Catalin, doesn't this mean that access_ok() on arm64 could use untagged_addr(addr) unconditionally without any security risk? On 03/30, Catalin Marinas wrote: > > On Thu, Mar 30, 2023 at 05:21:22PM -0400, Gregory Price wrote: > > diff --git a/kernel/entry/syscall_user_dispatch.c b/kernel/entry/syscall_user_dispatch.c > > index 22396b234854..16086226b41c 100644 > > --- a/kernel/entry/syscall_user_dispatch.c > > +++ b/kernel/entry/syscall_user_dispatch.c > > @@ -87,7 +87,18 @@ static int task_set_syscall_user_dispatch(struct task_struct *task, unsigned lon > > if (offset && offset + len <= offset) > > return -EINVAL; > > > > - if (selector && !access_ok(selector, sizeof(*selector))) > > + /* > > + * access_ok will clear memory tags for tagged addresses on tasks where > > + * memory tagging is enabled. To enable a tracer to set a tracee's > > + * selector not in the same tagging state, the selector address must be > > + * untagged for access_ok, otherwise an untagged tracer will always fail > > + * to set a tagged tracee's selector. > > + * > > + * The result of this is that a tagged tracer may be capable of setting > > + * an invalid address, and the tracee will SIGSEGV on the next syscall. > > + * This is equivalent to a task setting a bad selector (selector=0x1). > > + */ > > I'd drop the last paragraph above. Even without tagged pointers, a tracer > can set an invalid address (as you already mentioned) but the phrasing > some implies (to me) that if we did it differently, the tracer would not be > able to set an invalid pointer. > > Either way, > > Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx> > > -- > Catalin >
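Review bot: the quoted hunk shows the removed `if (selector && !access_ok(selector, sizeof(*selector)))` line and the new comment block, but the replacement check itself is not included in the quote, so a reader of this reply cannot confirm that the untagged selector is still passed through `access_ok()` with `sizeof(*selector)`; the comment should be read together with that line, because untagging the address only makes sense if the range check is then still applied to the untagged value (the `offset + len <= offset` overflow check a few lines above covers the other argument, not the selector). Second, the first paragraph of the comment says `access_ok` "will clear memory tags for tagged addresses on tasks where memory tagging is enabled", which is the reason the check has to untag explicitly for a tracer whose tagging state differs from the tracee's; it would help to say that directly ("access_ok() only strips tags when the current task, i.e. the tracer, has tagging enabled, so untag before checking"), and, as already noted in the thread, drop the last paragraph, since a tracer can set an unusable selector address with or without tags and the SIGSEGV on the tracee's next syscall is the existing behaviour for a bad selector, not something this change introduces.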