From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Vineet Gupta <Vineet.Gupta1@synopsys.com>,
Arnd Bergmann <arnd@arndb.de>,
Khalid Aziz <khalid.aziz@oracle.com>,
Andrey Konovalov <andreyknvl@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Christian Brauner <christian.brauner@ubuntu.com>,
Kees Cook <keescook@chromium.org>, Ingo Molnar <mingo@kernel.org>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-snps-arc@lists.infradead.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>
Subject: Re: [RFC 2/4] lib/strncpy_from_user: Remove redundant user space pointer range check
Date: Tue, 14 Jan 2020 23:46:00 +0000 [thread overview]
Message-ID: <20200114234600.GD8904@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAHk-=wgoc5DaF6=WxsAcft_Lp4XUYTiRhhCJGcmM5PwEDXY6Gw@mail.gmail.com>
On Tue, Jan 14, 2020 at 01:22:07PM -0800, Linus Torvalds wrote:
> The fact is, copying a string from user space is *very* different from
> copying a fixed number of bytes, and that whole dance with
>
> max_addr = user_addr_max();
>
> is absolutely required and necessary.
>
> You completely broke string copying.
BTW, a quick grep through the callers has found something odd -
static ssize_t kmemleak_write(struct file *file, const char __user *user_buf,
size_t size, loff_t *ppos)
{
char buf[64];
int buf_size;
int ret;
buf_size = min(size, (sizeof(buf) - 1));
if (strncpy_from_user(buf, user_buf, buf_size) < 0)
return -EFAULT;
buf[buf_size] = 0;
What the hell? If somebody is calling write(fd, buf, n) they'd
better be ready to see any byte from buf[0] up to buf[n - 1]
fetched, and if something is unmapped - deal with -EFAULT.
Is something really doing that and if so, why does kmemleak
try to accomodate that idiocy?
The same goes for several more ->write() instances - mtrr_write(),
armada_debugfs_crtc_reg_write() and cio_ignore_write(); IMO that's
seriously misguided (and cio one ought use vmemdup_user() instead
of what it's doing)...
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-arch <linux-arch@vger.kernel.org>,
Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
Peter Zijlstra <peterz@infradead.org>,
Andrey Konovalov <andreyknvl@google.com>,
Vineet Gupta <Vineet.Gupta1@synopsys.com>,
Aleksa Sarai <cyphar@cyphar.com>, Ingo Molnar <mingo@kernel.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-snps-arc@lists.infradead.org,
Christian Brauner <christian.brauner@ubuntu.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC 2/4] lib/strncpy_from_user: Remove redundant user space pointer range check
Date: Tue, 14 Jan 2020 23:46:00 +0000 [thread overview]
Message-ID: <20200114234600.GD8904@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAHk-=wgoc5DaF6=WxsAcft_Lp4XUYTiRhhCJGcmM5PwEDXY6Gw@mail.gmail.com>
On Tue, Jan 14, 2020 at 01:22:07PM -0800, Linus Torvalds wrote:
> The fact is, copying a string from user space is *very* different from
> copying a fixed number of bytes, and that whole dance with
>
> max_addr = user_addr_max();
>
> is absolutely required and necessary.
>
> You completely broke string copying.
BTW, a quick grep through the callers has found something odd -
static ssize_t kmemleak_write(struct file *file, const char __user *user_buf,
size_t size, loff_t *ppos)
{
char buf[64];
int buf_size;
int ret;
buf_size = min(size, (sizeof(buf) - 1));
if (strncpy_from_user(buf, user_buf, buf_size) < 0)
return -EFAULT;
buf[buf_size] = 0;
What the hell? If somebody is calling write(fd, buf, n) they'd
better be ready to see any byte from buf[0] up to buf[n - 1]
fetched, and if something is unmapped - deal with -EFAULT.
Is something really doing that and if so, why does kmemleak
try to accomodate that idiocy?
The same goes for several more ->write() instances - mtrr_write(),
armada_debugfs_crtc_reg_write() and cio_ignore_write(); IMO that's
seriously misguided (and cio one ought use vmemdup_user() instead
of what it's doing)...
_______________________________________________
linux-snps-arc mailing list
linux-snps-arc@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-snps-arc
next prev parent reply other threads:[~2020-01-14 23:46 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 20:08 [RFC 0/4] Switching ARC to optimized generic strncpy_from_user Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:08 ` [RFC 1/4] asm-generic/uaccess: don't define inline functions if noinline lib/* in use Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:57 ` Arnd Bergmann
2020-01-14 20:57 ` Arnd Bergmann
2020-01-15 23:01 ` Vineet Gupta
2020-01-15 23:01 ` Vineet Gupta
2020-01-16 11:43 ` Arnd Bergmann
2020-01-16 11:43 ` Arnd Bergmann
2020-01-14 21:32 ` Linus Torvalds
2020-01-14 21:32 ` Linus Torvalds
2020-01-15 9:08 ` Arnd Bergmann
2020-01-15 9:08 ` Arnd Bergmann
2020-01-15 14:12 ` Al Viro
2020-01-15 14:12 ` Al Viro
2020-01-15 14:21 ` Arnd Bergmann
2020-01-15 14:21 ` Arnd Bergmann
2020-01-14 20:08 ` [RFC 2/4] lib/strncpy_from_user: Remove redundant user space pointer range check Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 21:22 ` Linus Torvalds
2020-01-14 21:22 ` Linus Torvalds
2020-01-14 21:52 ` Vineet Gupta
2020-01-14 21:52 ` Vineet Gupta
2020-01-14 23:46 ` Al Viro [this message]
2020-01-14 23:46 ` Al Viro
2020-01-15 14:42 ` Andrey Konovalov
2020-01-15 14:42 ` Andrey Konovalov
2020-01-15 14:42 ` Andrey Konovalov
2020-01-15 23:00 ` Vineet Gupta
2020-01-15 23:00 ` Vineet Gupta
2020-01-14 20:08 ` [RFC 3/4] ARC: uaccess: remove noinline variants of __strncpy_from_user() and friends Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:08 ` [RFC 4/4] ARC: uaccess: use optimized generic __strnlen_user/__strncpy_from_user Vineet Gupta
2020-01-14 20:08 ` Vineet Gupta
2020-01-14 20:42 ` Arnd Bergmann
2020-01-14 20:42 ` Arnd Bergmann
2020-01-14 21:36 ` Vineet Gupta
2020-01-14 21:36 ` Vineet Gupta
2020-01-14 21:49 ` Linus Torvalds
2020-01-14 21:49 ` Linus Torvalds
2020-01-14 22:14 ` Vineet Gupta
2020-01-14 22:14 ` Vineet Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200114234600.GD8904@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=Vineet.Gupta1@synopsys.com \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@google.com \
--cc=arnd@arndb.de \
--cc=christian.brauner@ubuntu.com \
--cc=cyphar@cyphar.com \
--cc=keescook@chromium.org \
--cc=khalid.aziz@oracle.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-snps-arc@lists.infradead.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.