From: Arjan van de Ven <arjan@linux.intel.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: mingo@elte.hu, tglx@linutronix.de, hpa@zytor.com,
linux@roeck-us.net, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: unify copy_from_user() checking
Date: Wed, 16 Oct 2013 07:00:23 -0700 [thread overview]
Message-ID: <525E9BF7.7020706@linux.intel.com> (raw)
In-Reply-To: <525E964402000078000FB70C@nat28.tlf.novell.com>
>
> It also puzzles me that similar checking isn't done for copy_to_user():
> While not resulting in (kernel) buffer overflows, size mistakes there
> would still lead to information leaks.
at the time I went for the highest payoff only; e.g. the mistake of copying
to a fixed size kernel buffer.
Adding the other direction is a good idea of course.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Cc: Arjan van de Ven <arjan@linux.intel.com>
> Cc: Guenter Roeck <linux@roeck-us.net>
> +static inline unsigned long __must_check copy_from_user(void *to,
> + const void __user *from,
> + unsigned long n)
> +{
> + int sz = __compiletime_object_size(to);
> +
> + might_fault();
> + if (likely(sz == -1 || sz >= n))
> + n = _copy_from_user(to, from, n);
> + else if(__builtin_constant_p(n))
> + copy_from_user_overflow();
this part I am not so sure about.
the original intent was that even if n is not constant, the compiler must still be able
to prove that it is smaller than sz using the range tracking feature in gcc!
In fact, that was the whole point.
The code (at the time, they're all fixed) found cases where the checks done to "n" were off by one
etc...
by requiring "n" to be constant for these checks you remove that layer of checking.
if you have found cases where this matters... maybe you found a new security issue...
so while I like the cleanup part of your patch.... not convinced on this part yet
next prev parent reply other threads:[~2013-10-16 14:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-16 11:36 [PATCH] x86: unify copy_from_user() checking Jan Beulich
2013-10-16 14:00 ` Arjan van de Ven [this message]
2013-10-16 15:03 ` Jan Beulich
2013-10-16 17:05 ` Arjan van de Ven
2013-10-17 9:45 ` Jan Beulich
2013-10-17 15:45 ` Arjan van de Ven
2013-10-17 15:53 ` Jan Beulich
2013-10-17 16:04 ` Arjan van de Ven
2013-10-17 16:08 ` Jan Beulich
2013-10-17 16:16 ` Arjan van de Ven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=525E9BF7.7020706@linux.intel.com \
--to=arjan@linux.intel.com \
--cc=JBeulich@suse.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=mingo@elte.hu \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox