Re: [PATCH v2 0/2] Untrusted Data Abstraction

public inbox for rust-for-linux@vger.kernel.org
 help / color / mirror / Atom feed

From: Benno Lossin <benno.lossin@proton.me>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: "Miguel Ojeda" <ojeda@kernel.org>,
	"Alex Gaynor" <alex.gaynor@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Alice Ryhl" <aliceryhl@google.com>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Simona Vetter" <simona.vetter@ffwll.ch>,
	rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v2 0/2] Untrusted Data Abstraction
Date: Mon, 09 Dec 2024 12:25:59 +0000	[thread overview]
Message-ID: <1bd50122-bd7d-462e-86e5-0d2ba040ab4c@proton.me> (raw)
In-Reply-To: <2024120512-tuition-overcome-0939@gregkh>

On 05.12.24 10:06, Greg KH wrote:
> On Wed, Sep 25, 2024 at 08:52:57PM +0000, Benno Lossin wrote:
>> Enable marking certain data as untrusted. For example data coming from
>> userspace, hardware or any other external data source.
>>
>> This idea originates from a discussion with Greg at Kangrejos. As far as I
>> understand the rationale, it is to prevent accidentally reading untrusted data
>> and using it for *logic* within the kernel. For example reading the length from
>> the hardware and not validating that it isn't too big. This is a big source for
>> logic bugs that later turn into vulnerabilities.
>>
>> The API introduced in this series is not a silver bullet, users are still able
>> to access the untrusted value (otherwise how would they be able to validate
>> it?). But it provides additional guardrails to remind users that they ought to
>> validate the value before using it.
>>
>> There are still some things to iron out on the Rust side:
>> - allow better handling of `Untrusted<T>`, for example allow comparing
>>   `Untrusted<[u8]>` for equality (we should do this via a trait extending
>>   `PartialEq`)
>> - rebase this on Gary's patch to enable arbitrary self types.
>> - get more feedback as to what `Untrusted` should make available
>>
>> In this version I removed the API showcase using tarfs. I did this,
>> because I have added the API to `uaccess.rs`. Also, this version
>> requires [1] to compile the doctests.
>>
>> [1]: https://lore.kernel.org/rust-for-linux/DM4PR14MB7276E6948E67B3B23D8EA847E9652@DM4PR14MB7276.namprd14.prod.outlook.com/
> 
> This patch series just came up again (well, to be fair I mentioned it),
> so I was curious as to what the status of it was?
> 
> Also, I think we need to add this to the userslice stuff to mark all
> data coming from userspace as untrusted, so tieing that in soon would be
> good so we don't have to churn a lot of existing code that ends up being
> merged soon (i.e. misc drivers).

Sorry for the delay. I have been busy with a lot of other stuff, maybe
over the holidays I can work on this, but I'm not sure. If someone wants
to pick it up, I'm fine with that.

---
Cheers,
Benno

> 
> thanks,
> 
> greg k-h

next prev parent reply	other threads:[~2024-12-09 12:26 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-25 20:52 [PATCH v2 0/2] Untrusted Data Abstraction Benno Lossin
2024-09-25 20:53 ` [PATCH v2 1/2] rust: add untrusted data abstraction Benno Lossin
2024-09-26  7:08   ` Dirk Behme
2024-09-26 10:40   ` Simona Vetter
2024-09-30 14:04     ` Benno Lossin
2024-11-26  8:05       ` Simona Vetter
2024-09-26 20:31   ` kernel test robot
2024-09-26 21:40     ` Benno Lossin
2024-09-26 21:56       ` Miguel Ojeda
2024-09-26 22:15         ` Benno Lossin
2024-09-27  8:39           ` Miguel Ojeda
2024-09-27  9:06             ` Benno Lossin
2024-09-26 21:57       ` Miguel Ojeda
2024-09-25 20:53 ` [PATCH v2 2/2] rust: switch uaccess to untrusted data API Benno Lossin
2024-09-26 11:09   ` Simona Vetter
2024-09-26 23:56   ` kernel test robot
2024-12-05  9:06 ` [PATCH v2 0/2] Untrusted Data Abstraction Greg KH
2024-12-09 12:25   ` Benno Lossin [this message]
2024-12-09 14:56   ` Simona Vetter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1bd50122-bd7d-462e-86e5-0d2ba040ab4c@proton.me \
    --to=benno.lossin@proton.me \
    --cc=a.hindborg@kernel.org \
    --cc=alex.gaynor@gmail.com \
    --cc=aliceryhl@google.com \
    --cc=bjorn3_gh@protonmail.com \
    --cc=boqun.feng@gmail.com \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=simona.vetter@ffwll.ch \
    --cc=tmgross@umich.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox