From: Al Viro <viro@ZenIV.linux.org.uk>
To: netdev@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
David Miller <davem@davemloft.net>,
linux-kernel@vger.kernel.org
Subject: [PATCH 2/5] {compat_,}verify_iovec(): switch to generic copying of iovecs
Date: Tue, 18 Nov 2014 19:42:06 +0000 [thread overview]
Message-ID: <20141118194206.GC14641@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20141118194053.GA14641@ZenIV.linux.org.uk>
use {compat_,}rw_copy_check_uvector(). As the result, we are
guaranteed that all iovecs seen in ->msg_iov by ->sendmsg()
and ->recvmsg() will pass access_ok(). The next commit removes
now redundant checks in callees...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
net/compat.c | 51 +++++++++++++++------------------------------------
net/core/iovec.c | 37 ++++++++++++++-----------------------
net/socket.c | 38 ++++++++------------------------------
3 files changed, 37 insertions(+), 89 deletions(-)
diff --git a/net/compat.c b/net/compat.c
index 562e920..7b4b6ad 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -31,33 +31,6 @@
#include <asm/uaccess.h>
#include <net/compat.h>
-static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
- struct compat_iovec __user *uiov32,
- int niov)
-{
- int tot_len = 0;
-
- while (niov > 0) {
- compat_uptr_t buf;
- compat_size_t len;
-
- if (get_user(len, &uiov32->iov_len) ||
- get_user(buf, &uiov32->iov_base))
- return -EFAULT;
-
- if (len > INT_MAX - tot_len)
- len = INT_MAX - tot_len;
-
- tot_len += len;
- kiov->iov_base = compat_ptr(buf);
- kiov->iov_len = (__kernel_size_t) len;
- uiov32++;
- kiov++;
- niov--;
- }
- return tot_len;
-}
-
int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
{
compat_uptr_t tmp1, tmp2, tmp3;
@@ -80,13 +53,15 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
}
/* I've named the args so it is easy to tell whose space the pointers are in. */
-int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
+int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *iov,
struct sockaddr_storage *kern_address, int mode)
{
- int tot_len;
+ struct compat_iovec __user *p;
+ struct iovec *res;
+ int err;
if (kern_msg->msg_name && kern_msg->msg_namelen) {
- if (mode == VERIFY_READ) {
+ if (mode == WRITE) {
int err = move_addr_to_kernel(kern_msg->msg_name,
kern_msg->msg_namelen,
kern_address);
@@ -99,13 +74,17 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov,
kern_msg->msg_namelen = 0;
}
- tot_len = iov_from_user_compat_to_kern(kern_iov,
- (struct compat_iovec __user *)kern_msg->msg_iov,
- kern_msg->msg_iovlen);
- if (tot_len >= 0)
- kern_msg->msg_iov = kern_iov;
+ if (kern_msg->msg_iovlen > UIO_MAXIOV)
+ return -EMSGSIZE;
- return tot_len;
+ p = (struct compat_iovec __user *)kern_msg->msg_iov;
+ err = compat_rw_copy_check_uvector(mode, p, kern_msg->msg_iovlen,
+ UIO_FASTIOV, iov, &res);
+ if (err >= 0)
+ kern_msg->msg_iov = res;
+ else if (res != iov)
+ kfree(res);
+ return err;
}
/* Bleech... */
diff --git a/net/core/iovec.c b/net/core/iovec.c
index e1ec45a..86beeea 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
@@ -37,13 +37,13 @@
int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *address, int mode)
{
- int size, ct, err;
+ struct iovec *res;
+ int err;
if (m->msg_name && m->msg_namelen) {
- if (mode == VERIFY_READ) {
- void __user *namep;
- namep = (void __user __force *) m->msg_name;
- err = move_addr_to_kernel(namep, m->msg_namelen,
+ if (mode == WRITE) {
+ void __user *namep = (void __user __force *)m->msg_name;
+ int err = move_addr_to_kernel(namep, m->msg_namelen,
address);
if (err < 0)
return err;
@@ -53,24 +53,15 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a
m->msg_name = NULL;
m->msg_namelen = 0;
}
-
- size = m->msg_iovlen * sizeof(struct iovec);
- if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
- return -EFAULT;
-
- m->msg_iov = iov;
- err = 0;
-
- for (ct = 0; ct < m->msg_iovlen; ct++) {
- size_t len = iov[ct].iov_len;
-
- if (len > INT_MAX - err) {
- len = INT_MAX - err;
- iov[ct].iov_len = len;
- }
- err += len;
- }
-
+ if (m->msg_iovlen > UIO_MAXIOV)
+ return -EMSGSIZE;
+
+ err = rw_copy_check_uvector(mode, (void __user __force *)m->msg_iov,
+ m->msg_iovlen, UIO_FASTIOV, iov, &res);
+ if (err >= 0)
+ m->msg_iov = res;
+ else if (res != iov)
+ kfree(res);
return err;
}
diff --git a/net/socket.c b/net/socket.c
index 0ae8147..59020f0 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2032,24 +2032,14 @@ static int ___sys_sendmsg(struct socket *sock, struct user_msghdr __user *msg,
return err;
}
- if (msg_sys->msg_iovlen > UIO_FASTIOV) {
- err = -EMSGSIZE;
- if (msg_sys->msg_iovlen > UIO_MAXIOV)
- goto out;
- err = -ENOMEM;
- iov = kmalloc(msg_sys->msg_iovlen * sizeof(struct iovec),
- GFP_KERNEL);
- if (!iov)
- goto out;
- }
-
/* This will also move the address data into kernel space */
- if (MSG_CMSG_COMPAT & flags) {
- err = verify_compat_iovec(msg_sys, iov, &address, VERIFY_READ);
- } else
- err = verify_iovec(msg_sys, iov, &address, VERIFY_READ);
+ if (MSG_CMSG_COMPAT & flags)
+ err = verify_compat_iovec(msg_sys, iovstack, &address, WRITE);
+ else
+ err = verify_iovec(msg_sys, iovstack, &address, WRITE);
if (err < 0)
goto out_freeiov;
+ iov = msg_sys->msg_iov;
total_len = err;
err = -ENOBUFS;
@@ -2118,7 +2108,6 @@ out_freectl:
out_freeiov:
if (iov != iovstack)
kfree(iov);
-out:
return err;
}
@@ -2244,28 +2233,18 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
return err;
}
- if (msg_sys->msg_iovlen > UIO_FASTIOV) {
- err = -EMSGSIZE;
- if (msg_sys->msg_iovlen > UIO_MAXIOV)
- goto out;
- err = -ENOMEM;
- iov = kmalloc(msg_sys->msg_iovlen * sizeof(struct iovec),
- GFP_KERNEL);
- if (!iov)
- goto out;
- }
-
/* Save the user-mode address (verify_iovec will change the
* kernel msghdr to use the kernel address space)
*/
uaddr = (__force void __user *)msg_sys->msg_name;
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags)
- err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
+ err = verify_compat_iovec(msg_sys, iovstack, &addr, READ);
else
- err = verify_iovec(msg_sys, iov, &addr, VERIFY_WRITE);
+ err = verify_iovec(msg_sys, iovstack, &addr, READ);
if (err < 0)
goto out_freeiov;
+ iov = msg_sys->msg_iov;
total_len = err;
cmsg_ptr = (unsigned long)msg_sys->msg_control;
@@ -2306,7 +2285,6 @@ static int ___sys_recvmsg(struct socket *sock, struct user_msghdr __user *msg,
out_freeiov:
if (iov != iovstack)
kfree(iov);
-out:
return err;
}
--
1.7.10.4
next prev parent reply other threads:[~2014-11-18 19:42 UTC|newest]
Thread overview: 133+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-18 8:47 [RFC] situation with csum_and_copy_... API Al Viro
2014-11-18 19:40 ` [patches][RFC] " Al Viro
2014-11-18 19:41 ` [PATCH 1/5] separate kernel- and userland-side msghdr Al Viro
2014-11-18 19:42 ` Al Viro [this message]
2014-11-18 19:42 ` [PATCH 3/5] remove a bunch of now-pointless access_ok() in net Al Viro
2014-11-18 19:43 ` [PATCH 4/5] bury skb_copy_to_page() Al Viro
2014-11-18 19:43 ` [PATCH 5/5] fold verify_iovec() into copy_msghdr_from_user() Al Viro
2014-11-19 20:25 ` [patches][RFC] situation with csum_and_copy_... API David Miller
2014-11-18 20:49 ` [RFC] " Linus Torvalds
2014-11-18 21:23 ` Al Viro
2014-11-18 21:39 ` Linus Torvalds
2014-11-19 20:31 ` David Miller
2014-11-19 20:40 ` Linus Torvalds
2014-11-19 21:17 ` Al Viro
2014-11-19 21:17 ` David Miller
2014-11-19 21:30 ` Al Viro
2014-11-19 21:53 ` David Miller
2014-11-20 21:47 ` Al Viro
2014-11-20 21:55 ` Eric Dumazet
2014-11-20 22:25 ` Al Viro
2014-11-20 22:53 ` Eric Dumazet
2014-11-21 8:49 ` Al Viro
2014-11-21 15:01 ` Eric Dumazet
2014-11-21 17:42 ` David Laight
2014-11-21 19:39 ` Al Viro
2014-11-21 19:40 ` Linus Torvalds
2014-11-24 10:03 ` David Laight
2014-11-22 3:27 ` Al Viro
2014-11-22 3:36 ` Al Viro
2014-11-24 10:27 ` David Laight
2014-11-20 23:23 ` David Miller
2014-11-21 17:26 ` David Miller
2014-11-22 4:28 ` Al Viro
2014-11-22 4:29 ` [PATCH 01/17] new helper: skb_copy_and_csum_datagram_msg() Al Viro
2014-11-22 4:30 ` [PATCH 02/17] new helper: memcpy_from_msg() Al Viro
2014-11-22 4:30 ` [PATCH 03/17] switch ipxrtr_route_packet() from iovec to msghdr Al Viro
2014-11-22 4:31 ` [PATCH 04/17] new helper: memcpy_to_msg() Al Viro
2014-11-22 4:32 ` [PATCH 05/17] switch drivers/net/tun.c to ->read_iter() Al Viro
2014-11-22 4:32 ` [PATCH 06/17] switch macvtap " Al Viro
2014-11-23 23:29 ` Ben Hutchings
2014-11-22 4:33 ` [PATCH 07/17] new helpers: skb_copy_datagram_from_iter() and zerocopy_sg_from_iter() Al Viro
2014-11-24 0:02 ` Ben Hutchings
2014-11-24 0:29 ` Ben Hutchings
2014-11-24 5:34 ` Jason Wang
2014-11-24 10:03 ` Al Viro
2014-11-22 4:33 ` [PATCH 08/17] {macvtap,tun}_get_user(): switch to iov_iter Al Viro
2014-11-24 0:27 ` Ben Hutchings
2014-11-24 1:06 ` Ben Hutchings
2014-11-24 10:15 ` Al Viro
2014-11-22 4:34 ` [PATCH 09/17] kill zerocopy_sg_from_iovec() Al Viro
2014-11-22 4:35 ` [PATCH 10/17] switch AF_PACKET and AF_UNIX to skb_copy_datagram_from_iter() Al Viro
2014-11-22 4:36 ` PATCH 11/17] switch sctp_user_addto_chunk() and sctp_datamsg_from_user() to passing iov_iter Al Viro
2014-11-22 4:36 ` [PATCH 12/17] tipc_sendmsg(): pass msghdr instead of its ->msg_iov Al Viro
2014-11-22 4:37 ` [PATCH 13/17] tipc_msg_build(): " Al Viro
2014-11-22 4:37 ` [PATCH 14/17] vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr Al Viro
2014-11-22 4:38 ` [PATCH 15/17] [atm] switch vcc_sendmsg() to copy_from_iter() Al Viro
2014-11-22 4:38 ` [PATCH 16/17] rds: switch ->inc_copy_to_user() to passing iov_iter Al Viro
2014-11-22 4:39 ` [PATCH 17/17] rds: switch rds_message_copy_from_user() to iov_iter Al Viro
2014-11-24 2:00 ` Ben Hutchings
2014-11-24 10:17 ` Al Viro
2014-11-22 7:24 ` [RFC] situation with csum_and_copy_... API David Miller
2014-11-25 2:40 ` Al Viro
2014-11-25 14:02 ` [PATCH v2 01/17] new helper: skb_copy_and_csum_datagram_msg() Al Viro
2014-11-25 19:28 ` David Miller
2014-11-25 20:59 ` Al Viro
2014-11-26 17:27 ` David Miller
2014-12-05 5:56 ` the next chunk of iov_iter-net stuff for review Al Viro
2014-12-05 5:58 ` [PATCH 01/12] raw.c: stick msghdr into raw_frag_vec Al Viro
2014-12-05 5:58 ` [PATCH 02/12] ipv6 equivalent of "ipv4: Avoid reading user iov twice after raw_probe_proto_opt" Al Viro
2014-12-05 5:58 ` [PATCH 03/12] ip_generic_getfrag, udplite_getfrag: switch to passing msghdr Al Viro
2014-12-05 5:58 ` [PATCH 04/12] switch tcp_sock->ucopy from iovec (ucopy.iov) to msghdr (ucopy.msg) Al Viro
2014-12-05 5:58 ` [PATCH 05/12] switch l2cap ->memcpy_fromiovec() to msghdr Al Viro
2014-12-05 5:58 ` [PATCH 06/12] vmci: propagate msghdr all way down to __qp_memcpy_from_queue() Al Viro
2014-12-05 5:58 ` [PATCH 07/12] put iov_iter into msghdr Al Viro
2014-12-05 5:58 ` [PATCH 08/12] first fruits - kill l2cap ->memcpy_fromiovec() Al Viro
2014-12-05 5:58 ` [PATCH 09/12] switch memcpy_to_msg() and skb_copy{,_and_csum}_datagram_msg() to primitives Al Viro
2014-12-05 5:58 ` [PATCH 10/12] ppp_read(): switch to skb_copy_datagram_iter() Al Viro
2014-12-05 5:58 ` [PATCH 11/12] skb_copy_datagram_iovec() can die Al Viro
2014-12-05 5:58 ` [PATCH 12/12] bury memcpy_toiovec() Al Viro
2014-12-09 20:07 ` the next chunk of iov_iter-net stuff for review David Miller
2014-12-09 21:04 ` Al Viro
2014-12-09 21:17 ` David Miller
2014-12-09 21:23 ` Al Viro
2014-12-09 21:37 ` David Miller
2014-12-09 22:49 ` Al Viro
2014-12-09 22:50 ` [PATCH 01/25] iov_iter.c: macros for iterating over iov_iter Al Viro
2014-12-09 22:50 ` [PATCH 02/25] iov_iter.c: iterate_and_advance Al Viro
2014-12-09 22:50 ` [PATCH 03/25] iov_iter.c: convert iov_iter_npages() to iterate_all_kinds Al Viro
2014-12-09 22:50 ` [PATCH 04/25] iov_iter.c: convert iov_iter_get_pages() " Al Viro
2014-12-09 22:50 ` [PATCH 05/25] iov_iter.c: convert iov_iter_get_pages_alloc() " Al Viro
2014-12-09 22:50 ` [PATCH 06/25] iov_iter.c: convert iov_iter_zero() to iterate_and_advance Al Viro
2014-12-09 22:50 ` [PATCH 07/25] iov_iter.c: get rid of bvec_copy_page_{to,from}_iter() Al Viro
2014-12-09 22:50 ` [PATCH 08/25] iov_iter.c: convert copy_from_iter() to iterate_and_advance Al Viro
2014-12-09 22:50 ` [PATCH 09/25] iov_iter.c: convert copy_to_iter() " Al Viro
2014-12-09 22:50 ` [PATCH 10/25] iov_iter.c: handle ITER_KVEC directly Al Viro
2014-12-09 22:50 ` [PATCH 11/25] csum_and_copy_..._iter() Al Viro
2014-12-09 22:50 ` [PATCH 12/25] new helper: iov_iter_kvec() Al Viro
2014-12-09 22:50 ` [PATCH 13/25] copy_from_iter_nocache() Al Viro
2014-12-09 22:50 ` [PATCH 14/25] raw.c: stick msghdr into raw_frag_vec Al Viro
2014-12-09 22:50 ` [PATCH 15/25] ipv6 equivalent of "ipv4: Avoid reading user iov twice after raw_probe_proto_opt" Al Viro
2014-12-09 22:50 ` [PATCH 16/25] ip_generic_getfrag, udplite_getfrag: switch to passing msghdr Al Viro
2014-12-09 22:50 ` [PATCH 17/25] switch tcp_sock->ucopy from iovec (ucopy.iov) to msghdr (ucopy.msg) Al Viro
2014-12-09 22:50 ` [PATCH 18/25] switch l2cap ->memcpy_fromiovec() to msghdr Al Viro
2014-12-09 22:50 ` [PATCH 19/25] vmci: propagate msghdr all way down to __qp_memcpy_from_queue() Al Viro
2014-12-09 22:50 ` [PATCH 20/25] put iov_iter into msghdr Al Viro
2014-12-09 22:50 ` [PATCH 21/25] first fruits - kill l2cap ->memcpy_fromiovec() Al Viro
2014-12-09 22:50 ` [PATCH 22/25] switch memcpy_to_msg() and skb_copy{,_and_csum}_datagram_msg() to primitives Al Viro
2014-12-09 22:50 ` [PATCH 23/25] ppp_read(): switch to skb_copy_datagram_iter() Al Viro
2014-12-09 22:50 ` [PATCH 24/25] skb_copy_datagram_iovec() can die Al Viro
2014-12-09 22:50 ` [PATCH 25/25] bury memcpy_toiovec() Al Viro
2014-12-09 23:13 ` the next chunk of iov_iter-net stuff for review Al Viro
2014-12-10 18:25 ` David Miller
2014-11-25 14:02 ` [PATCH v2 02/17] new helper: memcpy_from_msg() Al Viro
2014-11-25 14:02 ` [PATCH v2 03/17] switch ipxrtr_route_packet() from iovec to msghdr Al Viro
2014-11-25 14:02 ` [PATCH v2 04/17] new helper: memcpy_to_msg() Al Viro
2014-11-25 14:02 ` [PATCH v2 05/17] switch drivers/net/tun.c to ->read_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 06/17] switch macvtap " Al Viro
2014-11-25 14:02 ` [PATCH v2 07/17] new helpers: skb_copy_datagram_from_iter() and zerocopy_sg_from_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 08/17] {macvtap,tun}_get_user(): switch to iov_iter Al Viro
2015-02-03 10:10 ` Michael S. Tsirkin
2015-02-03 14:27 ` Al Viro
2015-02-03 15:19 ` Michael S. Tsirkin
2014-11-25 14:02 ` [PATCH v2 09/17] kill zerocopy_sg_from_iovec() Al Viro
2014-11-25 14:02 ` [PATCH v2 10/17] switch AF_PACKET and AF_UNIX to skb_copy_datagram_from_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 11/17] switch sctp_user_addto_chunk() and sctp_datamsg_from_user() to passing iov_iter Al Viro
2014-11-25 14:02 ` [PATCH v2 12/17] tipc_sendmsg(): pass msghdr instead of its ->msg_iov Al Viro
2014-11-25 14:02 ` [PATCH v2 13/17] tipc_msg_build(): " Al Viro
2014-11-25 14:02 ` [PATCH v2 14/17] vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr Al Viro
2014-11-25 14:02 ` [PATCH v2 15/17] [atm] switch vcc_sendmsg() to copy_from_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 16/17] rds: switch ->inc_copy_to_user() to passing iov_iter Al Viro
2014-11-25 14:02 ` [PATCH v2 17/17] rds: switch rds_message_copy_from_user() to iov_iter Al Viro
2014-11-22 17:48 ` [RFC] situation with csum_and_copy_... API Linus Torvalds
2014-11-21 4:17 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141118194206.GC14641@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.