On Thu, May 11, 2017 at 10:28 PM, Martin Schwidefsky <schwidefsky@xxxxxxxxxx> wrote: > On Thu, 11 May 2017 16:44:07 -0700 > Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > >> On Thu, May 11, 2017 at 4:17 PM, Thomas Garnier <thgarnie@xxxxxxxxxx> wrote: >> > >> > Ingo: Do you want the change as-is? Would you like it to be optional? >> > What do you think? >> >> I'm not ingo, but I don't like that patch. It's in the wrong place - >> that system call return code is too timing-critical to add address >> limit checks. >> >> Now what I think you *could* do is: >> >> - make "set_fs()" actually set a work flag in the current thread flags >> >> - do the test in the slow-path (syscall_return_slowpath). >> >> Yes, yes, that ends up being architecture-specific, but it's fairly simple. >> >> And it only slows down the system calls that actually use "set_fs()". >> Sure, it will slow those down a fair amount, but they are hopefully a >> small subset of all cases. >> >> How does that sound to people? Thats' where we currently do that >> >> if (IS_ENABLED(CONFIG_PROVE_LOCKING) && >> WARN(irqs_disabled(), "syscall %ld left IRQs disabled", >> regs->orig_ax)) >> local_irq_enable(); >> >> check too, which is a fairly similar issue. > > This is exactly what Heiko did for the s390 backend as a result of this > discussion. See the _CIF_ASCE_SECONDARY bit in arch/s390/kernel/entry.S, > for the hot patch the check for the bit is included in the general > _CIF_WORK test. Only the slow patch gets a bit slower. > > git commit b5a882fcf146c87cb6b67c6df353e1c042b8773d > "s390: restore address space when returning to user space". If I'm understanding this, it won't catch corruption of addr_limit during fast-path syscalls, though (i.e. addr_limit changed without a call to set_fs()). :( This addr_limit corruption is mostly only a risk archs without THREAD_INFO_IN_TASK, but it would still be nice to catch unbalanced set_fs() code, so I like the idea. I like getting rid of addr_limit entirely even more, but that'll take some time. :) -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
