Hi,
This series switches all uaccess routines to operate directly on the
user-provided capability pointer in PCuABI, instead of making the access
via the extracted 64-bit address. This means that all forms of uaccess
now enforce the capability metadata, through the use of capability-based
loads and stores, and will fail with -EFAULT following a failed
(hardware) capability check. The impacted routines are:
- *get_user* (including get_user_ptr)
- *put_user* (including put_user_ptr)
- *copy_from_user* (including copy_from_user_with_ptr)
- *copy_to_user* (including copy_to_user_with_ptr)
(Note that futex operations are already checked thanks to Luca's work [1].)
Enabling capability checks in uaccess exposed a variety of issues, both
in the kernel and in userspace. This series addresses the fallout in the
kernel before making the switch:
- Patch 1-3 overhaul strnlen_user() to prevent it from reading
beyond the bounds of the user pointer, while leaving its
implementation unchanged in !PCuABI.
- Patch 4-6 fixes various capability propagation issues (surprisingly
few of those!).
- Patch 7 fixes a bug in a Morello kselftest, detected through
capability checking in copy_from_user().
Finally, the switch to capability-based accesses is made:
- Patch 8-10 switch {get,put}_user and variants.
- Patch 11-12 switch copy_{from,to}_user and variants.
After this series, the Morello kselftests and Musl tests still pass, and
so do the liburing tests, however the LTP syscalls suite doesn't because
of various issues in LTP itself. I have addressed a number of them
upstream [2] (series already merged), and will post the remaining fixes
to linux-morello-ltp.
Because this precise uaccess checking cannot be achieved with most
existing sanitisers or hardware memory safety mechanisms, further bugs
are likely to be identified in low-level libraries and test suites
running in purecap (I have spotted a couple in the Bionic tests).
Issue:
https://git.morello-project.org/morello/kernel/linux/-/issues/5
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/commits/morello/checked_uaccess
Cheers,
Kevin
[1] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/thread/POYDKHDG7WFASYXE55RX4QWPMOPX6F23/
[2] https://lore.kernel.org/ltp/20231023135647.2157030-1-kevin.brodsky@arm.com/
Kevin Brodsky (12):
linux/user_ptr.h: Introduce user_ptr_{base,limit}
lib: Refactor do_strnlen_user()
lib: Make strnlen_user() PCuABI-friendly
block: Eliminate invalid user pointer casts
tty: Convert another ioctl helper to take arg as user_uintptr_t
seccomp: Preserve pointers when reading sock_fprog from userspace
kselftests/arm64: morello: Fix message size in mmap test
arm64: morello: Implement user capability accessors inline
arm64: uaccess: Move macros from futex.h to uaccess.h
arm64: uaccess: Switch to capability-based {get,put}_user in PCuABI
arm64: lib: Simplify copy_*_user register allocation
arm64: lib: Switch to capability-based copy_*_user in PCuABI
Documentation/core-api/user_ptr.rst | 13 ++
arch/arm64/include/asm/assembler.h | 8 +
arch/arm64/include/asm/futex.h | 20 +--
arch/arm64/include/asm/gpr-num.h | 6 +-
arch/arm64/include/asm/morello.h | 4 -
arch/arm64/include/asm/uaccess.h | 49 +++++-
arch/arm64/lib/copy_from_user.S | 33 +++-
arch/arm64/lib/copy_template.S | 14 +-
arch/arm64/lib/copy_to_user.S | 17 +-
arch/arm64/lib/morello.S | 23 ---
block/blk-zoned.c | 6 +-
block/ioctl.c | 22 +--
drivers/tty/tty_ioctl.c | 2 +-
include/linux/blkdev.h | 8 +-
include/linux/tty.h | 2 +-
include/linux/user_ptr.h | 44 +++++
kernel/seccomp.c | 2 +-
lib/strnlen_user.c | 163 +++++++++++++++----
tools/testing/selftests/arm64/morello/mmap.c | 2 +-
19 files changed, 319 insertions(+), 119 deletions(-)