| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110226123522.GA4416@redhat.com>
Date: Sat, 26 Feb 2011 13:35:22 +0100
From: Oleg Nesterov <oleg@...hat.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
LKML <linux-kernel@...r.kernel.org>,
linux-mm <linux-mm@...ck.org>, pageexec@...email.hu,
Solar Designer <solar@...nwall.com>,
Eugene Teo <eteo@...hat.com>,
Brad Spengler <spender@...ecurity.net>,
Roland McGrath <roland@...hat.com>,
Milton Miller <miltonm@....com>
Subject: Re: [PATCH 0/4 RESEND] exec: unify compat/non-compat code
On 02/25, Linus Torvalds wrote:
>
> On Fri, Feb 25, 2011 at 9:52 AM, Oleg Nesterov <oleg@...hat.com> wrote:
> >> On 12/01, Milton Miller wrote:
> >> >
> >> > > +#ifdef CONFIG_COMPAT
> >> > > +int compat_do_execve(char * filename,
> >> > > + compat_uptr_t __user *argv,
> >> > > + compat_uptr_t __user *envp,
> >> > > + struct pt_regs * regs)
> >> > > +{
> >> > > + return do_execve_common(filename,
> >> > > + (void __user*)argv, (void __user*)envp,
> >> >
> >> > Shouldn't these be compat_ptr(argv)? (makes a difference on s390)
>
> Indeed. The "compat_uptr_t __user *argv" is wrong, and it should be just
>
> compat_uptr_t argv;
>
> and then every time you turn it into a pointer, it should use
> "compat_ptr(argv)".
Oh, perhaps, and I was thinking about this too. But this is another
issue, no? Or I misunderstood.
First of all, I agree that perhaps it makes sense to change the
signature of compat_do_execve()
- compat_do_execve(compat_uptr_t __user *argv)
+ compat_do_execve(compat_uptr_t argv)
but this has nothing to do with this series. We can do this before
or after ("after" seems simpler").
> - user passes "compat_uptr_t"
Yes,
> - the kernel can turn that into "compat_uptr_t __user *" by doing
>
> compat_uptr_t __user *pptr;
> pptr = compat_ptr(argv);
Yes! and the kernel already does this before it calls compat_do_execve(),
iow compat_do_execve() gets the result of compat_ptr(compat_ptr_from_user).
> - the kernel needs to fetch the individual entries with
>
> compat_uptr_t cuptr = get_user(pptr);
>
> - the kernel can then turn _those_ into the actual pointers to the string with
>
> const char __user *str = compat_ptr(cuptr);
Yes, and this is exactly what get_arg_ptr(compat => true) does.
> > So, once again, this should not (and can not) be compat_ptr(argv) afaics.
>
> It can be, and probably should.
Only if we change the signature of compat_do_execve(). With the current
code yet another compat_ptr() is not needed and it is simply wrong, this
is what I meant when I replied to Milton.
> But the low-level s390 wrapper
> function may have done one of the levels already. It probably
> shouldn't, and we _should_ do the "compat_ptr()" thing a the generic C
> level.
Agreed, but currently this compat_ptr() thing belongs to the caller.
IOW. Lets look at the current code. arch/ calls
compat_do_execve(compat_uptr_t __user *argv)->compat_count(argv) which
does get_user(argv) without any conversion, because argv was already
converted or arch/ is buggy.
Both do_execve() and compat_do_execve() accept the valid pointer
which does not need any conversion. But this pointer points to different
things, either to "char*" of "compat_uptr_t".
However, please see my reply to 2-3/5, I agree that this is confusing
and can be cleanuped.
Or do you think I missed something else?
Oleg.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists