13 Aug, 2020
1 commit
-
Add helpers to wrap the get_fs/set_fs magic for undoing any damange done
by set_fs(KERNEL_DS). There is no real functional benefit, but this
documents the intent of these calls better, and will allow stubbing the
functions out easily for kernels builds that do not allow address space
overrides in the future.[hch@lst.de: drop two incorrect hunks, fix a commit log typo]
Link: http://lkml.kernel.org/r/20200714105505.935079-6-hch@lst.deSigned-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Acked-by: Linus Torvalds
Acked-by: Mark Rutland
Acked-by: Greentime Hu
Acked-by: Geert Uytterhoeven
Cc: Nick Hu
Cc: Vincent Chen
Cc: Paul Walmsley
Cc: Palmer Dabbelt
Link: http://lkml.kernel.org/r/20200710135706.537715-6-hch@lst.de
Signed-off-by: Linus Torvalds
18 Jun, 2020
2 commits
-
Better describe what these functions do.
Suggested-by: Linus Torvalds
Signed-off-by: Christoph Hellwig
Signed-off-by: Linus Torvalds -
Better describe what these functions do.
Suggested-by: Linus Torvalds
Signed-off-by: Christoph Hellwig
Signed-off-by: Linus Torvalds
10 Jun, 2020
15 commits
-
Allow the callers to distinguish a real unmapped address vs a range
that can't be probed.Suggested-by: Masami Hiramatsu
Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Reviewed-by: Masami Hiramatsu
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-24-hch@lst.de
Signed-off-by: Linus Torvalds -
Provide alternative versions of probe_kernel_read, probe_kernel_write
and strncpy_from_kernel_unsafe that don't need set_fs magic, but instead
use arch hooks that are modelled after unsafe_{get,put}_user to access
kernel memory in an exception safe way.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-19-hch@lst.de
Signed-off-by: Linus Torvalds -
Move kernel access vs user access routines together to ease upcoming
ifdefs.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-18-hch@lst.de
Signed-off-by: Linus Torvalds -
Except for historical confusion in the kprobes/uprobes and bpf tracers,
which has been fixed now, there is no good reason to ever allow user
memory accesses from probe_kernel_read. Switch probe_kernel_read to only
read from kernel memory.[akpm@linux-foundation.org: update it for "mm, dump_page(): do not crash with invalid mapping pointer"]
Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-17-hch@lst.de
Signed-off-by: Linus Torvalds -
All users are gone now.
Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-16-hch@lst.de
Signed-off-by: Linus Torvalds -
Currently architectures have to override every routine that probes
kernel memory, which includes a pure read and strcpy, both in strict
and not strict variants. Just provide a single arch hooks instead to
make sure all architectures cover all the cases.[akpm@linux-foundation.org: fix !CONFIG_X86_64 build]
Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-11-hch@lst.de
Signed-off-by: Linus Torvalds -
Each of the helpers has just two callers, which also different in
dealing with kernel or userspace pointers. Just open code the logic
in the callers.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-10-hch@lst.de
Signed-off-by: Linus Torvalds -
This matches the naming of strnlen_user, and also makes it more clear
what the function is supposed to do.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-9-hch@lst.de
Signed-off-by: Linus Torvalds -
This matches the naming of strncpy_from_user_nofault, and also makes it
more clear what the function is supposed to do.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-8-hch@lst.de
Signed-off-by: Linus Torvalds -
This matches the naming of strncpy_from_user, and also makes it more
clear what the function is supposed to do.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-7-hch@lst.de
Signed-off-by: Linus Torvalds -
This file now also contains several helpers for accessing user memory.
Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-6-hch@lst.de
Signed-off-by: Linus Torvalds -
Add proper kerneldoc comments for probe_kernel_read_strict and
probe_kernel_read strncpy_from_unsafe_strict and explain the different
versus the non-strict version.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-5-hch@lst.de
Signed-off-by: Linus Torvalds -
maccess tends to define lots of underscore prefixed symbols that then
have other weak aliases. But except for two cases they are never
actually used, so remove them.Signed-off-by: Christoph Hellwig
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Masami Hiramatsu
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-3-hch@lst.de
Signed-off-by: Linus Torvalds -
Patch series "clean up and streamline probe_kernel_* and friends", v4.
This series start cleaning up the safe kernel and user memory probing
helpers in mm/maccess.c, and then allows architectures to implement the
kernel probing without overriding the address space limit and temporarily
allowing access to user memory. It then switches x86 over to this new
mechanism by reusing the unsafe_* uaccess logic.This version also switches to the saner copy_{from,to}_kernel_nofault
naming suggested by Linus.I kept the x86 helpers as-is without calling unsage_{get,put}_user as that
avoids a number of hard to trace casts, and it will still work with the
asm-goto based version easily.This patch (of 20):
probe_kernel_write() is not used by any modular code.
[sfr@canb.auug.org.au: turns out that probe_user_write is used in modular code]
Link: http://lkml.kernel.org/r/20200602195741.4faaa348@canb.auug.org.auSigned-off-by: Christoph Hellwig
Signed-off-by: Stephen Rothwell
Signed-off-by: Andrew Morton
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Masami Hiramatsu
Cc: Ingo Molnar
Cc: "H. Peter Anvin"
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20200521152301.2587579-1-hch@lst.de
Link: http://lkml.kernel.org/r/20200521152301.2587579-2-hch@lst.de
Signed-off-by: Linus Torvalds -
Convert comments that reference mmap_sem to reference mmap_lock instead.
[akpm@linux-foundation.org: fix up linux-next leftovers]
[akpm@linux-foundation.org: s/lockaphore/lock/, per Vlastimil]
[akpm@linux-foundation.org: more linux-next fixups, per Michel]Signed-off-by: Michel Lespinasse
Signed-off-by: Andrew Morton
Reviewed-by: Vlastimil Babka
Reviewed-by: Daniel Jordan
Cc: Davidlohr Bueso
Cc: David Rientjes
Cc: Hugh Dickins
Cc: Jason Gunthorpe
Cc: Jerome Glisse
Cc: John Hubbard
Cc: Laurent Dufour
Cc: Liam Howlett
Cc: Matthew Wilcox
Cc: Peter Zijlstra
Cc: Ying Han
Link: http://lkml.kernel.org/r/20200520052908.204642-13-walken@google.com
Signed-off-by: Linus Torvalds
03 Nov, 2019
2 commits
-
Add two new probe_kernel_read_strict() and strncpy_from_unsafe_strict()
helpers which by default alias to the __probe_kernel_read() and the
__strncpy_from_unsafe(), respectively, but can be overridden by archs
which have non-overlapping address ranges for kernel space and user
space in order to bail out with -EFAULT when attempting to probe user
memory including non-canonical user access addresses [0]:4-level page tables:
user-space mem: 0x0000000000000000 - 0x00007fffffffffff
non-canonical: 0x0000800000000000 - 0xffff7fffffffffff5-level page tables:
user-space mem: 0x0000000000000000 - 0x00ffffffffffffff
non-canonical: 0x0100000000000000 - 0xfeffffffffffffffThe idea is that these helpers are complementary to the probe_user_read()
and strncpy_from_unsafe_user() which probe user-only memory. Both added
helpers here do the same, but for kernel-only addresses.Both set of helpers are going to be used for BPF tracing. They also
explicitly avoid throwing the splat for non-canonical user addresses from
00c42373d397 ("x86-64: add warning for non-canonical user access address
dereferences").For compat, the current probe_kernel_read() and strncpy_from_unsafe() are
left as-is.[0] Documentation/x86/x86_64/mm.txt
Signed-off-by: Daniel Borkmann
Signed-off-by: Alexei Starovoitov
Cc: Linus Torvalds
Cc: Masami Hiramatsu
Cc: x86@kernel.org
Link: https://lore.kernel.org/bpf/eefeefd769aa5a013531f491a71f0936779e916b.1572649915.git.daniel@iogearbox.net -
Commit 3d7081822f7f ("uaccess: Add non-pagefault user-space read functions")
missed to add probe write function, therefore factor out a probe_write_common()
helper with most logic of probe_kernel_write() except setting KERNEL_DS, and
add a new probe_user_write() helper so it can be used from BPF side.Again, on some archs, the user address space and kernel address space can
co-exist and be overlapping, so in such case, setting KERNEL_DS would mean
that the given address is treated as being in kernel address space.Signed-off-by: Daniel Borkmann
Signed-off-by: Alexei Starovoitov
Acked-by: Andrii Nakryiko
Cc: Masami Hiramatsu
Link: https://lore.kernel.org/bpf/9df2542e68141bfa3addde631441ee45503856a8.1572649915.git.daniel@iogearbox.net
19 Jul, 2019
1 commit
-
Pull tracing updates from Steven Rostedt:
"The main changes in this release include:- Add user space specific memory reading for kprobes
- Allow kprobes to be executed earlier in boot
The rest are mostly just various clean ups and small fixes"
* tag 'trace-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: (33 commits)
tracing: Make trace_get_fields() global
tracing: Let filter_assign_type() detect FILTER_PTR_STRING
tracing: Pass type into tracing_generic_entry_update()
ftrace/selftest: Test if set_event/ftrace_pid exists before writing
ftrace/selftests: Return the skip code when tracing directory not configured in kernel
tracing/kprobe: Check registered state using kprobe
tracing/probe: Add trace_event_call accesses APIs
tracing/probe: Add probe event name and group name accesses APIs
tracing/probe: Add trace flag access APIs for trace_probe
tracing/probe: Add trace_event_file access APIs for trace_probe
tracing/probe: Add trace_event_call register API for trace_probe
tracing/probe: Add trace_probe init and free functions
tracing/uprobe: Set print format when parsing command
tracing/kprobe: Set print format right after parsed command
kprobes: Fix to init kprobes in subsys_initcall
tracepoint: Use struct_size() in kmalloc()
ring-buffer: Remove HAVE_64BIT_ALIGNED_ACCESS
ftrace: Enable trampoline when rec count returns back to one
tracing/kprobe: Do not run kprobe boot tests if kprobe_event is on cmdline
tracing: Make a separate config for trace event self tests
...
26 May, 2019
1 commit
-
Add probe_user_read(), strncpy_from_unsafe_user() and
strnlen_unsafe_user() which allows caller to access user-space
in IRQ context.Current probe_kernel_read() and strncpy_from_unsafe() are
not available for user-space memory, because it sets
KERNEL_DS while accessing data. On some arch, user address
space and kernel address space can be co-exist, but others
can not. In that case, setting KERNEL_DS means given
address is treated as a kernel address space.
Also strnlen_user() is only available from user context since
it can sleep if pagefault is enabled.To access user-space memory without pagefault, we need
these new functions which sets USER_DS while accessing
the data.Link: http://lkml.kernel.org/r/155789869802.26965.4940338412595759063.stgit@devnote2
Acked-by: Ingo Molnar
Signed-off-by: Masami Hiramatsu
Signed-off-by: Steven Rostedt (VMware)
21 May, 2019
1 commit
-
Add SPDX license identifiers to all files which:
- Have no license information of any form
- Have EXPORT_.*_SYMBOL_GPL inside which was used in the
initial scan/conversion to ignore the fileThese files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:GPL-2.0-only
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman
26 Feb, 2019
1 commit
-
This reverts commit 9da3f2b74054406f87dff7101a569217ffceb29b.
It was well-intentioned, but wrong. Overriding the exception tables for
instructions for random reasons is just wrong, and that is what the new
code did.It caused problems for tracing, and it caused problems for strncpy_from_user(),
because the new checks made perfectly valid use cases break, rather than
catch things that did bad things.Unchecked user space accesses are a problem, but that's not a reason to
add invalid checks that then people have to work around with silly flags
(in this case, that 'kernel_uaccess_faults_ok' flag, which is just an
odd way to say "this commit was wrong" and was sprinked into random
places to hide the wrongness).The real fix to unchecked user space accesses is to get rid of the
special "let's not check __get_user() and __put_user() at all" logic.
Make __{get|put}_user() be just aliases to the regular {get|put}_user()
functions, and make it impossible to access user space without having
the proper checks in places.The raison d'être of the special double-underscore versions used to be
that the range check was expensive, and if you did multiple user
accesses, you'd do the range check up front (like the signal frame
handling code, for example). But SMAP (on x86) and PAN (on ARM) have
made that optimization pointless, because the _real_ expense is the "set
CPU flag to allow user space access".Do let's not break the valid cases to catch invalid cases that shouldn't
even exist.Cc: Thomas Gleixner
Cc: Kees Cook
Cc: Tobin C. Harding
Cc: Borislav Petkov
Cc: Peter Zijlstra
Cc: Andy Lutomirski
Cc: Jann Horn
Signed-off-by: Linus Torvalds
03 Sep, 2018
1 commit
-
There have been multiple kernel vulnerabilities that permitted userspace to
pass completely unchecked pointers through to userspace accessors:- the waitid() bug - commit 96ca579a1ecc ("waitid(): Add missing
access_ok() checks")
- the sg/bsg read/write APIs
- the infiniband read/write APIsThese don't happen all that often, but when they do happen, it is hard to
test for them properly; and it is probably also hard to discover them with
fuzzing. Even when an unmapped kernel address is supplied to such buggy
code, it just returns -EFAULT instead of doing a proper BUG() or at least
WARN().Try to make such misbehaving code a bit more visible by refusing to do a
fixup in the pagefault handler code when a userspace accessor causes a #PF
on a kernel address and the current context isn't whitelisted.Signed-off-by: Jann Horn
Signed-off-by: Thomas Gleixner
Tested-by: Kees Cook
Cc: Andy Lutomirski
Cc: kernel-hardening@lists.openwall.com
Cc: dvyukov@google.com
Cc: Masami Hiramatsu
Cc: "Naveen N. Rao"
Cc: Anil S Keshavamurthy
Cc: "David S. Miller"
Cc: Alexander Viro
Cc: linux-fsdevel@vger.kernel.org
Cc: Borislav Petkov
Link: https://lkml.kernel.org/r/20180828201421.157735-7-jannh@google.com
07 Feb, 2018
1 commit
-
There are several places where parameter descriptions do no match the
actual code. Fix it.Link: http://lkml.kernel.org/r/1516700871-22279-3-git-send-email-rppt@linux.vnet.ibm.com
Signed-off-by: Mike Rapoport
Cc: Jonathan Corbet
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
23 May, 2016
1 commit
-
I'm looking at trying to possibly merge the 32-bit and 64-bit versions
of the x86 uaccess.h implementation, but first this needs to be cleaned
up.For example, the 32-bit version of "__copy_from_user_inatomic()" is
mostly the special cases for the constant size, and it's actually almost
never relevant. Most users aren't actually using a constant size
anyway, and the few cases that do small constant copies are better off
just using __get_user() instead.So get rid of the unnecessary complexity.
Signed-off-by: Linus Torvalds
06 Nov, 2015
2 commits
-
As far as I can tell, strncpy_from_unsafe never returns -EFAULT. ret is
the result of a __copy_from_user_inatomic(), which is 0 for success and
positive (in this case necessarily 1) for access error - it is never
negative. So we were always returning the length of the, possibly
truncated, destination string.Signed-off-by: Rasmus Villemoes
Acked-by: Alexei Starovoitov
Cc: Masami Hiramatsu
Cc: Namhyung Kim
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
probe_kernel_address() is basically the same as the (later added)
probe_kernel_read().The return value on EFAULT is a bit different: probe_kernel_address()
returns number-of-bytes-not-copied whereas probe_kernel_read() returns
-EFAULT. All callers have been checked, none cared.probe_kernel_read() can be overridden by the architecture whereas
probe_kernel_address() cannot. parisc, blackfin and um do this, to insert
additional checking. Hence this patch possibly fixes obscure bugs,
although there are only two probe_kernel_address() callsites outside
arch/.My first attempt involved removing probe_kernel_address() entirely and
converting all callsites to use probe_kernel_read() directly, but that got
tiresome.This patch shrinks mm/slab_common.o by 218 bytes. For a single
probe_kernel_address() callsite.Cc: Steven Miao
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: "James E.J. Bottomley"
Cc: Helge Deller
Cc: Ingo Molnar
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
01 Sep, 2015
1 commit
-
To fix build errors:
kernel/built-in.o: In function `bpf_trace_printk':
bpf_trace.c:(.text+0x11a254): undefined reference to `strncpy_from_unsafe'
kernel/built-in.o: In function `fetch_memory_string':
trace_kprobe.c:(.text+0x11acf8): undefined reference to `strncpy_from_unsafe'move strncpy_from_unsafe() next to probe_kernel_read/write()
which use the same memory access style.Reported-by: Fengguang Wu
Reported-by: Guenter Roeck
Fixes: 1a6877b9c0c2 ("lib: introduce strncpy_from_unsafe()")
Signed-off-by: Alexei Starovoitov
Signed-off-by: David S. Miller
31 Oct, 2011
1 commit
-
The files changed within are only using the EXPORT_SYMBOL
macro variants. They are not using core modular infrastructure
and hence don't need module.h but only the export.h header.Signed-off-by: Paul Gortmaker
26 May, 2011
1 commit
-
The functions probe_kernel_write() and probe_kernel_read() do not modify
the src pointer. Allow const pointers to be passed in without the need
of a typecast.Acked-by: Mike Frysinger
Acked-by: Heiko Carstens
Acked-by: Martin Schwidefsky
Signed-off-by: Steven Rostedt
Link: http://lkml.kernel.org/r/1305824936.1465.4.camel@gandalf.stny.rr.com
28 Oct, 2010
1 commit
-
Save the current exception frame pointer in the thread_info struct rather than
in a global variable as the latter makes SMP tricky, especially when preemption
is also enabled.This also replaces __frame with current_frame() and rearranges header file
inclusions to make it all compile.Signed-off-by: David Howells
Acked-by: Akira Takeuchi
08 Jan, 2010
1 commit
-
Some archs such as blackfin, would like to have an arch specific
probe_kernel_read() and probe_kernel_write() implementation which can
fall back to the generic implementation if no special operations are
needed.CC: Thomas Gleixner
CC: Ingo Molnar
Signed-off-by: Jason Wessel
Signed-off-by: Mike Frysinger
12 Jun, 2009
1 commit
-
probe_kernel_write() gets used to write to the kernel address space.
E.g. to patch the kernel (kgdb, ftrace, kprobes...). Some architectures
however enable write protection for the kernel text section, so that
writes to this region would fault.
This patch allows to specify an architecture specific version of
probe_kernel_write() which allows to handle and bypass write protection
of the text segment.
That way it is still possible to catch random writes to kernel text
and explicitly allow writes via this interface.Signed-off-by: Heiko Carstens
Signed-off-by: Martin Schwidefsky
18 Apr, 2008
2 commits
-
Fix two regressions dealing with the kgdb core.
1) kgdb_skipexception and kgdb_post_primary_code are optional
functions that are only required on archs that need special exception
fixups.2) The kernel address space scope must be set on any probe_kernel_*
function or archs such as ARCH=arm will not allow access to the kernel
memory space. As an example, it is required to allow the full kernel
address space is when you the kernel debugger to inspect a system
call.Signed-off-by: Jason Wessel
Signed-off-by: Ingo Molnar -
add probe_kernel_read() and probe_kernel_write().
Uninlined and restricted to kernel range memory only, as suggested
by Linus.Signed-off-by: Ingo Molnar
Reviewed-by: Thomas Gleixner
