copy_mount_options() problem

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* copy_mount_options() problem
@ 2019-10-15 18:09 Pavel V. Panteleev
  2019-10-15 18:40 ` Al Viro
  0 siblings, 1 reply; 6+ messages in thread
From: Pavel V. Panteleev @ 2019-10-15 18:09 UTC (permalink / raw)
  To: linux-fsdevel

Hello,

copy_mount_options() checks that data doesn't cross TASK_SIZE boundary. 
It's not correct. Really it should check USER_DS boudary, because some 
archs have TASK_SIZE not equal to USER_DS. In this case (USER_DS != 
TASK_SIZE) exact_copy_from_user() will stop on access_ok() check, if 
data cross USER_DS, but doesn't cross TASK_SIZE.

Best regards,
Pavel V. Panteleev

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: copy_mount_options() problem
  2019-10-15 18:09 copy_mount_options() problem Pavel V. Panteleev
@ 2019-10-15 18:40 ` Al Viro
  2019-10-15 22:03   ` Al Viro
  2019-10-16  7:31   ` Pavel V. Panteleev
  0 siblings, 2 replies; 6+ messages in thread
From: Al Viro @ 2019-10-15 18:40 UTC (permalink / raw)
  To: Pavel V. Panteleev; +Cc: linux-fsdevel

On Tue, Oct 15, 2019 at 09:09:02PM +0300, Pavel V. Panteleev wrote:
> Hello,
> 
> copy_mount_options() checks that data doesn't cross TASK_SIZE boundary. It's
> not correct. Really it should check USER_DS boudary, because some archs have
> TASK_SIZE not equal to USER_DS. In this case (USER_DS != TASK_SIZE)
> exact_copy_from_user() will stop on access_ok() check, if data cross
> USER_DS, but doesn't cross TASK_SIZE.

Details of the call chain, please.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: copy_mount_options() problem
  2019-10-15 18:40 ` Al Viro
@ 2019-10-15 22:03   ` Al Viro
  2019-10-16  7:39     ` Pavel V. Panteleev
  2019-10-16  7:31   ` Pavel V. Panteleev
  1 sibling, 1 reply; 6+ messages in thread
From: Al Viro @ 2019-10-15 22:03 UTC (permalink / raw)
  To: Pavel V. Panteleev; +Cc: linux-fsdevel

On Tue, Oct 15, 2019 at 07:40:34PM +0100, Al Viro wrote:
> On Tue, Oct 15, 2019 at 09:09:02PM +0300, Pavel V. Panteleev wrote:
> > Hello,
> > 
> > copy_mount_options() checks that data doesn't cross TASK_SIZE boundary. It's
> > not correct. Really it should check USER_DS boudary, because some archs have
> > TASK_SIZE not equal to USER_DS. In this case (USER_DS != TASK_SIZE)
> > exact_copy_from_user() will stop on access_ok() check, if data cross
> > USER_DS, but doesn't cross TASK_SIZE.
> 
> Details of the call chain, please.

FWIW, what I want to do with copy_mount_options() is this:
void *copy_mount_options(const void __user * data)
{
	unsigned offs, size;
	char *copy;

	if (!data)
		return NULL;

	copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
	if (!copy)
		return ERR_PTR(-ENOMEM);

	offs = (unsigned long)data & (PAGE_SIZE - 1);

	if (copy_from_user(copy, data, PAGE_SIZE - offs)) {
		kfree(copy);
		return ERR_PTR(-EFAULT);
	}
	if (offs) {
		if (copy_from_user(copy, data + PAGE_SIZE - offs, offs))
			memset(copy + PAGE_SIZE - offs, 0, offs);
	}
	return copy;
}

which should get rid of any TASK_SIZE references whatsoever, but I really
wonder where have you run into the problem.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: copy_mount_options() problem
  2019-10-15 22:03   ` Al Viro
@ 2019-10-16  7:39     ` Pavel V. Panteleev
  0 siblings, 0 replies; 6+ messages in thread
From: Pavel V. Panteleev @ 2019-10-16  7:39 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-fsdevel

This works, thanks.

On 16.10.2019 01:03, Al Viro wrote:
> On Tue, Oct 15, 2019 at 07:40:34PM +0100, Al Viro wrote:
>> On Tue, Oct 15, 2019 at 09:09:02PM +0300, Pavel V. Panteleev wrote:
>>> Hello,
>>>
>>> copy_mount_options() checks that data doesn't cross TASK_SIZE boundary. It's
>>> not correct. Really it should check USER_DS boudary, because some archs have
>>> TASK_SIZE not equal to USER_DS. In this case (USER_DS != TASK_SIZE)
>>> exact_copy_from_user() will stop on access_ok() check, if data cross
>>> USER_DS, but doesn't cross TASK_SIZE.
>> Details of the call chain, please.
> FWIW, what I want to do with copy_mount_options() is this:
> void *copy_mount_options(const void __user * data)
> {
> 	unsigned offs, size;
> 	char *copy;
>
> 	if (!data)
> 		return NULL;
>
> 	copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
> 	if (!copy)
> 		return ERR_PTR(-ENOMEM);
>
> 	offs = (unsigned long)data & (PAGE_SIZE - 1);
>
> 	if (copy_from_user(copy, data, PAGE_SIZE - offs)) {
> 		kfree(copy);
> 		return ERR_PTR(-EFAULT);
> 	}
> 	if (offs) {
> 		if (copy_from_user(copy, data + PAGE_SIZE - offs, offs))
> 			memset(copy + PAGE_SIZE - offs, 0, offs);
> 	}
> 	return copy;
> }
>
> which should get rid of any TASK_SIZE references whatsoever, but I really
> wonder where have you run into the problem.
>
>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: copy_mount_options() problem
  2019-10-15 18:40 ` Al Viro
  2019-10-15 22:03   ` Al Viro
@ 2019-10-16  7:31   ` Pavel V. Panteleev
  1 sibling, 0 replies; 6+ messages in thread
From: Pavel V. Panteleev @ 2019-10-16  7:31 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-fsdevel

# tracer: nop
#
# entries-in-buffer/entries-written: 3/3   #P:16
#
#                              _-----=> irqs-off
#                             / _----=> need-resched
#                            |/  _-----=> need-resched_lazy
#                            || / _---=> hardirq/softirq
#                            ||| / _--=> preempt-depth
#                            |||| / _-=> preempt-lazy-depth
#                            ||||| / _-=> migrate-disable
#                            |||||| /    delay
#           TASK-PID   CPU#  |||||||   TIMESTAMP  FUNCTION
#              | |       |   |||||||      |         |
        automount-5999  [001] .......   170.320000: 0: 
copy_mount_options(): copy 0xd017d560b000 data 0xc2dfffffe340 size 
0x1000 USER_DS 0xc2dffffff000 TASK_SIZE 0xd00000000000
        automount-5999  [001] .......   170.320000: : 
exact_copy_from_user(): !access_ok
        automount-5999  [001] .......   170.320000: : 
copy_mount_options(): return -EFAULT

On 15.10.2019 21:40, Al Viro wrote:
> On Tue, Oct 15, 2019 at 09:09:02PM +0300, Pavel V. Panteleev wrote:
>> Hello,
>>
>> copy_mount_options() checks that data doesn't cross TASK_SIZE boundary. It's
>> not correct. Really it should check USER_DS boudary, because some archs have
>> TASK_SIZE not equal to USER_DS. In this case (USER_DS != TASK_SIZE)
>> exact_copy_from_user() will stop on access_ok() check, if data cross
>> USER_DS, but doesn't cross TASK_SIZE.
> Details of the call chain, please.
>
>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* copy_mount_options() problem
@ 2019-10-15 15:12 Pavel V. Panteleev
  0 siblings, 0 replies; 6+ messages in thread
From: Pavel V. Panteleev @ 2019-10-15 15:12 UTC (permalink / raw)
  To: linux-fsdevel

Hello,

copy_mount_options() checks that data doesn' cross TASK_SIZE boundary. It's not correct. Really it should check USER_DS boudary, because some archs have TASK_SIZE not equal to USER_DS. In this case (USER_DS != TASK_SIZE) exact_copy_from_user() will stop on access_ok() check, if data cross USER_DS, but doesn't cross TASK_SIZE.

Best regards,
Pavel V. Panteleev

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2019-10-16  7:40 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-10-15 18:09 copy_mount_options() problem Pavel V. Panteleev
2019-10-15 18:40 ` Al Viro
2019-10-15 22:03   ` Al Viro
2019-10-16  7:39     ` Pavel V. Panteleev
2019-10-16  7:31   ` Pavel V. Panteleev
  -- strict thread matches above, loose matches on Subject: below --
2019-10-15 15:12 Pavel V. Panteleev

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).