* How does __user works?
@ 2013-01-19 16:34 Grzegorz Dwornicki
2013-01-19 20:41 ` Valdis.Kletnieks at vt.edu
2013-01-21 12:06 ` Bernd Petrovitsch
0 siblings, 2 replies; 3+ messages in thread
From: Grzegorz Dwornicki @ 2013-01-19 16:34 UTC (permalink / raw)
To: kernelnewbies
How does the __user macro work? I know it is defined in
include/linux/compiler.h as:
# define __user __attribute__((noderef, address_space(1)))
I could write these macro defs too but my real problem is: what does this
stuff do? Some functions use this macro and others do not. For example
compat_do_execve (from include/linux/comtap.h) uses a normal pointer named
filename and a second pointer named argv as a __user pointer. Why does argv
need __user but filename not?
Gregory
From: Valdis.Kletnieks at vt.edu @ 2013-01-19 20:41 UTC (permalink / raw)
To: kernelnewbies
On Sat, 19 Jan 2013 17:34:15 +0100, Grzegorz Dwornicki said:
> I could write these macro defs too but my real problem is: what does this
> stuff do? Some functions use this macro and others do not. For example
> compat_do_execve (from include/linux/comtap.h) uses a normal pointer named
> filename and a second pointer named argv as a __user pointer. Why does argv
> need __user but filename not?
Hint: Look to see what memory the actual argv[] lives in, and then see what
memory the filename lives in. In general, syscalls like to make a *copy*
of parameters that need security validation, and then validate and use
the copy. This is to prevent a "time-of-check-time-of-use" (TOCTOU) security
issue - otherwise, it would be possible for some nefarious person to issue
a syscall pointing at a filename in shared memory, wait till just after the
security check was done, and then replace the filename with something else
more dastardly (it's a variant on the concept of symlink races). So that
'filename' probably lives in a kmalloc buffer someplace. The argv[] however
is actually in a user page.
That help?
From: Bernd Petrovitsch @ 2013-01-21 12:06 UTC (permalink / raw)
To: kernelnewbies
On Sat, 2013-01-19 at 17:34 +0100, Grzegorz Dwornicki wrote:
> How does the __user macro work? I know it is defined in
> include/linux/compiler.h as:
> # define __user __attribute__((noderef, address_space(1)))
> I could write these macro defs too but my real problem is: what does this
> stuff do? Some functions use this macro and others do not. For example
> compat_do_execve (from include/linux/comtap.h) uses a normal pointer named
> filename and a second pointer named argv as a __user pointer. Why does argv
> need __user but filename not?
In the kernel, some memory is the user-space memory (which can be
swapped out and - therefore - shouldn't be dereferenced directly) and some
of it is kernel-space memory (which is always in real RAM).
That macro tells static checkers which of those the pointer points to
so that errors are compile-time visible.
Bernd
--
Bernd Petrovitsch Email : bernd at petrovitsch.priv.at
LUGA : http://www.luga.at