From: Al Viro <viro@ZenIV.linux.org.uk>
To: Christoph Hellwig <hch@infradead.org>
Cc: "Andy Lutomirski" <luto@kernel.org>,
"Ingo Molnar" <mingo@kernel.org>, "Greg KH" <greg@kroah.com>,
"Thomas Garnier" <thgarnie@google.com>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
"Heiko Carstens" <heiko.carstens@de.ibm.com>,
"Dave Hansen" <dave.hansen@intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Thomas Gleixner" <tglx@linutronix.de>,
"David Howells" <dhowells@redhat.com>,
"René Nyffenegger" <mail@renenyffenegger.ch>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Oleg Nesterov" <oleg@redhat.com>,
"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
"Ingo Molnar" <mingo@redhat.com>,
"H . Peter Anvin" <hpa@zytor.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Rik van Riel" <riel@redhat.com>,
"Kees Cook" <keescook@chromium.org>,
"Josh Poimboeuf" <jpoimboe@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Brian Gerst" <brgerst@gmail.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
"Russell King" <linux@armlinux.org.uk>,
"Will Deacon" <will.deacon@arm.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"Mark Rutland" <mark.rutland@arm.com>,
"James Morse" <james.morse@arm.com>,
linux-s390 <linux-s390@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"Linux API" <linux-api@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"Kernel Hardening" <kernel-hardening@lists.openwall.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Peter Zijlstra" <a.p.zijlstra@chello.nl>
Subject: Re: [kernel-hardening] Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode
Date: Wed, 10 May 2017 08:27:47 +0100 [thread overview]
Message-ID: <20170510072746.GF390@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20170510065301.GC4115@infradead.org>
On Tue, May 09, 2017 at 11:53:01PM -0700, Christoph Hellwig wrote:
> On Wed, May 10, 2017 at 04:12:54AM +0100, Al Viro wrote:
> > What's the point? What's wrong with having kernel_read()/kernel_readv()/etc.?
> > You still have set_fs() in there; doing that one level up in call chain would
> > be just fine... IDGI.
>
> The problem is that they modify the address limit, which the whole
> subthread here wants to get rid of.
And you *still* do the same. Christoph, this is ridiculous - the worst
part of the area is not a couple of functions in fs/read_write.c, it's
a fucking lot of ->read() and ->write() instances in shitty driver code,
pardon the redundance. And _that_ is still done under set_fs(KERNEL_DS).
Claiming that set_fs() done one function deeper in callchain (both in
fs/read_write.c) is somehow better because it reduces the amount of code
under that thing... Get real, please - helpers that encapsulate those
set_fs() pairs (a-la kernel_read(), etc.) absolutely make sense and
converting their open-coded instances to calls of those helpers is clearly
a good thing. However, we are not
* getting rid of low-quality code run under KERNEL_DS
* gettind rid of set_fs() itself
* getting a generic kernel_read() variant that would really take
an iov_iter.
That's what I'm objecting to. Centralized kernel_readv() et.al. - sure,
and fs/read_write.c is the right place for those. No arguments here.
Conversion to those - absolutely; drivers have no fucking business touching
set_fs() at all. But your primitives are trouble waiting to happen.
Let them take kvec arrays. And let them, in case when there's no
->read_iter()/->write_iter(), do set_fs(). Statically, without this
if (iter->type & ITER_KVEC) ... stuff.
> > Another delicate place: you can't assume that write() always advances
> > file position by its (positive) return value. btrfs stuff is sensitive
> > to that.
>
> If we don't want to assume that we need to pass pointer to pos to
> kernel_read/write. Which might be a good idea in general.
Yes.
> > ashmem probably _is_ OK with demanding ->read_iter(), but I'm not sure
> > about blind asma->file->f_pos += ret. That's begging for races. Actually,
> > scratch that - it *is* racy.
>
> I think the proper fix is to not even bother to maintain f_pos of the
> backing file, as we don't ever use it - all reads from it pass in
> an explicit position anyway.
vfs_llseek() used by ashmem_llseek()...
next prev parent reply other threads:[~2017-05-10 7:29 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-28 15:32 [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode Thomas Garnier
2017-04-28 15:32 ` [PATCH v9 2/4] x86/syscalls: Optimize address limit check Thomas Garnier
2017-04-28 15:32 ` [PATCH v9 3/4] arm/syscalls: " Thomas Garnier
2017-04-28 15:32 ` [PATCH v9 4/4] arm64/syscalls: " Thomas Garnier
2017-05-05 22:18 ` [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode Thomas Garnier
2017-05-08 7:33 ` Ingo Molnar
2017-05-08 7:52 ` Ingo Molnar
2017-05-08 15:22 ` [kernel-hardening] " Daniel Micay
2017-05-08 15:26 ` Kees Cook
2017-05-08 19:51 ` Thomas Garnier
2017-05-09 6:56 ` Ingo Molnar
2017-05-09 11:10 ` Greg KH
2017-05-09 14:29 ` Thomas Garnier
2017-05-11 23:17 ` Thomas Garnier
2017-05-11 23:44 ` Linus Torvalds
2017-05-12 5:28 ` Martin Schwidefsky
2017-05-12 5:34 ` Kees Cook
2017-05-12 5:54 ` Martin Schwidefsky
2017-05-12 19:01 ` Kees Cook
2017-05-12 19:08 ` Russell King - ARM Linux
2017-05-12 19:08 ` Linus Torvalds
2017-05-12 19:30 ` Kees Cook
2017-05-12 20:21 ` Russell King - ARM Linux
2017-05-12 20:30 ` Peter Zijlstra
2017-05-12 20:45 ` Russell King - ARM Linux
2017-05-12 21:00 ` Kees Cook
2017-05-12 21:04 ` Kees Cook
2017-05-13 7:21 ` Christoph Hellwig
2017-05-12 21:06 ` Al Viro
2017-05-12 21:16 ` Daniel Micay
2017-05-12 21:17 ` Kees Cook
2017-05-12 21:23 ` Daniel Micay
2017-05-12 21:41 ` Al Viro
2017-05-12 21:47 ` Rik van Riel
2017-05-12 22:57 ` Al Viro
2017-05-12 21:50 ` Kees Cook
2017-05-12 6:57 ` Ingo Molnar
2017-05-12 6:13 ` Andy Lutomirski
2017-05-12 6:58 ` Ingo Molnar
2017-05-12 17:05 ` Thomas Garnier
2017-05-09 16:30 ` Kees Cook
2017-05-08 12:46 ` Greg KH
2017-05-09 6:45 ` Ingo Molnar
2017-05-09 8:56 ` Christoph Hellwig
2017-05-09 13:00 ` Andy Lutomirski
2017-05-09 13:02 ` Christoph Hellwig
2017-05-09 16:03 ` Christoph Hellwig
2017-05-09 16:50 ` Kees Cook
2017-05-09 22:52 ` Andy Lutomirski
2017-05-09 23:31 ` Kees Cook
2017-05-10 1:59 ` Andy Lutomirski
2017-05-10 7:15 ` Christoph Hellwig
2017-05-11 11:22 ` Borislav Petkov
2017-05-10 6:46 ` Christoph Hellwig
2017-05-10 2:11 ` Al Viro
2017-05-10 2:45 ` Al Viro
2017-05-10 3:12 ` Al Viro
2017-05-10 3:21 ` Al Viro
2017-05-10 3:39 ` Al Viro
2017-05-10 6:54 ` Christoph Hellwig
2017-05-10 6:53 ` Christoph Hellwig
2017-05-10 7:27 ` Al Viro [this message]
2017-05-10 7:35 ` Christoph Hellwig
2017-05-10 6:49 ` Christoph Hellwig
2017-05-10 7:28 ` Arnd Bergmann
2017-05-10 7:35 ` Christoph Hellwig
2017-05-09 16:05 ` Brian Gerst
2017-05-10 7:37 ` Arnd Bergmann
2017-05-10 8:08 ` Al Viro
2017-05-10 8:14 ` Christoph Hellwig
2017-05-11 0:18 ` Andy Lutomirski
2017-05-12 7:00 ` Ingo Molnar
2017-05-12 7:15 ` Al Viro
2017-05-12 7:35 ` Christoph Hellwig
2017-05-12 7:43 ` Arnd Bergmann
2017-05-12 8:11 ` Christoph Hellwig
2017-05-12 8:16 ` Al Viro
2017-05-12 8:11 ` Al Viro
2017-05-12 8:20 ` Arnd Bergmann
2017-05-12 23:20 ` Andy Lutomirski
2017-05-08 13:09 ` Kees Cook
2017-05-08 14:02 ` Ingo Molnar
2017-05-08 14:06 ` Jann Horn
2017-05-08 20:48 ` Al Viro
2017-05-12 23:15 ` Andy Lutomirski
2017-05-08 15:24 ` Kees Cook
2017-05-09 6:34 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170510072746.GF390@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=borntraeger@de.ibm.com \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@intel.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=hch@infradead.org \
--cc=heiko.carstens@de.ibm.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=luto@kernel.org \
--cc=mail@renenyffenegger.ch \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pbonzini@redhat.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=riel@redhat.com \
--cc=schwidefsky@de.ibm.com \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=torvalds@linux-foundation.org \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox