kernel/signal.c | 4 +- kernel/sys.c | 6 ++ kernel/uaccess-buffer.c | 129 +++++++++++++++++++++++++++ 13 files changed, 350 insertions(+), 3 deletions(-) create mode 100644 include/linux/uaccess-buffer-info.h create mode 100644 include/linux/uaccess-buffer.h create mode 100644 include/uapi/linux/uaccess-buffer.h create mode 100644 kernel/uaccess-buffer.c diff --git a/fs/exec.c b/fs/exec.c index 537d92c41105..c9975e790f30 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -65,6 +65,7 @@ #include #include #include +#include #include #include @@ -1313,6 +1314,8 @@ int begin_new_exec(struct linux_binprm * bprm) me->personality &= ~bprm->per_clear; clear_syscall_work_syscall_user_dispatch(me); + uaccess_buffer_set_descriptor_addr_addr(0); + uaccess_buffer_free(current); /* * We have to apply CLOEXEC before we change whether the process is diff --git a/include/linux/instrumented-uaccess.h b/include/linux/instrumented-uaccess.h index ece549088e50..b967f4436d15 100644 --- a/include/linux/instrumented-uaccess.h +++ b/include/linux/instrumented-uaccess.h @@ -2,7 +2,8 @@ /* * This header provides generic wrappers for memory access instrumentation for - * uaccess routines that the compiler cannot emit for: KASAN, KCSAN. + * uaccess routines that the compiler cannot emit for: KASAN, KCSAN, + * uaccess buffers. */ #ifndef _LINUX_INSTRUMENTED_UACCESS_H #define _LINUX_INSTRUMENTED_UACCESS_H @@ -11,6 +12,7 @@ #include #include #include +#include /** * instrument_copy_to_user - instrument reads of copy_to_user @@ -27,6 +29,7 @@ instrument_copy_to_user(void __user *to, const void *from, unsigned long n) { kasan_check_read(from, n); kcsan_check_read(from, n); + uaccess_buffer_log_write(to, n); } /** @@ -44,6 +47,7 @@ instrument_copy_from_user(const void *to, const void __user *from, unsigned long { kasan_check_write(to, n); kcsan_check_write(to, n); + uaccess_buffer_log_read(from, n); } #endif /* _LINUX_INSTRUMENTED_UACCESS_H */ diff --git a/include/linux/sched.h b/include/linux/sched.h index 78c351e35fec..7c5278d7b57d 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -34,6 +34,7 @@ #include #include #include +#include #include /* task_struct member predeclarations (sorted alphabetically): */ @@ -1484,6 +1485,10 @@ struct task_struct { struct callback_head l1d_flush_kill; #endif +#ifdef CONFIG_HAVE_ARCH_UACCESS_BUFFER + struct uaccess_buffer_info uaccess_buffer; +#endif + /* * New fields for task_struct should be added above here, so that * they are included in the randomized portion of task_struct. diff --git a/include/linux/uaccess-buffer-info.h b/include/linux/uaccess-buffer-info.h new file mode 100644 index 000000000000..15e2d8f7c074 --- /dev/null +++ b/include/linux/uaccess-buffer-info.h @@ -0,0 +1,46 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_UACCESS_BUFFER_INFO_H +#define _LINUX_UACCESS_BUFFER_INFO_H + +#ifdef CONFIG_HAVE_ARCH_UACCESS_BUFFER + +struct uaccess_buffer_info { + /* + * The pointer to pointer to struct uaccess_descriptor. This is the + * value controlled by prctl(PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR). + */ + struct uaccess_descriptor __user *__user *desc_ptr_ptr; + + /* + * The pointer to struct uaccess_descriptor read at syscall entry time. + */ + struct uaccess_descriptor __user *desc_ptr; + + /* + * A pointer to the kernel's temporary copy of the uaccess log for the + * current syscall. We log to a kernel buffer in order to avoid leaking + * timing information to userspace. + */ + struct uaccess_buffer_entry *kbegin; + + /* + * The position of the next uaccess buffer entry for the current + * syscall, or NULL if we are not logging the current syscall. + */ + struct uaccess_buffer_entry *kcur; + + /* + * A pointer to the end of the kernel's uaccess log. + */ + struct uaccess_buffer_entry *kend; + + /* + * The pointer to the userspace uaccess log, as read from the + * struct uaccess_descriptor. + */ + struct uaccess_buffer_entry __user *ubegin; +}; + +#endif + +#endif /* _LINUX_UACCESS_BUFFER_INFO_H */ diff --git a/include/linux/uaccess-buffer.h b/include/linux/uaccess-buffer.h new file mode 100644 index 000000000000..f2f46db274f3 --- /dev/null +++ b/include/linux/uaccess-buffer.h @@ -0,0 +1,112 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_UACCESS_BUFFER_H +#define _LINUX_UACCESS_BUFFER_H + +#include +#include + +#include + +#ifdef CONFIG_HAVE_ARCH_UACCESS_BUFFER + +static inline bool uaccess_buffer_maybe_blocked(struct task_struct *tsk) +{ + return test_task_syscall_work(tsk, UACCESS_BUFFER_ENTRY); +} + +void __uaccess_buffer_syscall_entry(void); +static inline void uaccess_buffer_syscall_entry(void) +{ + __uaccess_buffer_syscall_entry(); +} + +void __uaccess_buffer_syscall_exit(void); +static inline void uaccess_buffer_syscall_exit(void) +{ + __uaccess_buffer_syscall_exit(); +} + +bool __uaccess_buffer_pre_exit_loop(void); +static inline bool uaccess_buffer_pre_exit_loop(void) +{ + if (!test_syscall_work(UACCESS_BUFFER_ENTRY)) + return false; + return __uaccess_buffer_pre_exit_loop(); +} + +void __uaccess_buffer_post_exit_loop(void); +static inline void uaccess_buffer_post_exit_loop(bool pending) +{ + if (pending) + __uaccess_buffer_post_exit_loop(); +} + +static inline int uaccess_buffer_set_descriptor_addr_addr(unsigned long addr) +{ + current->uaccess_buffer.desc_ptr_ptr = + (struct uaccess_descriptor __user * __user *)addr; + if (addr) + set_syscall_work(UACCESS_BUFFER_ENTRY); + else + clear_syscall_work(UACCESS_BUFFER_ENTRY); + return 0; +} + +size_t copy_from_user_nolog(void *to, const void __user *from, size_t len); + +void uaccess_buffer_free(struct task_struct *tsk); + +void __uaccess_buffer_log_read(const void __user *from, unsigned long n); +static inline void uaccess_buffer_log_read(const void __user *from, unsigned long n) +{ + if (unlikely(test_syscall_work(UACCESS_BUFFER_EXIT))) + __uaccess_buffer_log_read(from, n); +} + +void __uaccess_buffer_log_write(void __user *to, unsigned long n); +static inline void uaccess_buffer_log_write(void __user *to, unsigned long n) +{ + if (unlikely(test_syscall_work(UACCESS_BUFFER_EXIT))) + __uaccess_buffer_log_write(to, n); +} + +#else + +static inline bool uaccess_buffer_maybe_blocked(struct task_struct *tsk) +{ + return false; +} +static inline void uaccess_buffer_syscall_entry(void) +{ +} +static inline void uaccess_buffer_syscall_exit(void) +{ +} +static inline bool uaccess_buffer_pre_exit_loop(void) +{ + return false; +} +static inline void uaccess_buffer_post_exit_loop(bool pending) +{ +} +static inline int uaccess_buffer_set_descriptor_addr_addr(unsigned long addr) +{ + return -EINVAL; +} +static inline void uaccess_buffer_free(struct task_struct *tsk) +{ +} + +#define copy_from_user_nolog(to, from, len) copy_from_user(to, from, len) + +static inline void uaccess_buffer_log_read(const void __user *from, + unsigned long n) +{ +} +static inline void uaccess_buffer_log_write(void __user *to, unsigned long n) +{ +} + +#endif + +#endif /* _LINUX_UACCESS_BUFFER_H */ diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h index bb73e9a0b24f..74b37469c7b3 100644 --- a/include/uapi/linux/prctl.h +++ b/include/uapi/linux/prctl.h @@ -272,4 +272,7 @@ struct prctl_mm_map { # define PR_SCHED_CORE_SCOPE_THREAD_GROUP 1 # define PR_SCHED_CORE_SCOPE_PROCESS_GROUP 2 +/* Configure uaccess logging feature */ +#define PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR 63 + #endif /* _LINUX_PRCTL_H */ diff --git a/include/uapi/linux/uaccess-buffer.h b/include/uapi/linux/uaccess-buffer.h new file mode 100644 index 000000000000..bf10f7c78857 --- /dev/null +++ b/include/uapi/linux/uaccess-buffer.h @@ -0,0 +1,27 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _UAPI_LINUX_UACCESS_BUFFER_H +#define _UAPI_LINUX_UACCESS_BUFFER_H + +#include + +/* Location of the uaccess log. */ +struct uaccess_descriptor { + /* Address of the uaccess_buffer_entry array. */ + __u64 addr; + /* Size of the uaccess_buffer_entry array in number of elements. */ + __u64 size; +}; + +/* Format of the entries in the uaccess log. */ +struct uaccess_buffer_entry { + /* Address being accessed. */ + __u64 addr; + /* Number of bytes that were accessed. */ + __u64 size; + /* UACCESS_BUFFER_* flags. */ + __u64 flags; +}; + +#define UACCESS_BUFFER_FLAG_WRITE 1 /* access was a write */ + +#endif /* _UAPI_LINUX_UACCESS_BUFFER_H */ diff --git a/kernel/Makefile b/kernel/Makefile index 186c49582f45..d4d9be5146c3 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -114,6 +114,7 @@ obj-$(CONFIG_KCSAN) += kcsan/ obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o obj-$(CONFIG_HAVE_STATIC_CALL_INLINE) += static_call.o obj-$(CONFIG_CFI_CLANG) += cfi.o +obj-$(CONFIG_HAVE_ARCH_UACCESS_BUFFER) += uaccess-buffer.o obj-$(CONFIG_PERF_EVENTS) += events/ diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c index 649f07623df6..ab6520a633ef 100644 --- a/kernel/bpf/helpers.c +++ b/kernel/bpf/helpers.c @@ -15,6 +15,7 @@ #include #include #include +#include #include "../../lib/kstrtox.h" @@ -637,7 +638,11 @@ const struct bpf_func_proto bpf_event_output_data_proto = { BPF_CALL_3(bpf_copy_from_user, void *, dst, u32, size, const void __user *, user_ptr) { - int ret = copy_from_user(dst, user_ptr, size); + /* + * Avoid logging uaccesses here as the BPF program may not be following + * the uaccess log rules. + */ + int ret = copy_from_user_nolog(dst, user_ptr, size); if (unlikely(ret)) { memset(dst, 0, size); diff --git a/kernel/fork.c b/kernel/fork.c index 3244cc56b697..8be2ca528a65 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -96,6 +96,7 @@ #include #include #include +#include #include #include @@ -754,6 +755,7 @@ void __put_task_struct(struct task_struct *tsk) delayacct_tsk_free(tsk); put_signal_struct(tsk->signal); sched_core_free(tsk); + uaccess_buffer_free(tsk); if (!profile_handoff_task(tsk)) free_task(tsk); @@ -890,6 +892,8 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) if (memcg_charge_kernel_stack(tsk)) goto free_stack; + uaccess_buffer_free(orig); + stack_vm_area = task_stack_vm_area(tsk); err = arch_dup_task_struct(tsk, orig); diff --git a/kernel/signal.c b/kernel/signal.c index a629b11bf3e0..69bf21518bd0 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -45,6 +45,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include @@ -1031,7 +1032,8 @@ static void complete_signal(int sig, struct task_struct *p, enum pid_type type) if (sig_fatal(p, sig) && !(signal->flags & SIGNAL_GROUP_EXIT) && !sigismember(&t->real_blocked, sig) && - (sig == SIGKILL || !p->ptrace)) { + (sig == SIGKILL || + !(p->ptrace || uaccess_buffer_maybe_blocked(p)))) { /* * This signal will be fatal to the whole group. */ diff --git a/kernel/sys.c b/kernel/sys.c index 8fdac0d90504..c71a9a9c0f68 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -42,6 +42,7 @@ #include #include #include +#include #include #include @@ -2530,6 +2531,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, error = sched_core_share_pid(arg2, arg3, arg4, arg5); break; #endif + case PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR: + if (arg3 || arg4 || arg5) + return -EINVAL; + error = uaccess_buffer_set_descriptor_addr_addr(arg2); + break; default: error = -EINVAL; break; diff --git a/kernel/uaccess-buffer.c b/kernel/uaccess-buffer.c new file mode 100644 index 000000000000..088e43f7611c --- /dev/null +++ b/kernel/uaccess-buffer.c @@ -0,0 +1,129 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Support for uaccess logging via uaccess buffers. + * + * Copyright (C) 2021, Google LLC. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void uaccess_buffer_log(unsigned long addr, unsigned long size, + unsigned long flags) +{ + struct uaccess_buffer_info *buf = ¤t->uaccess_buffer; + struct uaccess_buffer_entry *entry = buf->kcur; + + if (entry == buf->kend || unlikely(uaccess_kernel())) + return; + entry->addr = addr; + entry->size = size; + entry->flags = flags; + + ++buf->kcur; +} + +void __uaccess_buffer_log_read(const void __user *from, unsigned long n) +{ + uaccess_buffer_log((unsigned long)from, n, 0); +} +EXPORT_SYMBOL(__uaccess_buffer_log_read); + +void __uaccess_buffer_log_write(void __user *to, unsigned long n) +{ + uaccess_buffer_log((unsigned long)to, n, UACCESS_BUFFER_FLAG_WRITE); +} +EXPORT_SYMBOL(__uaccess_buffer_log_write); + +bool __uaccess_buffer_pre_exit_loop(void) +{ + struct uaccess_buffer_info *buf = ¤t->uaccess_buffer; + struct uaccess_descriptor __user *desc_ptr; + sigset_t tmp_mask; + + if (get_user(desc_ptr, buf->desc_ptr_ptr) || !desc_ptr) + return false; + + current->real_blocked = current->blocked; + sigfillset(&tmp_mask); + set_current_blocked(&tmp_mask); + return true; +} + +void __uaccess_buffer_post_exit_loop(void) +{ + spin_lock_irq(¤t->sighand->siglock); + current->blocked = current->real_blocked; + recalc_sigpending(); + spin_unlock_irq(¤t->sighand->siglock); +} + +void uaccess_buffer_free(struct task_struct *tsk) +{ + struct uaccess_buffer_info *buf = &tsk->uaccess_buffer; + + kfree(buf->kbegin); + clear_syscall_work(UACCESS_BUFFER_EXIT); + buf->kbegin = buf->kcur = buf->kend = NULL; +} + +void __uaccess_buffer_syscall_entry(void) +{ + struct uaccess_buffer_info *buf = ¤t->uaccess_buffer; + struct uaccess_descriptor desc; + + if (get_user(buf->desc_ptr, buf->desc_ptr_ptr) || !buf->desc_ptr || + put_user(0, buf->desc_ptr_ptr) || + copy_from_user(&desc, buf->desc_ptr, sizeof(desc))) + return; + + if (desc.size > 1024) + desc.size = 1024; + + if (buf->kend - buf->kbegin != desc.size) + buf->kbegin = + krealloc_array(buf->kbegin, desc.size, + sizeof(struct uaccess_buffer_entry), + GFP_KERNEL); + if (!buf->kbegin) + return; + + set_syscall_work(UACCESS_BUFFER_EXIT); + buf->kcur = buf->kbegin; + buf->kend = buf->kbegin + desc.size; + buf->ubegin = + (struct uaccess_buffer_entry __user *)(unsigned long)desc.addr; +} + +void __uaccess_buffer_syscall_exit(void) +{ + struct uaccess_buffer_info *buf = ¤t->uaccess_buffer; + u64 num_entries = buf->kcur - buf->kbegin; + struct uaccess_descriptor desc; + + clear_syscall_work(UACCESS_BUFFER_EXIT); + desc.addr = (u64)(unsigned long)(buf->ubegin + num_entries); + desc.size = buf->kend - buf->kcur; + buf->kcur = NULL; + if (copy_to_user(buf->ubegin, buf->kbegin, + num_entries * sizeof(struct uaccess_buffer_entry)) == 0) + (void)copy_to_user(buf->desc_ptr, &desc, sizeof(desc)); +} + +size_t copy_from_user_nolog(void *to, const void __user *from, size_t len) +{ + size_t retval; + + clear_syscall_work(UACCESS_BUFFER_EXIT); + retval = copy_from_user(to, from, len); + if (current->uaccess_buffer.kcur) + set_syscall_work(UACCESS_BUFFER_EXIT); + return retval; +} From patchwork Wed Dec 8 04:48:05 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 12695279 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id CE1FEC433F5 for ; Wed, 8 Dec 2021 04:50:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References: Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=LIpbf4xks1263c1W+VIAbLKOVR+PSQmQg5mefW+J7qY=; b=BYWinhVhmzN5jD13eyEe7HUxlf siptltlo/j0KYN806LaNUr+j7H2eK0FrAESglg7h68970hCmg4TqjVGnr9Z/lDyYGaKtiMishFKz1 AgCYJAZt5nOY0CA9SIgrtks+E9Ud/xv5gM5ZeW0NNQYvdplbnlAGf0zQyKNC4hjjlbvU4KLyZWV9m D+kOQ5/Q5/MBgQcHHpCgIY8LGwWBMQxleh52mHMjAwZlHz5Bxl6Gly3rN7RjX+4/eaGrJfXA2TROs yDna/DV2aJOgtp5mfMPXFux7vtHrL+2S1neAsZsDlCqjLuGrVeAZlHtxw15JpRIzHPRuPbS3Q4HpC r1C3mrCw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1muot2-00BEbX-HO; Wed, 08 Dec 2021 04:49:00 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosT-00BEOC-Rp for linux-arm-kernel@lists.infradead.org; Wed, 08 Dec 2021 04:48:27 +0000 Received: by mail-yb1-xb49.google.com with SMTP id l28-20020a25b31c000000b005c27dd4987bso2459565ybj.18 for ; Tue, 07 Dec 2021 20:48:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=lvYZWOMBGv2NvliGw5NO73inoVaqmyrZ+UqoCCa0Q2o=; b=LcAaZtOXvzkNd9sVH2yLm+/LCfc50ZjsZQfoXUZn7U+OT7GnL1XVyB0o+cD51g1mak Atu4LFmhQbZyDYeWpivY/cKuxNwGA8Jh/O7LpaMl/n1cfe2dZkr+atqOCbOeszYfTebI GC+jxXlemcn9ha4kKrirxAiOx89J4pv6tgTH17jY1GS/bmFafsxIDdDGbhzbX+ARJjCL G1Vq1kN0jk63LtGyolqjlQ/LUi0i9ZuCv6Qa8sNIMOPIlPGzgln1AjOoe2RdvLL8u+Ld pnAKV5yKSrxy6nzTPsR77c04HAKapfoXuyNLG7p2cKRJLtjzi8rUA0NXs5ToyAv17gH+ MfFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=lvYZWOMBGv2NvliGw5NO73inoVaqmyrZ+UqoCCa0Q2o=; b=Ab3q/KNHeftPZONSvIhZIlMf0HZQJVEhUbLZWmUOfhXMy0v48ytKiR1p/R9q6dpKNb qIgevPouEc+f0JVI/f83QlhekSxPNgxvfomi/PeA8/zrqWgpVgiP/gR7xdB77my9VI6f 0x1yOILmUDJUQiQhHQktw2kLgo6YqGpn+SRFMo0EglrYOSz+NbK8OojEmqPWIurmcExp gf0UagS2jFFy5imwtwW8y66ahho7M557vZ+KG7eZKnZDg7XB8M/mN07xLjxt5amRQhi5 Q6XNCZVvqMU+daNtdebA0xPFxlg3h3ZAUfVkQefNJIGYm8+9nNs6A7M3Q2eDYsTsc5Ku 7t5A== X-Gm-Message-State: AOAM533DMowEkZAY6ISIQWyPqWeW5tODYQYu1yQuOWMiTVWTzTXGclzg 5LFmbhzjZ7UtVI3l/I4Ic06i7S4= X-Google-Smtp-Source: ABdhPJwdKv4aEZBt18+APFTl37LHZZmJKCQ2bWdhzhqziL4e4O+qlZtepaGeVotGWLHKGp3ZB5en6oU= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:200:be2d:924d:844b:d2fa]) (user=pcc job=sendgmr) by 2002:a25:5cf:: with SMTP id 198mr52498659ybf.742.1638938904301; Tue, 07 Dec 2021 20:48:24 -0800 (PST) Date: Tue, 7 Dec 2021 20:48:05 -0800 In-Reply-To: <20211208044808.872554-1-pcc@google.com> Message-Id: <20211208044808.872554-4-pcc@google.com> Mime-Version: 1.0 References: <20211208044808.872554-1-pcc@google.com> X-Mailer: git-send-email 2.34.1.173.g76aa8bc2d0-goog Subject: [PATCH v3 3/6] fs: use copy_from_user_nolog() to copy mount() data From: Peter Collingbourne To: Catalin Marinas , Will Deacon , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Peter Collingbourne , Gabriel Krisman Bertazi , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , David Hildenbrand , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211207_204825_969911_7AA4E9B0 X-CRM114-Status: GOOD ( 18.92 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org With uaccess logging the contract is that the kernel must not report accessing more data than necessary, as this can lead to false positive reports in downstream consumers. This generally works out of the box when instrumenting copy_{from,to}_user(), but with the data argument to mount() we use copy_from_user() to copy PAGE_SIZE bytes (or as much as we can, if the PAGE_SIZE sized access failed) and figure out later how much we actually need. To prevent this from leading to a false positive report, use copy_from_user_nolog(), which will prevent the access from being logged. Recall that it is valid for the kernel to report accessing less data than it actually accessed, as uaccess logging is a best-effort mechanism for reporting uaccesses. Link: https://linux-review.googlesource.com/id/I5629b92a725c817acd9a861288338dd605cafee6 Signed-off-by: Peter Collingbourne --- fs/namespace.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 659a8f39c61a..8f5f2aaca64e 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -31,6 +31,7 @@ #include #include #include +#include #include "pnode.h" #include "internal.h" @@ -3197,7 +3198,12 @@ static void *copy_mount_options(const void __user * data) if (!copy) return ERR_PTR(-ENOMEM); - left = copy_from_user(copy, data, PAGE_SIZE); + /* + * Use copy_from_user_nolog to avoid reporting overly large accesses in + * the uaccess buffer, as this can lead to false positive reports in + * downstream consumers. + */ + left = copy_from_user_nolog(copy, data, PAGE_SIZE); /* * Not all architectures have an exact copy_from_user(). Resort to From patchwork Wed Dec 8 04:48:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 12695280 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 35177C433EF for ; Wed, 8 Dec 2021 04:51:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References: Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=8ZJ72yx0hm3ZFdZBsnGtT4JAib2VFvuGq9kfndJvcFE=; b=Vhv1EHkoH5Cu1y7H2pEhtMg9mx l2ZqZ0vi4+dVTa68WqSn5TjwQKvumjxXmigX9w3hFcUGZyUKGyTnAwhurW6phv9RuimAq/LfnnjoY ZxDUP5SQ+1dU7tBP/GAbsu6dU7ZVSlVM7GoI6JYLP55p7lFTjrkGFewGji+bNXAM/xpaA0ziYSMOq wrfQhqFUb5EDkTrgyJeQ4YHDwvfXzCrwjhokhJmTW/WuBFlEdmDZtWC4UbTU3ntc1zSp09yNJxtO/ Ny6bQMLXwiiqFxOwm7IT0OA6sX4B0UlBq6flH7L5wfCeA8HzeOGuJPm+duklWfSFudN9LBZesXsmS QyrH7gSg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1muotI-00BEh1-8m; Wed, 08 Dec 2021 04:49:16 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosW-00BEPC-O8 for linux-arm-kernel@lists.infradead.org; Wed, 08 Dec 2021 04:48:30 +0000 Received: by mail-yb1-xb49.google.com with SMTP id y125-20020a25dc83000000b005c2326bf744so2391584ybe.21 for ; Tue, 07 Dec 2021 20:48:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=efI4VGE3sof2fQql9BlEqQVxwYAZcmtpPH9in/kXoik=; b=PuwSA+qIKrc3RQd2I/5ygmWc7LSlVgf/7FLnARGyOSH32W5MessMoD7fplrR1NUuOt WcY5c0YgdzFBZNrHX0yc+4sU/Zl8lwHNqu3r/V9rhoIRmJXxpDkAMlDIOEDAf2WcT8vH U9BccwTofdXAVLA89oUW+Rmt/lhG9SGvKbvABUEHb8wRN+xZBn6IdIdzKpjjufUyZQCJ cNfZFjbqrX0nIynOmq6p8szCPiI/14YEjYzMGQ1ZRG1AaFGZuMpty+0aL1NO3l0P+IoP v0ovyLur8nY1+O0ZqghNgpzgH/4vmUfw0ase3ReE0fA3jPzVeOf+yuz6v6uIn8PnpLyZ 4soA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=efI4VGE3sof2fQql9BlEqQVxwYAZcmtpPH9in/kXoik=; b=NQczyZzZi1u1/t5x3JnGIjQ5PTXkhp1R7Sqf9yHenWZxZN1WPZKQzZBYNX1JB6vkPb Z6QfWXk6RjqbI4iV70ihqHSSm7cDNa3QTiVe4/m91542xvTwGSiiSqd8ZrQtEIPE0kD7 QzGwFr5a7cdHheFi7TzhWwPD8xlTB05h2B92IM6tUTLKcvzYfOjQ+ouxDTt2zbR/sAEl PkJTHBmrX1Au+6jEYwHuwGoKxU37EmlBtM0UXsqDnCT7Mm41Pc+nMdy7r8tdafgB4uUo H9vV00H9HUE0ZbaasorQa8E9VUHTU0Gw0Bc6WyCxIwNoRqPiEJ2nUTdT1tJyUvj3IcEi XyZg== X-Gm-Message-State: AOAM533TGq5vqxPcMwqdlyuT+bil31SJ65iQQOLQErwlYnRt++L78WIX ejPgRWL8VhktH1k0arjGxfXFiJc= X-Google-Smtp-Source: ABdhPJxP7dPKK2Ljuj5NjmKRJvgeiWRQ19jHcTiWCxLdBcR4NxN8mBZmENJLbs8PFNf5jy5WQZvu5o8= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:200:be2d:924d:844b:d2fa]) (user=pcc job=sendgmr) by 2002:a05:6902:1105:: with SMTP id o5mr60159435ybu.519.1638938907050; Tue, 07 Dec 2021 20:48:27 -0800 (PST) Date: Tue, 7 Dec 2021 20:48:06 -0800 In-Reply-To: <20211208044808.872554-1-pcc@google.com> Message-Id: <20211208044808.872554-5-pcc@google.com> Mime-Version: 1.0 References: <20211208044808.872554-1-pcc@google.com> X-Mailer: git-send-email 2.34.1.173.g76aa8bc2d0-goog Subject: [PATCH v3 4/6] uaccess-buffer: add CONFIG_GENERIC_ENTRY support From: Peter Collingbourne To: Catalin Marinas , Will Deacon , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Peter Collingbourne , Gabriel Krisman Bertazi , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , David Hildenbrand , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211207_204828_817303_36BAD629 X-CRM114-Status: GOOD ( 16.83 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add uaccess logging support on architectures that use CONFIG_GENERIC_ENTRY (currently only s390 and x86). Link: https://linux-review.googlesource.com/id/I3c5eb19a7e4a1dbe6095f6971f7826c4b0663f7d Signed-off-by: Peter Collingbourne Acked-by: Dmitry Vyukov --- arch/Kconfig | 6 ++++++ include/linux/entry-common.h | 2 ++ include/linux/thread_info.h | 4 ++++ kernel/entry/common.c | 10 ++++++++++ 4 files changed, 22 insertions(+) diff --git a/arch/Kconfig b/arch/Kconfig index d3c4ab249e9c..c4dcab5279ac 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -31,6 +31,7 @@ config HOTPLUG_SMT bool config GENERIC_ENTRY + select HAVE_ARCH_UACCESS_BUFFER bool config KPROBES @@ -1312,6 +1313,11 @@ config ARCH_HAS_PARANOID_L1D_FLUSH config DYNAMIC_SIGFRAME bool +config HAVE_ARCH_UACCESS_BUFFER + bool + help + Select if the architecture's syscall entry/exit code supports uaccess buffers. + source "kernel/gcov/Kconfig" source "scripts/gcc-plugins/Kconfig" diff --git a/include/linux/entry-common.h b/include/linux/entry-common.h index 2e2b8d6140ed..973fcd1d48a3 100644 --- a/include/linux/entry-common.h +++ b/include/linux/entry-common.h @@ -42,12 +42,14 @@ SYSCALL_WORK_SYSCALL_EMU | \ SYSCALL_WORK_SYSCALL_AUDIT | \ SYSCALL_WORK_SYSCALL_USER_DISPATCH | \ + SYSCALL_WORK_UACCESS_BUFFER_ENTRY | \ ARCH_SYSCALL_WORK_ENTER) #define SYSCALL_WORK_EXIT (SYSCALL_WORK_SYSCALL_TRACEPOINT | \ SYSCALL_WORK_SYSCALL_TRACE | \ SYSCALL_WORK_SYSCALL_AUDIT | \ SYSCALL_WORK_SYSCALL_USER_DISPATCH | \ SYSCALL_WORK_SYSCALL_EXIT_TRAP | \ + SYSCALL_WORK_UACCESS_BUFFER_EXIT | \ ARCH_SYSCALL_WORK_EXIT) /* diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h index ad0c4e041030..b0f8ea86967f 100644 --- a/include/linux/thread_info.h +++ b/include/linux/thread_info.h @@ -46,6 +46,8 @@ enum syscall_work_bit { SYSCALL_WORK_BIT_SYSCALL_AUDIT, SYSCALL_WORK_BIT_SYSCALL_USER_DISPATCH, SYSCALL_WORK_BIT_SYSCALL_EXIT_TRAP, + SYSCALL_WORK_BIT_UACCESS_BUFFER_ENTRY, + SYSCALL_WORK_BIT_UACCESS_BUFFER_EXIT, }; #define SYSCALL_WORK_SECCOMP BIT(SYSCALL_WORK_BIT_SECCOMP) @@ -55,6 +57,8 @@ enum syscall_work_bit { #define SYSCALL_WORK_SYSCALL_AUDIT BIT(SYSCALL_WORK_BIT_SYSCALL_AUDIT) #define SYSCALL_WORK_SYSCALL_USER_DISPATCH BIT(SYSCALL_WORK_BIT_SYSCALL_USER_DISPATCH) #define SYSCALL_WORK_SYSCALL_EXIT_TRAP BIT(SYSCALL_WORK_BIT_SYSCALL_EXIT_TRAP) +#define SYSCALL_WORK_UACCESS_BUFFER_ENTRY BIT(SYSCALL_WORK_BIT_UACCESS_BUFFER_ENTRY) +#define SYSCALL_WORK_UACCESS_BUFFER_EXIT BIT(SYSCALL_WORK_BIT_UACCESS_BUFFER_EXIT) #endif #include diff --git a/kernel/entry/common.c b/kernel/entry/common.c index d5a61d565ad5..57c4bb01a554 100644 --- a/kernel/entry/common.c +++ b/kernel/entry/common.c @@ -6,6 +6,7 @@ #include #include #include +#include #include "common.h" @@ -70,6 +71,9 @@ static long syscall_trace_enter(struct pt_regs *regs, long syscall, return ret; } + if (work & SYSCALL_WORK_UACCESS_BUFFER_ENTRY) + uaccess_buffer_syscall_entry(); + /* Either of the above might have changed the syscall number */ syscall = syscall_get_nr(current, regs); @@ -197,14 +201,17 @@ static unsigned long exit_to_user_mode_loop(struct pt_regs *regs, static void exit_to_user_mode_prepare(struct pt_regs *regs) { unsigned long ti_work = READ_ONCE(current_thread_info()->flags); + bool uaccess_buffer_pending; lockdep_assert_irqs_disabled(); /* Flush pending rcuog wakeup before the last need_resched() check */ tick_nohz_user_enter_prepare(); + uaccess_buffer_pending = uaccess_buffer_pre_exit_loop(); if (unlikely(ti_work & EXIT_TO_USER_MODE_WORK)) ti_work = exit_to_user_mode_loop(regs, ti_work); + uaccess_buffer_post_exit_loop(uaccess_buffer_pending); arch_exit_to_user_mode_prepare(regs, ti_work); @@ -247,6 +254,9 @@ static void syscall_exit_work(struct pt_regs *regs, unsigned long work) audit_syscall_exit(regs); + if (work & SYSCALL_WORK_UACCESS_BUFFER_EXIT) + uaccess_buffer_syscall_exit(); + if (work & SYSCALL_WORK_SYSCALL_TRACEPOINT) trace_sys_exit(regs, syscall_get_return_value(current, regs)); From patchwork Wed Dec 8 04:48:07 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 12695281 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 14DFBC433F5 for ; Wed, 8 Dec 2021 04:51:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References: Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=G4V3Dqh4s7XjeK3YLdXlWB+f+liXmIuI/NfVy7nXeuA=; b=B/pPKxnWdAYytJnfJ0bowUBqL5 EOHBhqB/QfrOFymK3dAJaqvuHGBYhaGGWXTDdggbT3jwPxT7ROF34eje/6cOp6g6vwQuMt7mryjRX wnW7brsWfgtS2R0NGgIGx8Y6pJhCDul/Fn3HRsjW+xnOnmTBGScpcNpsZRS/RODoGQ3TkuQxuAyHQ y6/HXrkkTkoz86Xm7rRj1bm7glsacgMvxePXqRFv2ycggLVSgg2uIc2DKogVd7D7UlQ1h7Q7DZ1lH z5t1iiqK3ss6jIFPOPrkS2zYyrVg8KCtg8555MAnjkmjcJ1x9Y9qDmwt5RXDKCyNrjwfITEvx5jl8 DN31TLIA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1muotn-00BEvL-1x; Wed, 08 Dec 2021 04:49:47 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosZ-00BEQS-6n for linux-arm-kernel@lists.infradead.org; Wed, 08 Dec 2021 04:48:32 +0000 Received: by mail-yb1-xb49.google.com with SMTP id t1-20020a5b03c1000000b005f6ee3e97easo2427153ybp.16 for ; Tue, 07 Dec 2021 20:48:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=BuYVt4Wv0/mLVwaaIxyzVOdtPDNx8nrlLULo3MVy2n8=; b=esxrbETmeoGQWN9deNhNumZ4ezPBGwub8BltXaTBLncqXRRn6ZLXDQuYvzcISWEMZ8 OJfaQMEAQ1dMEx77LfsOeP9simnlFHwdwgWVNds8dtw7WZG93B8gpskLMxq8cxNXbQ8m FvBnChTEvCeEzenHzLRjDE+QEH07lo1iFeSnrY4jx+wNCLWoF3Z/4fXFEj3/7NcvS20N mlunZVCYlA2Hc5OAbFZeVjjygqcKvg1Vh+ShwXgnWvtiYJsCySEGi2LuJdwoGwKyh/HL vjUI9TQHkf37ecKRW2F/rhhlY1H2oy9RLmyBh8810ArZR4H5BeHqYY/rcewpl/+AXVUB 5YVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=BuYVt4Wv0/mLVwaaIxyzVOdtPDNx8nrlLULo3MVy2n8=; b=MvFWy2ZibtmEVqBUiEuBL8sYr53XAZIgHqYuUH9ZqUUFQvqDxy0dyNCpgRGJOz/ixz 50pkSFPwdrNOUFKuCSX4Bro5+rL7p4KZkOTC3CvdR3JxLivDPv7dbYg7nzoY94xLIirU atkaHo9JKfatsgD8/ohz4+hkKZRbwlNUD9Er7kJ2fWusbCMR1WOPhduwlIED0l5EI1EG ay6sRPrnftN4TW2+0LwTYTC7lJmFLHR1VHIJKXf/es/iiiZAZ+kKnygYGasKmAuerDHP F7zyK0zsNVMM1iZlsFCmKZwe2x37PZTct/Xmn1/ERlxinMa9wzWg5NZaKHj+muDHB64p UB8Q== X-Gm-Message-State: AOAM533Jf3xQpvFld5q1tagSM7hL1YfaqyjQlXmADZ6RQJxEwphj2ybD amsLVTdzWDg7l+nlzsMBD49q0mw= X-Google-Smtp-Source: ABdhPJzx+21RSReSvHN2cMMCfhyMY8AHK5hhszYJj+Y0g7m/jMQnXVXj89q9SluIIeHYaDzCTtmhne8= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:200:be2d:924d:844b:d2fa]) (user=pcc job=sendgmr) by 2002:a25:b0a8:: with SMTP id f40mr54053245ybj.125.1638938909697; Tue, 07 Dec 2021 20:48:29 -0800 (PST) Date: Tue, 7 Dec 2021 20:48:07 -0800 In-Reply-To: <20211208044808.872554-1-pcc@google.com> Message-Id: <20211208044808.872554-6-pcc@google.com> Mime-Version: 1.0 References: <20211208044808.872554-1-pcc@google.com> X-Mailer: git-send-email 2.34.1.173.g76aa8bc2d0-goog Subject: [PATCH v3 5/6] arm64: add support for uaccess logging From: Peter Collingbourne To: Catalin Marinas , Will Deacon , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Peter Collingbourne , Gabriel Krisman Bertazi , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , David Hildenbrand , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211207_204831_287732_F9A70C82 X-CRM114-Status: GOOD ( 19.54 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org arm64 does not use CONFIG_GENERIC_ENTRY, so add the support for uaccess logging directly to the architecture. Link: https://linux-review.googlesource.com/id/I88de539fb9c4a9d27fa8cccbe201a6e4382faf89 Signed-off-by: Peter Collingbourne --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/thread_info.h | 7 ++++++- arch/arm64/kernel/ptrace.c | 7 +++++++ arch/arm64/kernel/signal.c | 5 +++++ arch/arm64/kernel/syscall.c | 1 + 5 files changed, 20 insertions(+), 1 deletion(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index c4207cf9bb17..6023946abe4a 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -161,6 +161,7 @@ config ARM64 select HAVE_ARCH_THREAD_STRUCT_WHITELIST select HAVE_ARCH_TRACEHOOK select HAVE_ARCH_TRANSPARENT_HUGEPAGE + select HAVE_ARCH_UACCESS_BUFFER select HAVE_ARCH_VMAP_STACK select HAVE_ARM_SMCCC select HAVE_ASM_MODVERSIONS diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index e1317b7c4525..0461b36251ea 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h @@ -82,6 +82,8 @@ int arch_dup_task_struct(struct task_struct *dst, #define TIF_SVE_VL_INHERIT 24 /* Inherit SVE vl_onexec across exec */ #define TIF_SSBD 25 /* Wants SSB mitigation */ #define TIF_TAGGED_ADDR 26 /* Allow tagged user addresses */ +#define TIF_UACCESS_BUFFER_ENTRY 27 /* thread has non-zero uaccess_desc_addr_addr */ +#define TIF_UACCESS_BUFFER_EXIT 28 /* thread has non-zero kcur */ #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) @@ -98,6 +100,8 @@ int arch_dup_task_struct(struct task_struct *dst, #define _TIF_SVE (1 << TIF_SVE) #define _TIF_MTE_ASYNC_FAULT (1 << TIF_MTE_ASYNC_FAULT) #define _TIF_NOTIFY_SIGNAL (1 << TIF_NOTIFY_SIGNAL) +#define _TIF_UACCESS_BUFFER_ENTRY (1 << TIF_UACCESS_BUFFER_ENTRY) +#define _TIF_UACCESS_BUFFER_EXIT (1 << TIF_UACCESS_BUFFER_EXIT) #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \ _TIF_NOTIFY_RESUME | _TIF_FOREIGN_FPSTATE | \ @@ -106,7 +110,8 @@ int arch_dup_task_struct(struct task_struct *dst, #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | \ - _TIF_SYSCALL_EMU) + _TIF_SYSCALL_EMU | _TIF_UACCESS_BUFFER_ENTRY | \ + _TIF_UACCESS_BUFFER_EXIT) #ifdef CONFIG_SHADOW_CALL_STACK #define INIT_SCS \ diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 88a9034fb9b5..283372eccaeb 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include @@ -1854,6 +1855,9 @@ int syscall_trace_enter(struct pt_regs *regs) if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, regs->syscallno); + if (flags & _TIF_UACCESS_BUFFER_ENTRY) + uaccess_buffer_syscall_entry(); + audit_syscall_entry(regs->syscallno, regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]); @@ -1866,6 +1870,9 @@ void syscall_trace_exit(struct pt_regs *regs) audit_syscall_exit(regs); + if (flags & _TIF_UACCESS_BUFFER_EXIT) + uaccess_buffer_syscall_exit(); + if (flags & _TIF_SYSCALL_TRACEPOINT) trace_sys_exit(regs, syscall_get_return_value(current, regs)); diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 8f6372b44b65..5bbd98e5c257 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -919,6 +920,8 @@ static void do_signal(struct pt_regs *regs) void do_notify_resume(struct pt_regs *regs, unsigned long thread_flags) { + bool uaccess_buffer_pending = uaccess_buffer_pre_exit_loop(); + do { if (thread_flags & _TIF_NEED_RESCHED) { /* Unmask Debug and SError for the next task */ @@ -950,6 +953,8 @@ void do_notify_resume(struct pt_regs *regs, unsigned long thread_flags) local_daif_mask(); thread_flags = READ_ONCE(current_thread_info()->flags); } while (thread_flags & _TIF_WORK_MASK); + + uaccess_buffer_post_exit_loop(uaccess_buffer_pending); } unsigned long __ro_after_init signal_minsigstksz; diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c index 50a0f1a38e84..d59022b594f2 100644 --- a/arch/arm64/kernel/syscall.c +++ b/arch/arm64/kernel/syscall.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include From patchwork Wed Dec 8 04:48:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Collingbourne X-Patchwork-Id: 12695282 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4C78DC433F5 for ; Wed, 8 Dec 2021 04:52:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:References: Mime-Version:Message-Id:In-Reply-To:Date:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=bfSTcTA3Q0izeT7Kl8PakYkyadecqVuaHtMnc0DA2CQ=; b=Q7COisRVhekz+FvM6eIdp4Hg0R 2adZ8wOA3vQj6pqfVCWj9ud1jY03quaUQNGWScZmSyrdb+8yu2yYF+nVrXEmFboDO5JBY1UHShLzP r5feQd0/ClDe+Vqmo0QTFukjewkAtIpb30o3baJZVNfgGSIzs2FDQNcKo4UBfK7228+Wpr+ZbSiYj JDX7iLm5qhw/pW/wMGjT/JZZZeQ0ZaVs21XVLFGnIH4jWBsDw7jMIal3iuze8klvIaLxnASkrAD0N TM9zp87kOhspnzGyYA0jOlVSFxcQ6OjU8z8Aku4d3ptmh69XucNNR+DLx0deK2eaaCkisxwkqdeG/ blwkJjyw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1muouQ-00BFHw-KK; Wed, 08 Dec 2021 04:50:28 +0000 Received: from mail-yb1-xb4a.google.com ([2607:f8b0:4864:20::b4a]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1muosb-00BERK-Le for linux-arm-kernel@lists.infradead.org; Wed, 08 Dec 2021 04:48:35 +0000 Received: by mail-yb1-xb4a.google.com with SMTP id b15-20020a25ae8f000000b005c20f367790so2589815ybj.2 for ; Tue, 07 Dec 2021 20:48:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=a1e01/uQIMruIVMxVHsJI+lKzq1arm+BxjGSeQVMHMA=; b=X5XGUkPM9DeYjKTNyLx2ogk3uEMOMqK3PIrwP0pN9HrJlyX1XaukdQVdrACI73UoI3 C73Tp66+6etXU4aZ1PWgFJ4WBFWZtFEroPEq02Gkr6xcejitZp76DXS8oTs3s5VOjqNP Eyg7FdUgoYYDf886Tg9frjeUBQTjA5v56tFO2t8rXOkyLvD+UDdxYtuf7+mZtcYhMF5S b3Up/nJeyx6W7qbr365Vs8T1S46gGaXdJ0rB1ND35ibD7sdIEKCvszFhOUOJO+BqxfKl YWTcweeQkvDzzswEj6LzSd2IGtcsswqvdESk1anfzaMnXZSgwyB3WViy7sqFYkQNCL7y sCug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=a1e01/uQIMruIVMxVHsJI+lKzq1arm+BxjGSeQVMHMA=; b=RwRVD399T112uEyJVJIln3INL2BjU5ZfR9/J9FXdXfBZQW0pN7IBqynS4m9BbJUKlg 4uScHqze+iosZvpqife0eY0+H+ROFXS723QRKgP2Nla3qJpc0SAiBkHrh/2bvBreVy1S ipNmHCvixPhVZ4q5a/BFr5YEFQJm7yGLBgY9jW8CpzlU/OjyCa+BqX+WXJ3ISB1csQVI hwZZ+dAZJ0y31n+j7bOfXtYi/vUusyKCHV2aGNg5CDapuIkyRFm3PAmSV/H2OWJhQMbr GlFqm+lBJMwBnGMzZKz5EyG9HeFOx+IjtxEtkIwU1A+jrMIMJdjbMQZJCPVHNm4+krnU lB5A== X-Gm-Message-State: AOAM530bo6IfxBLFyzzshI9FOHDJPcflxhBeQNUD7pfzbMP3+xg4GQub puRznoIJmUFQBKXItcUgsyLel4A= X-Google-Smtp-Source: ABdhPJygyqIWeu10SeLNwpOjQa4crQYQeJJQ5eWQYbtj8qvL/UTnq8W35uhTakuFmHjpK4j8LLrTDGc= X-Received: from pcc-desktop.svl.corp.google.com ([2620:15c:2ce:200:be2d:924d:844b:d2fa]) (user=pcc job=sendgmr) by 2002:a25:b0a8:: with SMTP id f40mr54053425ybj.125.1638938912219; Tue, 07 Dec 2021 20:48:32 -0800 (PST) Date: Tue, 7 Dec 2021 20:48:08 -0800 In-Reply-To: <20211208044808.872554-1-pcc@google.com> Message-Id: <20211208044808.872554-7-pcc@google.com> Mime-Version: 1.0 References: <20211208044808.872554-1-pcc@google.com> X-Mailer: git-send-email 2.34.1.173.g76aa8bc2d0-goog Subject: [PATCH v3 6/6] Documentation: document uaccess logging From: Peter Collingbourne To: Catalin Marinas , Will Deacon , Ingo Molnar , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Mel Gorman , Daniel Bristot de Oliveira , Thomas Gleixner , Andy Lutomirski , Kees Cook , Andrew Morton , Masahiro Yamada , Sami Tolvanen , YiFei Zhu , Mark Rutland , Frederic Weisbecker , Viresh Kumar , Andrey Konovalov , Peter Collingbourne , Gabriel Krisman Bertazi , Chris Hyser , Daniel Vetter , Chris Wilson , Arnd Bergmann , Dmitry Vyukov , Christian Brauner , "Eric W. Biederman" , Alexey Gladkov , Ran Xiaokai , David Hildenbrand , Xiaofeng Cao , Cyrill Gorcunov , Thomas Cedeno , Marco Elver , Alexander Potapenko Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211207_204833_765803_AD1FD861 X-CRM114-Status: GOOD ( 31.51 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Add documentation for the uaccess logging feature. Link: https://linux-review.googlesource.com/id/Ia626c0ca91bc0a3d8067d7f28406aa40693b65a2 Signed-off-by: Peter Collingbourne --- v3: - document what happens if passing NULL to prctl - be explicit about meaning of addr and size Documentation/admin-guide/index.rst | 1 + Documentation/admin-guide/uaccess-logging.rst | 151 ++++++++++++++++++ 2 files changed, 152 insertions(+) create mode 100644 Documentation/admin-guide/uaccess-logging.rst diff --git a/Documentation/admin-guide/index.rst b/Documentation/admin-guide/index.rst index 1bedab498104..4f6ee447ab2f 100644 --- a/Documentation/admin-guide/index.rst +++ b/Documentation/admin-guide/index.rst @@ -54,6 +54,7 @@ ABI will be found here. :maxdepth: 1 sysfs-rules + uaccess-logging The rest of this manual consists of various unordered guides on how to configure specific aspects of kernel behavior to your liking. diff --git a/Documentation/admin-guide/uaccess-logging.rst b/Documentation/admin-guide/uaccess-logging.rst new file mode 100644 index 000000000000..24def38bbdf8 --- /dev/null +++ b/Documentation/admin-guide/uaccess-logging.rst @@ -0,0 +1,151 @@ +.. SPDX-License-Identifier: GPL-2.0 + +=============== +Uaccess Logging +=============== + +Background +---------- + +Userspace tools such as sanitizers (ASan, MSan, HWASan) and tools +making use of the ARM Memory Tagging Extension (MTE) need to +monitor all memory accesses in a program so that they can detect +memory errors. Furthermore, fuzzing tools such as syzkaller need to +monitor all memory accesses so that they know which parts of memory +to fuzz. For accesses made purely in userspace, this is achieved +via compiler instrumentation, or for MTE, via direct hardware +support. However, accesses made by the kernel on behalf of the user +program via syscalls (i.e. uaccesses) are normally invisible to +these tools. + +Traditionally, the sanitizers have handled this by interposing the libc +syscall stubs with a wrapper that checks the memory based on what we +believe the uaccesses will be. However, this creates a maintenance +burden: each syscall must be annotated with its uaccesses in order +to be recognized by the sanitizer, and these annotations must be +continuously updated as the kernel changes. + +The kernel's uaccess logging feature provides userspace tools with +the address and size of each userspace access, thereby allowing these +tools to report memory errors involving these accesses without needing +annotations for every syscall. + +By relying on the kernel's actual uaccesses, rather than a +reimplementation of them, the userspace memory safety tools may +play a dual role of verifying the validity of kernel accesses. Even +a sanitizer whose syscall wrappers have complete knowledge of the +kernel's intended API may vary from the kernel's actual uaccesses due +to kernel bugs. A sanitizer with knowledge of the kernel's actual +uaccesses may produce more accurate error reports that reveal such +bugs. For example, a kernel that accesses more memory than expected +by the userspace program could indicate that either userspace or the +kernel has the wrong idea about which kernel functionality is being +requested -- either way, there is a bug. + +Interface +--------- + +The feature may be used via the following prctl: + +.. code-block:: c + + uint64_t addr = 0; /* Generally will be a TLS slot or equivalent */ + prctl(PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR, &addr, 0, 0, 0); + +Supplying a non-zero address as the second argument to ``prctl`` +will cause the kernel to read an address (referred to as the *uaccess +descriptor address*) from that address on each kernel entry. Specifying +an address of NULL as the second argument will restore the kernel's +default behavior, i.e. no uaccess descriptor address is read. + +When entering the kernel with a non-zero uaccess descriptor address +to handle a syscall, the kernel will read a data structure of type +``struct uaccess_descriptor`` from the uaccess descriptor address, +which is defined as follows: + +.. code-block:: c + + struct uaccess_descriptor { + uint64_t addr, size; + }; + +This data structure contains the address and size (in array elements) +of a *uaccess buffer*, which is an array of data structures of type +``struct uaccess_buffer_entry``. Before returning to userspace, the +kernel will log information about uaccesses to sequential entries +in the uaccess buffer. It will also store ``NULL`` to the uaccess +descriptor address, and store the address and size of the unused +portion of the uaccess buffer to the uaccess descriptor. + +The format of a uaccess buffer entry is defined as follows: + +.. code-block:: c + + struct uaccess_buffer_entry { + uint64_t addr, size, flags; + }; + +``addr`` and ``size`` contain the address and size of the user memory +access. On arm64, tag bits are preserved in the ``addr`` field. There +is currently one flag bit assignment for the ``flags`` field: + +.. code-block:: c + + #define UACCESS_BUFFER_FLAG_WRITE 1 + +This flag is set if the access was a write, or clear if it was a +read. The meaning of all other flag bits is reserved. + +When entering the kernel with a non-zero uaccess descriptor +address for a reason other than a syscall (for example, when +IPI'd due to an incoming asynchronous signal), any signals other +than ``SIGKILL`` and ``SIGSTOP`` are masked as if by calling +``sigprocmask(SIG_SETMASK, set, NULL)`` where ``set`` has been +initialized with ``sigfillset(set)``. This is to prevent incoming +signals from interfering with uaccess logging. + +Example +------- + +Here is an example of a code snippet that will enumerate the accesses +performed by a ``uname(2)`` syscall: + +.. code-block:: c + + struct uaccess_buffer_entry entries[64]; + struct uaccess_descriptor desc; + uint64_t desc_addr = 0; + prctl(PR_SET_UACCESS_DESCRIPTOR_ADDR_ADDR, &desc_addr, 0, 0, 0); + + desc.addr = (uint64_t)&entries; + desc.size = 64; + desc_addr = (uint64_t)&desc; + + struct utsname un; + uname(&un); + + struct uaccess_buffer_entry* entries_end = (struct uaccess_buffer_entry*)desc.addr; + for (struct uaccess_buffer_entry* entry = entries; entry != entries_end; ++entry) { + printf("%s at 0x%lx size 0x%lx\n", entry->flags & UACCESS_BUFFER_FLAG_WRITE ? "WRITE" : "READ", + (unsigned long)entry->addr, (unsigned long)entry->size); + } + +Limitations +----------- + +This feature is currently only supported on the arm64, s390 and x86 +architectures. + +Uaccess buffers are a "best-effort" mechanism for logging uaccesses. Of +course, not all of the accesses may fit in the buffer, but aside from +that, not all internal kernel APIs that access userspace memory are +covered. Therefore, userspace programs should tolerate unreported +accesses. + +On the other hand, the kernel guarantees that it will not +(intentionally) report accessing more data than it is specified +to read. For example, if the kernel implements a syscall that is +specified to read a data structure of size ``N`` bytes by first +reading a page's worth of data and then only using the first ``N`` +bytes from it, the kernel will either report reading ``N`` bytes or +not report the access at all.