Re: [Ksummit-discuss] [CORE TOPIC] More useful types in the linux kernel

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Michael S. Tsirkin" <mst@redhat.com>
To: NeilBrown <nfbrown@novell.com>
Cc: ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [CORE TOPIC] More useful types in the linux kernel
Date: Fri, 12 Aug 2016 08:34:12 +0300	[thread overview]
Message-ID: <20160812082417-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <871t1ulfvz.fsf@notabene.neil.brown.name>

On Fri, Aug 12, 2016 at 03:23:28PM +1000, NeilBrown wrote:
> On Fri, Aug 12 2016, Michael S. Tsirkin wrote:
> 
> > On Tue, Jul 19, 2016 at 10:32:51AM -0500, Eric W. Biederman wrote:
> >> I would really like to get a feel among kernel maintainers and
> >> developers if this is something that is interesting, and what kind of
> >> constraints they think something like this would need to be usable for
> >> the kernel?
> >> 
> >> Eric
> >
> > Surprised that no one mentioned this yet - I think tagging
> > integers/structs as coming from userspace could be useful,
> > if we can teach e.g. smatch that access to a kernel
> > pointer through this offset might fault.
> 
> We already have that.
> Sparse recognizes
>     __attribute__((noderef, address_space(1)))
>  to mean "this is a pointer to a different address space which
>  cannot be dereferened" and linux has
> 
> # define __user                __attribute__((noderef, address_space(1)))
> 
> so if you mark a pointer as "__user", then sparse will complain
> if you dereference it.
> 
> We've had this for over a decade :-)
> 
>   https://lwn.net/Articles/87538/
> 
> NeilBrown

Of course, everyone uses these.  But what I mean is tagging index types:

	int data[256];

	int foo(u32 __user *ptr)
	{
		u32 i;
		if (get_user(i, ptr))
			return -EFAULT;

		data[i] = 0;
			^^^ security vulnerability

	}

Above, i is coming from userspace and so must always be range-checked
before it's used as an index.

Maybe we could change get_user return a tagged result: __from_user int.
And have above warn because __from_user can not be assigned to plain
int.

Then rework the code along the following lines:

	int data[256];

	int force_range(__unsafe u32 value, unsigned idx)
	{
		return ((__force int)value) % idx;
	}

	int foo(u32 __user *ptr)
	{
		__unsafe u32 i;
		int ichecked;
		if (get_user(i, ptr))
			return -EFAULT;

		ichecked = force_range(i, sizeof data);
		data[ichecked] = 0;
			^^^ ok now

	}

-- 
MST

next prev parent reply	other threads:[~2016-08-12  5:34 UTC|newest]

Thread overview: 82+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-07-19 15:32 [Ksummit-discuss] [CORE TOPIC] More useful types in the linux kernel Eric W. Biederman
2016-07-19 17:31 ` Mark Brown
2016-07-19 18:52   ` Jiri Kosina
2016-07-19 20:39     ` Eric W. Biederman
2016-07-20 15:53     ` Mark Brown
2016-07-20 17:04       ` [Ksummit-discuss] [CORE TOPIC] [TECH TOPIC] Support (or move towards to) LLVM Jiri Kosina
2016-07-20 18:35         ` Alexey Dobriyan
2016-07-20 18:52           ` Mark Brown
2016-07-21  9:54         ` David Woodhouse
2016-07-21 13:41           ` Shuah Khan
2016-07-21 14:02             ` David Woodhouse
2016-07-21 16:21               ` Mark Brown
2016-07-23  3:28                 ` Behan Webster
2016-07-21 18:38           ` Jiri Kosina
2016-07-21 20:47             ` Paul Turner
2016-07-26 11:22             ` David Woodhouse
2016-07-22 11:19   ` [Ksummit-discuss] [CORE TOPIC] More useful types in the linux kernel David Howells
2016-07-22 12:44     ` Linus Walleij
2016-07-22 13:26       ` David Howells
2016-07-19 21:08 ` James Bottomley
2016-07-20  0:08   ` Eric W. Biederman
2016-07-20  7:32     ` Julia Lawall
2016-07-20 12:11     ` Jan Kara
2016-07-28  3:33       ` Steven Rostedt
2016-07-19 21:26 ` Josh Triplett
2016-07-20  2:36   ` Eric W. Biederman
2016-07-30 18:03   ` Eric W. Biederman
2016-07-30 18:49     ` Josh Triplett
2016-07-30 19:34       ` Eric W. Biederman
2016-07-30 20:56         ` Josh Triplett
2016-07-30 22:21           ` Eric W. Biederman
2016-07-21 15:05 ` David Howells
2016-07-21 23:33   ` Dmitry Torokhov
2016-07-22  7:03     ` David Howells
2016-07-22 10:10       ` Alexey Dobriyan
2016-07-22 10:13         ` David Howells
2016-07-22 10:22           ` Alexey Dobriyan
2016-07-22 10:53             ` Vlastimil Babka
2016-07-22 11:05               ` David Howells
2016-07-22 17:18                 ` Julia Lawall
2016-07-22 18:19       ` Dmitry Torokhov
2016-07-22 19:43         ` Guenter Roeck
2016-07-22  6:00   ` Hannes Reinecke
2016-07-22  6:14     ` Julia Lawall
2016-07-22 13:57       ` Hannes Reinecke
2016-07-22 14:40         ` Julia Lawall
2016-07-22 19:12         ` Arnd Bergmann
2016-07-26 11:48         ` David Woodhouse
2016-07-26 12:53           ` Hannes Reinecke
2016-07-26 13:59             ` Alexey Dobriyan
2016-07-26 13:53           ` Alexey Dobriyan
2016-07-27 12:40           ` Julia Lawall
2016-07-27 13:25             ` James Bottomley
2016-07-27 13:33               ` David Woodhouse
2016-07-27 17:21                 ` Bird, Timothy
2016-08-01 22:17                   ` Rob Herring
2016-08-12  1:29                     ` Stephen Boyd
2016-08-11 15:44         ` Dan Carpenter
2016-08-12  0:38           ` NeilBrown
2016-08-12 20:56             ` Dan Carpenter
2016-08-12  3:51           ` Matthew Wilcox
2016-08-12  4:01             ` Josh Triplett
2016-08-12  4:07               ` Matthew Wilcox
2016-08-12  5:29                 ` Alexey Dobriyan
2016-08-12  5:38                   ` Michael S. Tsirkin
2016-08-12  6:04                     ` Julia Lawall
2016-08-12  6:09                       ` Michael S. Tsirkin
2016-08-12  6:23                         ` Matthew Wilcox
2016-08-12  6:37                         ` Julia Lawall
2016-08-12  5:50                   ` Matthew Wilcox
2016-08-04  7:15       ` NeilBrown
2016-08-04 11:19         ` Julia Lawall
2016-07-28  3:40   ` Steven Rostedt
2016-07-28  7:12     ` David Howells
2016-08-02 10:48   ` Jani Nikula
2016-08-04 11:31     ` David Woodhouse
2016-08-04 12:07       ` Jani Nikula
2016-08-12  4:42 ` Michael S. Tsirkin
     [not found]   ` <871t1ulfvz.fsf@notabene.neil.brown.name>
2016-08-12  5:34     ` Michael S. Tsirkin [this message]
2016-08-12  6:23       ` NeilBrown
     [not found]       ` <87y442jytb.fsf@notabene.neil.brown.name>
2016-08-15 23:26         ` Michael S. Tsirkin
2016-08-12  6:23   ` NeilBrown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160812082417-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=ksummit-discuss@lists.linuxfoundation.org \
    --cc=nfbrown@novell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.