Re: [PATCH] x86: polish __{get,put}_user_{,no}check()

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>,
	xen-devel <xen-devel@lists.xenproject.org>
Cc: Julien Grall <julien.grall@arm.com>
Subject: Re: [PATCH] x86: polish __{get,put}_user_{,no}check()
Date: Tue, 2 May 2017 15:28:53 +0100	[thread overview]
Message-ID: <e7d41a4b-f17b-126c-fd15-11c0f056d495@citrix.com> (raw)
In-Reply-To: <5908A48B0200007800155CF7@prv-mh.provo.novell.com>

On 02/05/17 14:23, Jan Beulich wrote:
> The primary purpose is correcting a latent bug in __get_user_check()
> (the macro has no active user at present): The access_ok() check should
> be before the actual access, or else any PV guest could initiate MMIO
> reads with side effects.
>
> Clean up all four macros at once:
> - all arguments evaluated exactly once
> - build the "check" flavor using the "nocheck" ones, instead of open
>   coding them
> - "int" is wide enough for error codes
> - name local variables without using underscores as prefixes
> - avoid pointless parentheses
> - add blanks after commas separating parameters or arguments
> - consistently use tabs for indentation

Could we use spaces?  This file is already half and half style, and
these bits of code are a long way removed from their Linux heritage.

>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> ---
> This corrects the code which would have resulted in an XSA on Xen 4.2
> and older, if those were still security supported. For that reason I at
> least want to explore whether this is a change we want to take for 4.9.
>
> --- a/xen/include/asm-x86/uaccess.h
> +++ b/xen/include/asm-x86/uaccess.h
> @@ -104,37 +104,35 @@ extern void __put_user_bad(void);
>  #define __put_user(x,ptr) \
>    __put_user_nocheck((__typeof__(*(ptr)))(x),(ptr),sizeof(*(ptr)))
>  
> -#define __put_user_nocheck(x,ptr,size)				\
> -({								\
> -	long __pu_err;						\
> -	__put_user_size((x),(ptr),(size),__pu_err,-EFAULT);	\
> -	__pu_err;						\
> +#define __put_user_nocheck(x, ptr, size)				\
> +({									\
> +	int err_; 							\
> +	__put_user_size(x, ptr, size, err_, -EFAULT);			\
> +	err_;								\
>  })
>  
> -#define __put_user_check(x,ptr,size)					\
> +#define __put_user_check(x, ptr, size)					\
>  ({									\
> -	long __pu_err = -EFAULT;					\
> -	__typeof__(*(ptr)) __user *__pu_addr = (ptr);			\
> -	if (access_ok(__pu_addr,size))					\
> -		__put_user_size((x),__pu_addr,(size),__pu_err,-EFAULT);	\
> -	__pu_err;							\
> +	__typeof__(*(ptr)) __user *ptr_ = (ptr);			\
> +	__typeof__(size) size_ = (size);				\
> +	access_ok(ptr_, size_) ? __put_user_nocheck(x, ptr_, size_)	\
> +			       : -EFAULT;				\
>  })							

Can you clobber the trailing whitespace on this line, like you did with
__get_user_check() ?

Otherwise, Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

>  
> -#define __get_user_nocheck(x,ptr,size)                          \
> -({                                                              \
> -	long __gu_err;                                          \
> -	__get_user_size((x),(ptr),(size),__gu_err,-EFAULT);     \
> -	__gu_err;                                               \
> +#define __get_user_nocheck(x, ptr, size)				\
> +({									\
> +	int err_; 							\
> +	__get_user_size(x, ptr, size, err_, -EFAULT);			\
> +	err_;								\
>  })
>  
> -#define __get_user_check(x,ptr,size)                            \
> -({                                                              \
> -	long __gu_err;                                          \
> -	__typeof__(*(ptr)) __user *__gu_addr = (ptr);           \
> -	__get_user_size((x),__gu_addr,(size),__gu_err,-EFAULT); \
> -	if (!access_ok(__gu_addr,size)) __gu_err = -EFAULT;     \
> -	__gu_err;                                               \
> -})							
> +#define __get_user_check(x, ptr, size)					\
> +({									\
> +	__typeof__(*(ptr)) __user *ptr_ = (ptr);			\
> +	__typeof__(size) size_ = (size);				\
> +	access_ok(ptr_, size_) ? __get_user_nocheck(x, ptr_, size_)	\
> +			       : -EFAULT;				\
> +})
>  
>  struct __large_struct { unsigned long buf[100]; };
>  #define __m(x) (*(const struct __large_struct *)(x))
>
>
>


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

next prev parent reply	other threads:[~2017-05-02 14:28 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-02 13:23 [PATCH] x86: polish __{get,put}_user_{,no}check() Jan Beulich
2017-05-02 14:28 ` Andrew Cooper [this message]
2017-05-02 14:40   ` Jan Beulich
2017-05-03 19:05     ` Andrew Cooper
2017-05-04  8:52 ` Julien Grall
2017-05-04 17:52   ` Andrew Cooper
2017-05-04 17:53     ` Julien Grall

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e7d41a4b-f17b-126c-fd15-11c0f056d495@citrix.com \
    --to=andrew.cooper3@citrix.com \
    --cc=JBeulich@suse.com \
    --cc=julien.grall@arm.com \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).