lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <a2c781bbd5c44fd19483076fd0296943@AcuMS.aculab.com>
Date:   Tue, 31 Mar 2020 13:51:44 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: [RFC PATCH 00/12] Changes to code that reads iovec from userspace

This is RFC because we seem to be in a merge window.

The canonical code to read iov[] is currently:
	struct iovec iovstack[UIO_FASTIOV];
	struct iovec *iov;
	...
	iov = iovstack;
	rc = import_iovec(..., UIO_FASTIOV, &iov, &iter);
	if (rc < 0)
		return rc;
	...
	kfree(iov);

Note that the 'iov' parameter is used for two different things.
On input it is an iov[] can can be used.
On output it is an iov[] array that must be freed.

If 'iovstack' is passed, the count is actually always UIO_FASTIOV (8)
although in some places the array definition is in a different file
(never mind function) from the constant used.

import_iovec() itself is just a wrapper to rw_copy_check_uvector().
So everything is passed through to a second function.
Several items are 'passed by reference' - adding to the code paths.

On success import_iovec() returned the transfer count.
Only one caller looks at it, the count is also in iter.count.

The new canonical code is:
	struct iov_cache cache;
	struct iovec *iov;
	...
	iov = iovec_import(..., &cache, &iter);
	if (IS_ERR(iov))
		return PTR_ERR(iov);
	...
	kfree(iov);

Since 'struct iov_cache' is a fixed size there is no need to pass in
a length (correct or not!). It can still be NULL (used by the scsi code).

iovec_import() contains the code that used to be in rw_copy_check_uvector()
and then sets up the iov_iter.

rw_copy_check_uvector() is no more.
The only other caller was in mm/process_vm_access.c when reading the
iov[] for the target process addresses when copying from a differ process.
This can extract the iov[] from an extra 'struct iov_iter'.

In passing I noticed an access_ok() call on each fragment.
I hope this is just there to bail out early!
It is also skipped in process_vm_rw(). I did a quick look but couldn't
see an obvious equivalent check.

Patches 1 and 2 tidy up existing code.
Patches 3 and 4 add the new interface.
Patches 5 through 10 change all the callers.
Patch 11 removes a 'hack' that allowed fs/io_uring be updated before the socket code.
Patch 12 removes the old interface.

I suspect the changes need to trickle through a merge window.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ