Hi, On 1/30/2024 7:50 AM, Sohil Mehta wrote: > Hi Hou Tao, > > I agree to your approach in this patch. Please see some comments below. > > On 1/26/2024 3:54 AM, Hou Tao wrote: >> From: Hou Tao <houtao1@xxxxxxxxxx> >> >> When trying to use copy_from_kernel_nofault() to read vsyscall page >> through a bpf program, the following oops was reported: [SNIP] >> It seems the occurrence of oops depends on SMAP feature of CPU. It >> happens as follow: a bpf program uses bpf_probe_read_kernel() to read >> from vsyscall page, bpf_probe_read_kernel() invokes >> copy_from_kernel_nofault() in turn and then invokes __get_user_asm(). >> Because the vsyscall page address is not readable for kernel space, >> a page fault exception is triggered accordingly, handle_page_fault() >> considers the vsyscall page address as a userspace address instead of a >> kernel space address, so the fix-up set-up by bpf isn't applied. Because >> the CPU has SMAP feature and the access happens in kernel mode, so >> page_fault_oops() is invoked and an oops happens. If these is no SMAP >> feature, the fix-up set-up by bpf will be applied and >> copy_from_kernel_nofault() will return -EFAULT instead. >> > I find this paragraph to be a bit hard to follow. I think we can > minimize the reference to SMAP here since it is only helping detect > cross address space accesses. How about something like the following: > > The oops is triggered when: > > 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall > page and invokes copy_from_kernel_nofault() which in turn calls > __get_user_asm(). > > 2) Because the vsyscall page address is not readable from kernel space, > a page fault exception is triggered accordingly. > > 3) handle_page_fault() considers the vsyscall page address as a user > space address instead of a kernel space address. This results in the > fix-up setup by bpf not being applied and a page_fault_oops() is invoked > due to SMAP. Thanks for the rephrasing. It is much better now. >> Considering handle_page_fault() has already considered the vsyscall page >> address as a userspace address, fix the problem by disallowing vsyscall >> page read for copy_from_kernel_nofault(). >> > I agree, following the same approach as handle_page_fault() seems > reasonable. > >> Originally-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> >> Reported-by: syzbot+72aa0161922eba61b50e@xxxxxxxxxxxxxxxxxxxxxxxxx >> Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@xxxxxxxxxxxxxx >> Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> >> Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@xxxxxxxxxxxxxx >> Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx> >> --- >> arch/x86/mm/maccess.c | 9 +++++++++ >> 1 file changed, 9 insertions(+) >> >> diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c >> index 6993f026adec9..d9272e1db5224 100644 >> --- a/arch/x86/mm/maccess.c >> +++ b/arch/x86/mm/maccess.c >> @@ -3,6 +3,8 @@ >> #include <linux/uaccess.h> >> #include <linux/kernel.h> >> >> +#include <asm/vsyscall.h> >> + >> #ifdef CONFIG_X86_64 >> bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) >> { >> @@ -15,6 +17,13 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) >> if (vaddr < TASK_SIZE_MAX + PAGE_SIZE) >> return false; >> >> + /* Also consider the vsyscall page as userspace address. Otherwise, >> + * reading the vsyscall page in copy_from_kernel_nofault() may >> + * trigger an oops due to an unhandled page fault. >> + */ > x86 prefers a slightly different style for multi-line comments. Please > refer to https://docs.kernel.org/process/maintainer-tip.html#comment-style. I see. Will update. > > How about rewording the above as: > > /* > * Reading from the vsyscall page may cause an unhandled fault in > * certain cases. Though it is at an address above TASK_SIZE_MAX, it is > * usually considered as a user space address. > */ Thanks for the rewording. Will do in v3. > >> + if (is_vsyscall_vaddr(vaddr)) >> + return false; >> + > It would have been convenient if we had a common check for whether a > particular address is a kernel address or not. fault_in_kernel_space() > serves that purpose to an extent in other places. > > I thought we could rename fault_in_kernel_space() to > vaddr_in_kernel_space() and use it here. But the check in > copy_from_kernel_nofault_allowed() includes the user guard page as well. > So the checks wouldn't exactly be the same. > > I am unsure of the implications if we get rid of that difference. Maybe > we can leave it as-is for now unless someone else chimes in. There is other difference between fault_in_kernel_space() and copy_from_kernel_nofault_allowed(). fault_in_kernel_space() uses address >= TASK_SIZE_MAX to check the kernel space address, but copy_from_kernel_nofault_allowed() uses vaddr >= TASK_SIZE_MAX + PAGE_SIZE to check the kernel space address, so I prefer to keep it as-is. > > Sohil
