From: Josh Triplett <josh@joshtriplett.org>
To: Kees Cook <keescook@chromium.org>
Cc: David Drysdale <drysdale@google.com>,
Ingo Molnar <mingo@kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Arnd Bergmann <arnd@arndb.de>,
Shuah Khan <shuahkh@osg.samsung.com>,
Jonathan Corbet <corbet@lwn.net>,
Eric B Munson <emunson@akamai.com>,
Randy Dunlap <rdunlap@infradead.org>,
Andrea Arcangeli <aarcange@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Oleg Nesterov <oleg@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Al Viro <viro@zeniv.linux.org.uk>,
Rusty Russell <rusty@rustcorp.com.au>,
Peter Zijlstra <peterz@infradead.org>,
Vivek Goyal <vgoyal@redhat.com>,
Alexei Starovoitov <ast@plumgrid.com>,
David Herrmann <dh.herrmann@gmail.com>,
"Theodore Ts'o" <tytso@mit.edu>, Milosz Tanski <milosz@adfin.com>,
Fam Zheng <famz@redhat.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [PATCHv2 1/1] Documentation: describe how to add a system call
Date: Thu, 30 Jul 2015 18:03:44 -0700 [thread overview]
Message-ID: <20150731010344.GA8050@x> (raw)
In-Reply-To: <20150731010234.GA7265@x>
On Thu, Jul 30, 2015 at 06:02:34PM -0700, Josh Triplett wrote:
> On Thu, Jul 30, 2015 at 01:03:43PM -0700, Kees Cook wrote:
> > On Thu, Jul 30, 2015 at 12:04 PM, Josh Triplett <josh@joshtriplett.org> wrote:
> > > On Thu, Jul 30, 2015 at 11:21:54AM -0700, Kees Cook wrote:
> > >> I like this, it's a good description of both options. I'm still biased
> > >> about the approach: I prefer flags, since pointers to user structures
> > >> complicate syscall filtering. ;)
> > >
> > > Seems like we should do two things to make that easier:
> > >
> > > 1) Create a standardized kernel mechanism for parameter-struct handling,
> > > implementing the recommendations mentioned here.
> >
> > It's been suggested in the past that nlmsg is appropriate for such a
> > thing, but I remain suspicious. :)
>
> Likewise. :)
>
> > > 2) Integrate into that mechanism a way to filter the resulting parameter
> > > struct with BPF *after* it has been copied to kernel space (and thus
> > > can no longer be tampered with).
> >
> > Yeah, this is a irritating part: the structures operated on are copied
> > from userspace adhoc in each syscall. Doing argument checking would
> > mean double copies initially, and perhaps teaching syscalls about
> > optional "already copied" arguments or something as an optimization.
>
> No, double copies can't work for security reasons. Because otherwise
> you could race the kernel from another thread, substituting different
> values after the check and before the use.
>
> I think the right API looks *roughly* like this:
>
> int _copy_param_struct(size_t kernel_len, void *kernel_struct, size_t user_len, void __user *user_struct)
> {
> 	if (user_len > kernel_len)
> 		return -EINVAL;
> 	if (user_len && copy_from_user(kernel_struct, user_struct, user_len))
> 		return -EFAULT;
> 	if (user_len < kernel_len)
> 		memset(kernel_struct + user_len, 0, kernel_len - user_len);
> 	return 0;
> }
>
> #define copy_param_struct(kernel_struct, user_len, user_struct) _copy_param_struct( \
> 	sizeof(*kernel_struct) + BUILD_BUG_ON_ZERO(!__same_type(*kernel_struct, *user_struct)), \
> 	kernel_struct, user_len, user_struct)
>
>
> Then the syscall looks like this:
>
> SYSCALL_DEFINEn(xyzzy, ..., ..., size_t user_params_len, struct xyzzy_params __user *user_params)
Missed a couple of commas here (after the types and before the names).
> {
> 	int ret;
> 	struct xyzzy_params params;
>
> 	ret = copy_param_struct(&params, user_params_len, user_params);
> 	if (ret)
> 		return ret;
> 	...
>
>
> And you could then hook copy_params_struct to add arbitrary additional
> syscall parameter validation. Bonus if there's some way to make the
> copy and validation occur before the syscall is ever invoked, rather
> than inside the syscall, but that would require adding fancier syscall
> definition mechanisms that autogenerate such code.
>
> - Josh Triplett
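As an added example that is not part of the thread, here is a user-space model of the copy_param_struct() pattern sketched above, so the copy semantics can be run and checked outside a kernel. copy_from_user() is replaced by a plain memcpy() stand-in, the BUILD_BUG_ON_ZERO/__same_type check is dropped because the model takes a const void * user pointer, and struct xyzzy_params, its fields, and validate_xyzzy_params() are constructed for illustration. It exercises both length cases (an older caller's shorter struct is zero-extended; a newer caller's longer struct is rejected with -EINVAL) and runs the validation hook on the kernel-side copy only, which is the property that makes a second copy for checking unnecessary and a check on the user buffer unsafe.

```c
/* User-space model of the copy_param_struct() pattern from the thread.
 * Constructed for illustration; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for copy_from_user(): returns the number of bytes NOT copied.
 * The "user" buffer is ordinary memory here, so it always succeeds. */
static unsigned long fake_copy_from_user(void *dst, const void *src, size_t n)
{
	memcpy(dst, src, n);
	return 0;
}

/* Kernel-side view of the parameter block (constructed). A "v1" caller
 * only sends flags and mode; timeout_ms was added later and must read
 * as 0 when such a caller is used. */
struct xyzzy_params {
	uint32_t flags;
	uint32_t mode;
	uint64_t timeout_ms;
};

/* Generic helper following the sketch: reject a struct longer than the
 * kernel understands, copy what the caller supplied, zero the rest. */
static int _copy_param_struct(size_t kernel_len, void *kernel_struct,
			      size_t user_len, const void *user_struct)
{
	if (user_len > kernel_len)
		return -EINVAL;		/* caller is newer than this kernel */
	if (user_len && fake_copy_from_user(kernel_struct, user_struct, user_len))
		return -EFAULT;
	if (user_len < kernel_len)
		memset((char *)kernel_struct + user_len, 0, kernel_len - user_len);
	return 0;
}

#define copy_param_struct(kernel_struct, user_len, user_struct) \
	_copy_param_struct(sizeof(*(kernel_struct)), (kernel_struct), \
			   (user_len), (user_struct))

/* Validation hook (constructed rules). It only ever sees the kernel copy,
 * taken after copy_param_struct() returned, so another thread rewriting
 * the user buffer cannot change what was checked. */
static int validate_xyzzy_params(const struct xyzzy_params *p)
{
	const uint32_t known_flags = 0x3;	/* only bits 0 and 1 are defined */

	if (p->flags & ~known_flags)
		return -EINVAL;
	if (p->mode > 2)
		return -EINVAL;
	return 0;
}

/* Model of the syscall body: copy, validate the copy, then use it. */
static int sys_xyzzy(size_t user_params_len, const void *user_params,
		     struct xyzzy_params *out)
{
	struct xyzzy_params params;
	int ret = copy_param_struct(&params, user_params_len, user_params);

	if (ret)
		return ret;
	ret = validate_xyzzy_params(&params);
	if (ret)
		return ret;
	*out = params;
	return 0;
}

/* Scenario: v1 caller passes only the first 8 bytes; timeout_ms must be 0. */
static int scenario_v1_caller_ok(void)
{
	uint32_t v1[2] = { 0x1, 2 };	/* constructed: flags=1, mode=2 */
	struct xyzzy_params out;

	if (sys_xyzzy(sizeof v1, v1, &out) != 0)
		return 0;
	return out.flags == 1 && out.mode == 2 && out.timeout_ms == 0;
}

/* Scenario: caller newer than the kernel sends a longer struct. */
static int scenario_newer_caller(void)
{
	unsigned char v3[sizeof(struct xyzzy_params) + 8] = { 0 };
	struct xyzzy_params out;

	return sys_xyzzy(sizeof v3, v3, &out);
}

/* Scenario: right length, but an undefined flag bit set. */
static int scenario_bad_flags(void)
{
	uint32_t v1[2] = { 0x8, 0 };
	struct xyzzy_params out;

	return sys_xyzzy(sizeof v1, v1, &out);
}

int main(void)
{
	printf("v1 caller ok: %d\n", scenario_v1_caller_ok());
	printf("newer caller: %d (expect -EINVAL=%d)\n", scenario_newer_caller(), -EINVAL);
	printf("bad flags:    %d (expect -EINVAL=%d)\n", scenario_bad_flags(), -EINVAL);
	return 0;
}
```

The zero-fill step is what keeps the check meaningful: once the kernel copy has been extended to the full kernel_len, every field the validator reads has a defined value, whether or not the caller knew about it.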