public inbox for rust-for-linux@vger.kernel.org
 help / color / mirror / Atom feed
From: Simona Vetter <simona.vetter@ffwll.ch>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: "Benno Lossin" <benno.lossin@proton.me>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Alex Gaynor" <alex.gaynor@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Alice Ryhl" <aliceryhl@google.com>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Simona Vetter" <simona.vetter@ffwll.ch>,
	rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v2 0/2] Untrusted Data Abstraction
Date: Mon, 9 Dec 2024 15:56:01 +0100	[thread overview]
Message-ID: <Z1cFAaQ3TtRVoeKo@phenom.ffwll.local> (raw)
In-Reply-To: <2024120512-tuition-overcome-0939@gregkh>

On Thu, Dec 05, 2024 at 10:06:19AM +0100, Greg KH wrote:
> On Wed, Sep 25, 2024 at 08:52:57PM +0000, Benno Lossin wrote:
> > Enable marking certain data as untrusted. For example data coming from
> > userspace, hardware or any other external data source.
> > 
> > This idea originates from a discussion with Greg at Kangrejos. As far as I
> > understand the rationale, it is to prevent accidentally reading untrusted data
> > and using it for *logic* within the kernel. For example reading the length from
> > the hardware and not validating that it isn't too big. This is a big source for
> > logic bugs that later turn into vulnerabilities.
> > 
> > The API introduced in this series is not a silver bullet, users are still able
> > to access the untrusted value (otherwise how would they be able to validate
> > it?). But it provides additional guardrails to remind users that they ought to
> > validate the value before using it.
> > 
> > There are still some things to iron out on the Rust side:
> > - allow better handling of `Untrusted<T>`, for example allow comparing
> >   `Untrusted<[u8]>` for equality (we should do this via a trait extending
> >   `PartialEq`)
> > - rebase this on Gary's patch to enable arbitrary self types.
> > - get more feedback as to what `Untrusted` should make available
> > 
> > In this version I removed the API showcase using tarfs. I did this,
> > because I have added the API to `uaccess.rs`. Also, this version
> > requires [1] to compile the doctests.
> > 
> > [1]: https://lore.kernel.org/rust-for-linux/DM4PR14MB7276E6948E67B3B23D8EA847E9652@DM4PR14MB7276.namprd14.prod.outlook.com/
> 
> This patch series just came up again (well, to be fair I mentioned it),
> so I was curious as to what the status of it was?

I kinda dropped the ball a bit the last weeks :-/

> Also, I think we need to add this to the userslice stuff to mark all
> data coming from userspace as untrusted, so tieing that in soon would be
> good so we don't have to churn a lot of existing code that ends up being
> merged soon (i.e. misc drivers).

Yeah I agree that's going to be the main entry point for untrusted data.
-Sima
-- 
Simona Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

      parent reply	other threads:[~2024-12-09 14:56 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-25 20:52 [PATCH v2 0/2] Untrusted Data Abstraction Benno Lossin
2024-09-25 20:53 ` [PATCH v2 1/2] rust: add untrusted data abstraction Benno Lossin
2024-09-26  7:08   ` Dirk Behme
2024-09-26 10:40   ` Simona Vetter
2024-09-30 14:04     ` Benno Lossin
2024-11-26  8:05       ` Simona Vetter
2024-09-26 20:31   ` kernel test robot
2024-09-26 21:40     ` Benno Lossin
2024-09-26 21:56       ` Miguel Ojeda
2024-09-26 22:15         ` Benno Lossin
2024-09-27  8:39           ` Miguel Ojeda
2024-09-27  9:06             ` Benno Lossin
2024-09-26 21:57       ` Miguel Ojeda
2024-09-25 20:53 ` [PATCH v2 2/2] rust: switch uaccess to untrusted data API Benno Lossin
2024-09-26 11:09   ` Simona Vetter
2024-09-26 23:56   ` kernel test robot
2024-12-05  9:06 ` [PATCH v2 0/2] Untrusted Data Abstraction Greg KH
2024-12-09 12:25   ` Benno Lossin
2024-12-09 14:56   ` Simona Vetter [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z1cFAaQ3TtRVoeKo@phenom.ffwll.local \
    --to=simona.vetter@ffwll.ch \
    --cc=a.hindborg@kernel.org \
    --cc=alex.gaynor@gmail.com \
    --cc=aliceryhl@google.com \
    --cc=benno.lossin@proton.me \
    --cc=bjorn3_gh@protonmail.com \
    --cc=boqun.feng@gmail.com \
    --cc=gary@garyguo.net \
    --cc=gregkh@linuxfoundation.org \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=tmgross@umich.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox