| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <48DE7016.5040209@redhat.com> Date: Sat, 27 Sep 2008 20:40:38 +0300 From: Avi Kivity <avi@...hat.com> To: Arjan van de Ven <arjan@...radead.org> CC: Andrew Morton <akpm@...ux-foundation.org>, viro@...IV.linux.org.uk, linux-kernel@...r.kernel.org Subject: Re: [PATCH 0/3][RFC] ioctl dispatcher Arjan van de Ven wrote: > >> While ioctls are officially ugly, they are the best choice for some >> use cases, not to mention compatibility issues. Currently ioctl >> writers face the following hurdles: >> >> - if the ioctl uses a data buffer, the ioctl handler must allocate >> kernel memory for this buffer >> - the memory may be allocated on the heap or on the stack, >> depending on the buffer size >> - handle any errors from the operation >> - copy the data from userspace, if necessary >> - handle any errors from the operation >> - actually perform the operation >> - copy the data back to userspace, if necessary >> - handle any errors from the operation >> - free the buffer, if allocated from the heap >> >> The first patch automates these operations, only requiring the caller >> to supply the ioctl number and a callback in a table. >> >> > this doesn't seem to be much different from the way the DRM code deals > with ioctls. Or the V4L code. > Personally I hate that code though..... > > There is a fine balance here; between driver writers screwing something > up they shouldn't be doing in the first place and us being able to > clearly see what the code is doing; your patch kinda hides some key > elements of the ioctl path... Which key elements? It hides the big switch (ioctl), memory allocation, and error handling, and exposes the actual ioctl-specific code, which I thought was the key element. Why are we interested in boilerplate? > I'm afraid it gives a false sense of > security though. Not having to deal with one aspect of security just to > have to deal with the rest.... > It reduces the number of potential mistakes a driver author can make. > Lets put it this way: if the driver author has to type "copy_from_user" > there's a chance that he'll remember that the data comes from the user > and isn't to be trusted on face value. > I'll rename the argp variable to argp_user_supplied. I can't believe you think writing the copy code from scratch (or worse, copy/paste) each time helps security. -- I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists