From: ebiederm@xmission.com (Eric W. Biederman)
To: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>, Arnd Bergmann <arnd@arndb.de>,
Brian Gerst <brgerst@gmail.com>,
Luis Chamberlain <mcgrof@kernel.org>,
linux-arm-kernel@lists.infradead.org, x86@kernel.org,
linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org,
sparclinux@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] exec: simplify the compat syscall handling
Date: Fri, 26 Mar 2021 16:22:33 -0500 [thread overview]
Message-ID: <m1y2e9vcdi.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20210326143831.1550030-4-hch@lst.de> (Christoph Hellwig's message of "Fri, 26 Mar 2021 15:38:30 +0100")
Christoph Hellwig <hch@lst.de> writes:
> diff --git a/fs/exec.c b/fs/exec.c
> index 06e07278b456fa..b34c1eb9e7ad8e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -391,47 +391,34 @@ static int bprm_mm_init(struct linux_binprm *bprm)
> return err;
> }
>
> -struct user_arg_ptr {
> -#ifdef CONFIG_COMPAT
> - bool is_compat;
> -#endif
> - union {
> - const char __user *const __user *native;
> -#ifdef CONFIG_COMPAT
> - const compat_uptr_t __user *compat;
> -#endif
> - } ptr;
> -};
> -
> -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
> +static const char __user *
> +get_user_arg_ptr(const char __user *const __user *argv, int nr)
> {
> - const char __user *native;
> -
> -#ifdef CONFIG_COMPAT
> - if (unlikely(argv.is_compat)) {
> + if (in_compat_syscall()) {
> + const compat_uptr_t __user *compat_argv =
> + compat_ptr((unsigned long)argv);
Ouch! Passing a pointer around as the wrong type through the kernel!
Perhaps we should reduce everything to do_execveat and
do_execveat_compat. Then there would be no need for anything
to do anything odd with the pointer types.
I think the big change would be to factor out a copy_string out
of copy_strings, that performs all of the work once we know the proper
pointer value.
Casting pointers from one type to another scares me as one mistake means
we are doing something wrong and probably exploitable.
Eric
> compat_uptr_t compat;
>
> - if (get_user(compat, argv.ptr.compat + nr))
> + if (get_user(compat, compat_argv + nr))
> return ERR_PTR(-EFAULT);
> -
> return compat_ptr(compat);
> - }
> -#endif
> -
> - if (get_user(native, argv.ptr.native + nr))
> - return ERR_PTR(-EFAULT);
> + } else {
> + const char __user *native;
>
> - return native;
> + if (get_user(native, argv + nr))
> + return ERR_PTR(-EFAULT);
> + return native;
> + }
> }
>
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Christoph Hellwig <hch@lst.de>
Cc: linux-arch@vger.kernel.org, linux-s390@vger.kernel.org,
linux-parisc@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Brian Gerst <brgerst@gmail.com>,
x86@kernel.org, linux-mips@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Luis Chamberlain <mcgrof@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
sparclinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 3/4] exec: simplify the compat syscall handling
Date: Fri, 26 Mar 2021 16:22:33 -0500 [thread overview]
Message-ID: <m1y2e9vcdi.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20210326143831.1550030-4-hch@lst.de> (Christoph Hellwig's message of "Fri, 26 Mar 2021 15:38:30 +0100")
Christoph Hellwig <hch@lst.de> writes:
> diff --git a/fs/exec.c b/fs/exec.c
> index 06e07278b456fa..b34c1eb9e7ad8e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -391,47 +391,34 @@ static int bprm_mm_init(struct linux_binprm *bprm)
> return err;
> }
>
> -struct user_arg_ptr {
> -#ifdef CONFIG_COMPAT
> - bool is_compat;
> -#endif
> - union {
> - const char __user *const __user *native;
> -#ifdef CONFIG_COMPAT
> - const compat_uptr_t __user *compat;
> -#endif
> - } ptr;
> -};
> -
> -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
> +static const char __user *
> +get_user_arg_ptr(const char __user *const __user *argv, int nr)
> {
> - const char __user *native;
> -
> -#ifdef CONFIG_COMPAT
> - if (unlikely(argv.is_compat)) {
> + if (in_compat_syscall()) {
> + const compat_uptr_t __user *compat_argv =
> + compat_ptr((unsigned long)argv);
Ouch! Passing a pointer around as the wrong type through the kernel!
Perhaps we should reduce everything to do_execveat and
do_execveat_compat. Then there would be no need for anything
to do anything odd with the pointer types.
I think the big change would be to factor out a copy_string out
of copy_strings, that performs all of the work once we know the proper
pointer value.
Casting pointers from one type to another scares me as one mistake means
we are doing something wrong and probably exploitable.
Eric
> compat_uptr_t compat;
>
> - if (get_user(compat, argv.ptr.compat + nr))
> + if (get_user(compat, compat_argv + nr))
> return ERR_PTR(-EFAULT);
> -
> return compat_ptr(compat);
> - }
> -#endif
> -
> - if (get_user(native, argv.ptr.native + nr))
> - return ERR_PTR(-EFAULT);
> + } else {
> + const char __user *native;
>
> - return native;
> + if (get_user(native, argv + nr))
> + return ERR_PTR(-EFAULT);
> + return native;
> + }
> }
>
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>, Arnd Bergmann <arnd@arndb.de>,
Brian Gerst <brgerst@gmail.com>,
Luis Chamberlain <mcgrof@kernel.org>,
linux-arm-kernel@lists.infradead.org, x86@kernel.org,
linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org,
sparclinux@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/4] exec: simplify the compat syscall handling
Date: Fri, 26 Mar 2021 16:22:33 -0500 [thread overview]
Message-ID: <m1y2e9vcdi.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20210326143831.1550030-4-hch@lst.de> (Christoph Hellwig's message of "Fri, 26 Mar 2021 15:38:30 +0100")
Christoph Hellwig <hch@lst.de> writes:
> diff --git a/fs/exec.c b/fs/exec.c
> index 06e07278b456fa..b34c1eb9e7ad8e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -391,47 +391,34 @@ static int bprm_mm_init(struct linux_binprm *bprm)
> return err;
> }
>
> -struct user_arg_ptr {
> -#ifdef CONFIG_COMPAT
> - bool is_compat;
> -#endif
> - union {
> - const char __user *const __user *native;
> -#ifdef CONFIG_COMPAT
> - const compat_uptr_t __user *compat;
> -#endif
> - } ptr;
> -};
> -
> -static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
> +static const char __user *
> +get_user_arg_ptr(const char __user *const __user *argv, int nr)
> {
> - const char __user *native;
> -
> -#ifdef CONFIG_COMPAT
> - if (unlikely(argv.is_compat)) {
> + if (in_compat_syscall()) {
> + const compat_uptr_t __user *compat_argv =
> + compat_ptr((unsigned long)argv);
Ouch! Passing a pointer around as the wrong type through the kernel!
Perhaps we should reduce everything to do_execveat and
do_execveat_compat. Then there would be no need for anything
to do anything odd with the pointer types.
I think the big change would be to factor out a copy_string out
of copy_strings, that performs all of the work once we know the proper
pointer value.
Casting pointers from one type to another scares me as one mistake means
we are doing something wrong and probably exploitable.
Eric
> compat_uptr_t compat;
>
> - if (get_user(compat, argv.ptr.compat + nr))
> + if (get_user(compat, compat_argv + nr))
> return ERR_PTR(-EFAULT);
> -
> return compat_ptr(compat);
> - }
> -#endif
> -
> - if (get_user(native, argv.ptr.native + nr))
> - return ERR_PTR(-EFAULT);
> + } else {
> + const char __user *native;
>
> - return native;
> + if (get_user(native, argv + nr))
> + return ERR_PTR(-EFAULT);
> + return native;
> + }
> }
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-03-26 21:24 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-26 14:38 cleanup compat exec handling Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 14:38 ` [PATCH 1/4] exec: remove do_execve Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 15:04 ` Arnd Bergmann
2021-03-26 15:04 ` Arnd Bergmann
2021-03-26 15:04 ` Arnd Bergmann
2021-03-26 14:38 ` [PATCH 2/4] exec: remove compat_do_execve Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 15:42 ` Andreas Schwab
2021-03-26 15:42 ` Andreas Schwab
2021-03-26 15:42 ` Andreas Schwab
2021-03-27 19:56 ` Sergei Shtylyov
2021-03-27 19:56 ` Sergei Shtylyov
2021-03-27 19:56 ` Sergei Shtylyov
2021-03-26 14:38 ` [PATCH 3/4] exec: simplify the compat syscall handling Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 15:02 ` Arnd Bergmann
2021-03-26 15:02 ` Arnd Bergmann
2021-03-26 15:02 ` Arnd Bergmann
2021-03-26 16:12 ` Al Viro
2021-03-26 16:12 ` Al Viro
2021-03-26 16:12 ` Al Viro
2021-03-26 16:44 ` David Laight
2021-03-26 16:44 ` David Laight
2021-03-26 16:44 ` David Laight
2021-03-26 21:22 ` Eric W. Biederman [this message]
2021-03-26 21:22 ` Eric W. Biederman
2021-03-26 21:22 ` Eric W. Biederman
2021-03-26 14:38 ` [PATCH 4/4] exec: move the call to getname_flags into do_execveat Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 14:38 ` Christoph Hellwig
2021-03-26 15:12 ` Arnd Bergmann
2021-03-26 15:12 ` Arnd Bergmann
2021-03-26 15:12 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1y2e9vcdi.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=arnd@arndb.de \
--cc=brgerst@gmail.com \
--cc=hch@lst.de \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mcgrof@kernel.org \
--cc=sparclinux@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.