From: Al Viro <viro@ZenIV.linux.org.uk>
To: David Miller <davem@redhat.com>
Cc: herbert@gondor.apana.org.au, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, bcrl@kvack.org
Subject: Re: [PATCH 1/4] inet: Add skb_copy_datagram_iter
Date: Fri, 7 Nov 2014 22:11:14 +0000
Message-ID: <20141107221114.GB7996@ZenIV.linux.org.uk>
In-Reply-To: <20141107.164859.951682597018909290.davem@redhat.com>

On Fri, Nov 07, 2014 at 04:48:59PM -0500, David Miller wrote:
> From: Al Viro <viro@ZenIV.linux.org.uk>
> Date: Thu, 6 Nov 2014 03:25:34 +0000
> 
> > OK, I've taken the beginning of the old queue on top of net-next; it's
> > in git://git.kernel.org//pub/scm/linux/kernel/git/viro/vfs.git iov_iter-net.
> 
> What I see in there looks good.   I wonder if we can somehow make msghdr
> pointer args const... but this is not so important now.
> 
> Some minor coding style nits, comments:
> 
> 	/* Like
> 	 * this.
> 	 */
> 
> and for multi-line function calls in the networking, align the second
> and subsequent lines at the first column after the opening parenthesis
> of the first line.

OK...  I played with csum side of things a bit, and I've noticed something
really nasty - iov_iter primitives all assume that iovec has been validated,
_including_ access_ok() on all ranges.  That allows us to use __copy_...()
in primitives, and on the read/write/readv/writev/aio side of things we have
that validation done when we copy iovec from userland (or set a single-element
iovec over the userland-supplied range, as in read(2)/write(2)).

net/* primitives, OTOH, do access_ok() themselves - syscalls do _not_ check
access_ok() on iovec from untrusted source and rely on the low-level stuff
to do such checks.

Result: regular IO syscalls on sockets (i.e. not recvmsg/sendmsg, usual
read/write) do these checks (at least) twice and use of copy_from_iter()
in ->recvmsg() opens quite a nasty hole - one can call recvmsg(2) with
kernel address in ->msg_iov[0].base and have such an instance of ->recvmsg()
stomp on the kernel memory.  At the very least, with Herbert's patches
we need to validate that somewhere on the way to tun and macvtap recvmsg
instances.  We can do that right there, and as a stopgap measure it might
be a good idea.  However, it's not a sane long-term solution.

We could, of course, add those access_ok() in mm/iov_iter.c and drop them
from fs/read_write.c and fs/aio.c, but I really don't see the point - why
not do that along with the checks we do in verify_iovec() anyway?  And drop
them from memcpy_fromiovec() et al.

I'm looking through the tree right now; so far it looks like we can just
move those suckers to the point where we validate iovec and lose them
from low-level iovec and csum copying completely.  I still haven't finished
tracing all possible paths for address to arrive at the points where we
currently check that stuff, but so far it looks very doable.

Comments?
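
A user-space model of the ordering discussed in this message, added here as an illustration and not code from the thread or the kernel: every range is checked once where the iovec is accepted, and the copy primitive does no checking of its own. The `model_*` names, `space[]` and `USER_LIMIT` are assumptions made for the example.

```c
#include <errno.h>
#include <string.h>
/* Constructed model, not kernel code: offsets into space[] stand for
 * addresses; below USER_LIMIT is "userland", the rest is "kernel". */
#define USER_LIMIT 32
static unsigned char space[64];
struct model_iovec { size_t base, len; };

/* Stand-in for access_ok(); base + len is never computed, so no wrap. */
static int model_access_ok(size_t base, size_t len)
{
    return len <= USER_LIMIT && base <= USER_LIMIT - len;
}

/* Stand-in for the iovec validation point: one bad range fails it all. */
static int model_verify_iovec(const struct model_iovec *iov, int n)
{
    for (int i = 0; i < n; i++)
        if (!model_access_ok(iov[i].base, iov[i].len))
            return -EFAULT;
    return 0;
}

/* Stand-in for an iov_iter primitive: copies with no range check. */
static size_t model_copy_to_iter(const struct model_iovec *iov, int n,
                                 const unsigned char *src, size_t bytes)
{
    size_t done = 0;
    for (int i = 0; i < n && done < bytes; i++) {
        size_t chunk = iov[i].len < bytes - done ? iov[i].len : bytes - done;
        memcpy(space + iov[i].base, src + done, chunk);
        done += chunk;
    }
    return done;
}

/* recvmsg-like entry point: verify once at the boundary, then copy. */
static long model_recvmsg(const struct model_iovec *iov, int n,
                          const void *pkt, size_t len)
{
    int err = model_verify_iovec(iov, n);
    return err ? err : (long)model_copy_to_iter(iov, n, pkt, len);
}

int main(void)
{
    struct model_iovec bad = { 40, 8 }; /* constructed: "kernel" range */
    return model_recvmsg(&bad, 1, "AAAAAAAA", 8) == -EFAULT ? 0 : 1;
}
```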
