From: Christian Schrefl <chrisi.schrefl@gmail.com>
To: Alice Ryhl <aliceryhl@google.com>,
Miguel Ojeda <ojeda@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Arnd Bergmann <arnd@arndb.de>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] uaccess: rust: use newtype for user pointers
Date: Tue, 27 May 2025 21:03:27 +0200 [thread overview]
Message-ID: <83969228-bc7c-4eda-8531-53681e7f6600@gmail.com> (raw)
In-Reply-To: <20250527-userptr-newtype-v2-1-a789d266f6b0@google.com>
Hi Alice,
On 27.05.25 3:53 PM, Alice Ryhl wrote:
> In C code we use sparse with the __user annotation to detect cases where
> a user pointer is mixed up with other things. To replicate that, we
> introduce a new struct UserPtr that serves the same purpose using the
> newtype pattern.
>
> The UserPtr type is not marked with #[derive(Debug)], which means that
> it's not possible to print values of this type. This avoids ASLR
> leakage.
>
> The type is added to the prelude as it is a fairly fundamental type
> similar to c_int. The wrapping_add() method is renamed to
> wrapping_byte_add() for consistency with the method name found on raw
> pointers.
>
> Signed-off-by: Alice Ryhl <aliceryhl@google.com>
> ---
> This is based on top of the strncpy_from_user for Rust patch.
> ---
> Changes in v2:
> - Change usize to raw pointer.
> - Make field private.
> - Rename wrapping_add to wrapping_byte_add.
> - Add to prelude.
> - Rebase on v4 of strncpy_from_user
> - Link to v1: https://lore.kernel.org/r/20250506-userptr-newtype-v1-1-a0f6f8ce9fc5@google.com
> ---
> rust/kernel/prelude.rs | 2 ++
> rust/kernel/uaccess.rs | 68 +++++++++++++++++++++++++++++++++-------
> samples/rust/rust_misc_device.rs | 2 ++
> 3 files changed, 60 insertions(+), 12 deletions(-)
>
> diff --git a/rust/kernel/prelude.rs b/rust/kernel/prelude.rs
> index baa774a351ceeb995a2a647f78a27b408d9f3834..081af5bc07b0bcefb1da16e5a81fc611b3178aea 100644
> --- a/rust/kernel/prelude.rs
> +++ b/rust/kernel/prelude.rs
> @@ -41,3 +41,5 @@
> pub use super::init::InPlaceInit;
>
> pub use super::current;
> +
> +pub use super::uaccess::UserPtr;
> diff --git a/rust/kernel/uaccess.rs b/rust/kernel/uaccess.rs
> index e6534b52a1920254d61f8349426d4cdb38286089..02e0561eb1c6f4d813a4ab13a124bfac2d2a5c75 100644
> --- a/rust/kernel/uaccess.rs
> +++ b/rust/kernel/uaccess.rs
> @@ -14,8 +14,48 @@
> };
> use core::mem::{size_of, MaybeUninit};
>
> -/// The type used for userspace addresses.
> -pub type UserPtr = usize;
> +/// A pointer into userspace.
> +///
> +/// This is the Rust equivalent to C pointers tagged with `__user`.
> +#[repr(transparent)]
> +#[derive(Copy, Clone)]
> +pub struct UserPtr(*mut c_void);
> +
> +impl UserPtr {
> + /// Create a `UserPtr` from an integer representing the userspace address.
> + pub fn from_addr(addr: usize) -> Self {
> + Self(addr as *mut c_void)
> + }
> +
> + /// Create a `UserPtr` from a pointer representing the userspace address.
> + pub fn from_ptr(addr: *mut c_void) -> Self {
> + Self(addr)
> + }
> +
> + /// Cast this userspace pointer to a raw const void pointer.
> + ///
> + /// It is up to the caller to use the returned pointer correctly.
> + #[inline]
> + pub fn as_const_ptr(self) -> *const c_void {
> + self.0
> + }
> +
> + /// Cast this userspace pointer to a raw mutable void pointer.
> + ///
> + /// It is up to the caller to use the returned pointer correctly.
> + #[inline]
> + pub fn as_mut_ptr(self) -> *mut c_void {
> + self.0
> + }
> +
> + /// Increment this user pointer by `add` bytes.
> + ///
> + /// This addition is wrapping, so wrapping around the address space does not result in a panic
> + /// even if `CONFIG_RUST_OVERFLOW_CHECKS` is enabled.
> + pub fn wrapping_byte_add(self, add: usize) -> UserPtr {
> + UserPtr(self.0.wrapping_add(add))
Why use `ptr::wrapping_add` instead of `ptr::wrapping_byte_add`?
Should not really matter in this case, because `c_void` is
`repr(u8)`, but I find it a bit weird to use `wrapping_add` here.
With that fixed:
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
> + }
> +}
>
> /// A pointer to an area in userspace memory, which can be either read-only or read-write.
> ///
> @@ -179,7 +219,7 @@ impl UserSliceReader {
> pub fn skip(&mut self, num_skip: usize) -> Result {
> // Update `self.length` first since that's the fallible part of this operation.
> self.length = self.length.checked_sub(num_skip).ok_or(EFAULT)?;
> - self.ptr = self.ptr.wrapping_add(num_skip);
> + self.ptr = self.ptr.wrapping_byte_add(num_skip);
> Ok(())
> }
>
> @@ -226,11 +266,11 @@ pub fn read_raw(&mut self, out: &mut [MaybeUninit<u8>]) -> Result {
> }
> // SAFETY: `out_ptr` points into a mutable slice of length `len`, so we may write
> // that many bytes to it.
> - let res = unsafe { bindings::copy_from_user(out_ptr, self.ptr as *const c_void, len) };
> + let res = unsafe { bindings::copy_from_user(out_ptr, self.ptr.as_const_ptr(), len) };
> if res != 0 {
> return Err(EFAULT);
> }
> - self.ptr = self.ptr.wrapping_add(len);
> + self.ptr = self.ptr.wrapping_byte_add(len);
> self.length -= len;
> Ok(())
> }
> @@ -264,14 +304,14 @@ pub fn read<T: FromBytes>(&mut self) -> Result<T> {
> let res = unsafe {
> bindings::_copy_from_user(
> out.as_mut_ptr().cast::<c_void>(),
> - self.ptr as *const c_void,
> + self.ptr.as_const_ptr(),
> len,
> )
> };
> if res != 0 {
> return Err(EFAULT);
> }
> - self.ptr = self.ptr.wrapping_add(len);
> + self.ptr = self.ptr.wrapping_byte_add(len);
> self.length -= len;
> // SAFETY: The read above has initialized all bytes in `out`, and since `T` implements
> // `FromBytes`, any bit-pattern is a valid value for this type.
> @@ -384,11 +424,11 @@ pub fn write_slice(&mut self, data: &[u8]) -> Result {
> }
> // SAFETY: `data_ptr` points into an immutable slice of length `len`, so we may read
> // that many bytes from it.
> - let res = unsafe { bindings::copy_to_user(self.ptr as *mut c_void, data_ptr, len) };
> + let res = unsafe { bindings::copy_to_user(self.ptr.as_mut_ptr(), data_ptr, len) };
> if res != 0 {
> return Err(EFAULT);
> }
> - self.ptr = self.ptr.wrapping_add(len);
> + self.ptr = self.ptr.wrapping_byte_add(len);
> self.length -= len;
> Ok(())
> }
> @@ -411,7 +451,7 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
> // is a compile-time constant.
> let res = unsafe {
> bindings::_copy_to_user(
> - self.ptr as *mut c_void,
> + self.ptr.as_mut_ptr(),
> (value as *const T).cast::<c_void>(),
> len,
> )
> @@ -419,7 +459,7 @@ pub fn write<T: AsBytes>(&mut self, value: &T) -> Result {
> if res != 0 {
> return Err(EFAULT);
> }
> - self.ptr = self.ptr.wrapping_add(len);
> + self.ptr = self.ptr.wrapping_byte_add(len);
> self.length -= len;
> Ok(())
> }
> @@ -444,7 +484,11 @@ fn raw_strncpy_from_user(dst: &mut [MaybeUninit<u8>], src: UserPtr) -> Result<us
>
> // SAFETY: `dst` is valid for writing `dst.len()` bytes.
> let res = unsafe {
> - bindings::strncpy_from_user(dst.as_mut_ptr().cast::<c_char>(), src as *const c_char, len)
> + bindings::strncpy_from_user(
> + dst.as_mut_ptr().cast::<c_char>(),
> + src.as_const_ptr().cast::<c_char>(),
> + len,
> + )
> };
>
> if res < 0 {
> diff --git a/samples/rust/rust_misc_device.rs b/samples/rust/rust_misc_device.rs
> index c881fd6dbd08cf4308fe1bd37d11d28374c1f034..e7ab77448f754906615b6f89d72b51fa268f6c41 100644
> --- a/samples/rust/rust_misc_device.rs
> +++ b/samples/rust/rust_misc_device.rs
> @@ -176,6 +176,8 @@ fn open(_file: &File, misc: &MiscDeviceRegistration<Self>) -> Result<Pin<KBox<Se
> fn ioctl(me: Pin<&RustMiscDevice>, _file: &File, cmd: u32, arg: usize) -> Result<isize> {
> dev_info!(me.dev, "IOCTLing Rust Misc Device Sample\n");
>
> + // Treat the ioctl argument as a user pointer.
> + let arg = UserPtr::from_addr(arg);
> let size = _IOC_SIZE(cmd);
>
> match cmd {
>
> ---
> base-commit: f34da179a4517854b2ffbe4bce8c3405bd9be04e
> change-id: 20250506-userptr-newtype-2f060985c33b
> prerequisite-change-id: 20250424-strncpy-from-user-1f2d06b0cdde:v4
> prerequisite-patch-id: d35c479ddb84bacc541dbb226c7911e5a22cad7e
> prerequisite-patch-id: e0c345945dabfa18e9ca11f7fe11f8178d071285
>
> Best regards,
next prev parent reply other threads:[~2025-05-27 19:03 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-27 13:53 [PATCH v2] uaccess: rust: use newtype for user pointers Alice Ryhl
2025-05-27 14:42 ` Greg Kroah-Hartman
2025-05-27 15:20 ` Boqun Feng
2025-05-27 15:22 ` Alice Ryhl
2025-05-27 19:03 ` Christian Schrefl [this message]
2025-05-27 19:09 ` Alice Ryhl
2025-05-27 22:12 ` Al Viro
2025-05-27 23:13 ` Boqun Feng
2025-05-28 10:48 ` Alice Ryhl
2025-05-28 15:38 ` Benno Lossin
2025-05-28 16:02 ` Boqun Feng
2025-05-28 10:47 ` Alice Ryhl
2025-05-28 17:45 ` Al Viro
2025-05-28 20:01 ` Al Viro
2025-05-28 20:35 ` Benno Lossin
2025-05-28 10:52 ` Danilo Krummrich
2025-05-28 16:55 ` Benno Lossin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=83969228-bc7c-4eda-8531-53681e7f6600@gmail.com \
--to=chrisi.schrefl@gmail.com \
--cc=a.hindborg@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=aliceryhl@google.com \
--cc=arnd@arndb.de \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tmgross@umich.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).