From: Al Viro <viro@ZenIV.linux.org.uk>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: Re: [RFC] get_compat_msghdr(): get rid of field-by-field copyin
Date: Fri, 14 Jul 2017 02:37:50 +0100
Message-ID: <20170714013750.GC13102@ZenIV.linux.org.uk>
In-Reply-To: <20170711.202514.815304234636661456.davem@davemloft.net>

On Tue, Jul 11, 2017 at 08:25:14PM -0700, David Miller wrote:

> looks harmless, or if there is a bug in there I can't see it.
> 
> But whatever it is, that same problem could be hiding in some of these
> other transformations as well.
> 
> I think the bug might be that we are corrupting the user's stack
> somehow.  But the two user copies in that commit look perfectly fine
> to my eyes.
> 
> There shouldn't be any padding in that compat_rlimit structure, so
> it's not like we're copying extra bytes.  Well, we'd be exposing
> kernel stack memory if that were the case.

There isn't any padding in compat_rlimit; unfortunately, it was
mistakenly declared as struct rlimit instead.  Which, of course,
has different member sizes - otherwise we wouldn't have needed
a compat syscall there in the first place.

It was harder to spot since I combined move and a transformation
into one commit.  Shouldn't have done so...  Had those been two
separate commits, the bug would've stood out immediately.  Shouldn't
be the case here...

> Color me stumped, but cautious about ACK'ing these networking
> compat changes.
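The size mismatch Al describes above, shown as an added user-space C example (not code from the thread or from vfs.git): stand-ins for the 32-bit compat_rlimit and the native 64-bit rlimit, a simulated copy_from_user(), and the correct compat copyin beside one whose local was mistakenly declared with the native type. Type names, the 64-bit `unsigned long` assumption, and the EFAULT-style return are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Native layout on a 64-bit kernel (assumption: unsigned long is 64 bits). */
struct rlimit_native { uint64_t rlim_cur; uint64_t rlim_max; };
/* 32-bit ABI layout: compat_ulong_t is 32 bits, no padding, 8 bytes total. */
struct compat_rlimit { uint32_t rlim_cur; uint32_t rlim_max; };

/* Stand-in for copy_from_user(): the "user" region is user_len bytes long;
 * reading past it is the simulated fault and returns -1 (think -EFAULT). */
static int copy_from_user_sim(void *dst, const unsigned char *user,
                              size_t user_len, size_t n)
{
    if (n > user_len)
        return -1;
    memcpy(dst, user, n);
    return 0;
}

/* Correct compat copyin: copy the compat struct, then widen each field. */
static int get_compat_rlimit(struct rlimit_native *out,
                             const unsigned char *user, size_t user_len)
{
    struct compat_rlimit c;
    if (copy_from_user_sim(&c, user, user_len, sizeof(c)))
        return -1;
    out->rlim_cur = c.rlim_cur;
    out->rlim_max = c.rlim_max;
    return 0;
}

/* The mistake from the thread: the local is the native type, so sizeof()
 * is 16, not 8. The copy reads 8 bytes past the user's struct (or faults)
 * and the two 32-bit fields land inside one 64-bit member. */
static int get_compat_rlimit_buggy(struct rlimit_native *out,
                                   const unsigned char *user, size_t user_len)
{
    struct rlimit_native r;
    if (copy_from_user_sim(&r, user, user_len, sizeof(r)))
        return -1;
    *out = r;
    return 0;
}

/* Constructed "user memory": a compat_rlimit followed by 8 bytes of
 * unrelated neighbouring data, in host byte order. */
static void make_user_buf(unsigned char buf[16], uint32_t cur, uint32_t max)
{
    struct compat_rlimit c = { cur, max };
    memcpy(buf, &c, sizeof(c));
    memset(buf + sizeof(c), 0xAA, 16 - sizeof(c));
}
```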
