From: David Laight <david.laight.linux@gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Arnd Bergmann <arnd@arndb.de>, Kees Cook <kees@kernel.org>
Subject: Re: [PATCH 1/2] uaccess: Simplify code pattern for masked user copies
Date: Sun, 9 Feb 2025 19:47:56 +0000 [thread overview]
Message-ID: <20250209194756.4cd45e12@pumpkin> (raw)
In-Reply-To: <CAHk-=wgu0B+9ZSmXaL6EyYQyDsWRGZv48jRGKJMphpO4bNiu_A@mail.gmail.com>
On Sun, 9 Feb 2025 09:40:05 -0800
Linus Torvalds <torvalds@linux-foundation.org> wrote:
> On Sun, 9 Feb 2025 at 02:56, David Laight <david.laight.linux@gmail.com> wrote:
> >
> > Code can then be changed:
> > - if (!user_read_access_begin(from, sizeof(*from)))
> > + if (!masked_user_read_access_begin(&from, sizeof(*from)))
> > return -EFAULT;
>
> I really dislike the use of "pass pointer to simple variable you are
> going to change" interfaces which is why I didn't do it this way.
I'm not sure the 'goto' model works here.
The issue is that the calling code mustn't use the unmasked address.
You really want to make that as hard as possible.
So the 'function' really does need to do an in-situ update.
I did do a test compile without the &, it exploded but I didn't
check whether it always would.
IIRC there is a sparse check for 'user' pointers that would help.
Even with the current functions, someone is bound to write:
if (!masked_user_access_begin(uaddr))
return -EFAULT;
unsafe_get_user(kaddr, uaddr, label);
and it will all appear to be fine...
(objtool might detect something because of the NULL pointer path.)
You almost need it to be 'void masked_user_access_begin(&uaddr)'.
David
next prev parent reply other threads:[~2025-02-09 19:47 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-09 10:55 [PATCH 0/2] uaccess: Add masked_user_read_access_begin David Laight
2025-02-09 10:55 ` [PATCH 1/2] uaccess: Simplify code pattern for masked user copies David Laight
2025-02-09 17:40 ` Linus Torvalds
2025-02-09 18:34 ` David Laight
2025-02-09 18:40 ` Linus Torvalds
2025-02-09 18:46 ` Linus Torvalds
2025-02-09 19:02 ` David Laight
2025-02-09 19:47 ` David Laight [this message]
2025-02-09 20:40 ` Linus Torvalds
2025-02-09 21:18 ` David Laight
2025-02-09 21:38 ` Linus Torvalds
2025-02-09 10:56 ` [PATCH 2/2] fs: Use masked_user_read_access_begin() David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250209194756.4cd45e12@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).