From: will.deacon@arm•com (Will Deacon)
To: linux-arm-kernel@lists•infradead.org
Subject: [PATCH 9/9] ARM: software-based priviledged-no-access support
Date: Tue, 25 Aug 2015 15:05:52 +0100 [thread overview]
Message-ID: <20150825140552.GH21300@arm.com> (raw)
In-Reply-To: <E1ZSmQG-0002za-E3@rmk-PC.arm.linux.org.uk>
On Fri, Aug 21, 2015 at 02:31:56PM +0100, Russell King wrote:
> Provide a software-based implementation of the priviledged no access
> support found in ARMv8.1.
>
> Userspace pages are mapped using a different domain number from the
> kernel and IO mappings. If we switch the user domain to "no access"
> when we enter the kernel, we can prevent the kernel from touching
> userspace.
>
> However, the kernel needs to be able to access userspace via the
> various user accessor functions. With the wrapping in the previous
> patch, we can temporarily enable access when the kernel needs user
> access, and re-disable it afterwards.
>
> This allows us to trap non-intended accesses to userspace, eg, caused
> by an inadvertent dereference of the LIST_POISON* values, which, with
> appropriate user mappings setup, can be made to succeed. This in turn
> can allow use-after-free bugs to be further exploited than would
> otherwise be possible.
>
> Signed-off-by: Russell King <rmk+kernel@arm•linux.org.uk>
> ---
> arch/arm/Kconfig | 15 +++++++++++++++
> arch/arm/include/asm/domain.h | 15 ++++++++++++---
> arch/arm/include/asm/uaccess.h | 14 ++++++++++++++
> arch/arm/kernel/entry-header.S | 25 +++++++++++++++++++++++++
> arch/arm/kernel/process.c | 24 ++++++++++++++++++------
> 5 files changed, 84 insertions(+), 9 deletions(-)
[...]
> diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
> index 3aa6c3742182..bec7ee0764e1 100644
> --- a/arch/arm/kernel/entry-header.S
> +++ b/arch/arm/kernel/entry-header.S
> @@ -54,15 +54,40 @@
> .endm
>
> .macro uaccess_disable, tmp
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> + /*
> + * Whenever we re-enter userspace, the domains should always be
> + * set appropriately.
> + */
> + mov \tmp, #DACR_UACCESS_DISABLE
> + mcr p15, 0, \tmp, c3, c0, 0 @ Set domain register
> +#endif
Missing ISB?
> .endm
>
> .macro uaccess_enable, tmp
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> + /*
> + * Whenever we re-enter userspace, the domains should always be
> + * set appropriately.
> + */
> + mov \tmp, #DACR_UACCESS_ENABLE
> + mcr p15, 0, \tmp, c3, c0, 0
> +#endif
> .endm
>
> .macro uaccess_save_and_disable, tmp
> +#ifdef CONFIG_CPU_SW_DOMAIN_PAN
> + mrc p15, 0, \tmp, c3, c0, 0
> + str \tmp, [sp, #S_FRAME_SIZE]
> +#endif
> + uaccess_disable \tmp
> .endm
Same here. For the enable/restore cases, the exception return will
synchronise the DACR for us, but I think we need the ISB to be sure that
the change has taken effect on the exception entry paths.
Will
next prev parent reply other threads:[~2015-08-25 14:05 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-18 21:42 Prevent list poison values from being mapped by userspace processes Jeffrey Vander Stoep
2015-08-21 13:30 ` Russell King - ARM Linux
2015-08-21 13:31 ` [PATCH 1/9] ARM: domains: switch to keeping domain value in register Russell King
2015-08-21 13:31 ` [PATCH 2/9] ARM: domains: provide domain_mask() Russell King
2015-08-21 13:31 ` [PATCH 3/9] ARM: domains: move initial domain setting value to asm/domains.h Russell King
2015-08-21 13:31 ` [PATCH 4/9] ARM: domains: get rid of manager mode for user domain Russell King
2015-08-21 13:31 ` [PATCH 5/9] ARM: domains: keep vectors in separate domain Russell King
2015-08-21 13:31 ` [PATCH 6/9] ARM: domains: remove DOMAIN_TABLE Russell King
2015-08-21 13:31 ` [PATCH 7/9] ARM: uaccess: provide uaccess_save_and_enable() and uaccess_restore() Russell King
2015-08-21 13:31 ` [PATCH 8/9] ARM: entry: provide uaccess assembly macro hooks Russell King
2015-08-27 21:40 ` Stephen Boyd
2015-08-21 13:31 ` [PATCH 9/9] ARM: software-based priviledged-no-access support Russell King
2015-08-25 10:32 ` Geert Uytterhoeven
2015-08-25 10:44 ` Russell King - ARM Linux
2015-08-25 11:21 ` Geert Uytterhoeven
2015-08-25 12:38 ` Russell King - ARM Linux
2015-08-25 12:47 ` Geert Uytterhoeven
2015-08-25 13:55 ` Nicolas Schichan
2015-08-25 14:05 ` Will Deacon [this message]
2015-08-21 13:46 ` [PATCH 0/4] Efficiency cleanups Russell King - ARM Linux
2015-08-21 13:48 ` [PATCH 1/4] ARM: uaccess: simplify user access assembly Russell King
2015-08-21 13:48 ` [PATCH 2/4] ARM: entry: get rid of asm_trace_hardirqs_on_cond Russell King
2015-08-21 13:48 ` [PATCH 3/4] ARM: entry: efficiency cleanups Russell King
2015-08-21 13:48 ` [PATCH 4/4] ARM: entry: ensure that IRQs are enabled when calling syscall_trace_exit() Russell King
2015-08-24 14:36 ` [PATCH 0/4] Efficiency cleanups Will Deacon
2015-08-24 15:00 ` Russell King - ARM Linux
2015-08-21 17:32 ` Prevent list poison values from being mapped by userspace processes Catalin Marinas
2015-08-24 12:06 ` Russell King - ARM Linux
2015-08-24 13:05 ` Nicolas Schichan
2015-08-25 8:15 ` Russell King - ARM Linux
2015-08-25 13:17 ` Nicolas Schichan
2015-08-24 18:06 ` Kees Cook
2015-08-24 18:47 ` Russell King - ARM Linux
2015-08-24 18:51 ` Kees Cook
2015-08-24 19:14 ` Russell King - ARM Linux
2015-08-24 19:22 ` Kees Cook
2015-08-24 19:32 ` Russell King - ARM Linux
2015-08-24 22:01 ` Kees Cook
2015-08-26 20:34 ` Russell King - ARM Linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150825140552.GH21300@arm.com \
--to=will.deacon@arm$(echo .)com \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox