Message-ID: <2adc77e1-e84d-f303-fd88-133ec950c33f@iogearbox.net>
Date:   Tue, 7 Apr 2020 11:03:23 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Christoph Hellwig <hch@...radead.org>
Cc:     Alexei Starovoitov <ast@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Masami Hiramatsu <mhiramat@...nel.org>, x86@...nel.org,
        linux-kernel@...r.kernel.org, bpf@...r.kernel.org,
        bgregg@...flix.com
Subject: Re: Question on "uaccess: Add strict non-pagefault kernel-space read
 function"

On 4/4/20 11:31 AM, Christoph Hellwig wrote:
> On Fri, Apr 03, 2020 at 04:20:24PM +0200, Daniel Borkmann wrote:
>> With crazy old functions I presume you mean the old bpf_probe_read()
>> which is mapped to BPF_FUNC_probe_read helper or something else entirely?
> 
> I couldn't care less about bpf, this is about the kernel API.
> 
> What I mean is that your new probe_kernel_read_strict and
> strncpy_from_unsafe_strict helpers are good and useful.  But for this
> to actually make sense we need to get rid of the non-strict versions,
> and we also need to get rid of some of the weak alias magic.

Yeah agree, the probe_kernel_read() should do the strict checks by default
and there would need to be some way to opt-out for the legacy helpers to
not break. So it would end up looking like the below ...

long __probe_kernel_read(void *dst, const void *src, size_t size)
{
         long ret = -EFAULT;
         mm_segment_t old_fs = get_fs();

         set_fs(KERNEL_DS);
         if (kernel_range_ok(src, size))
                 ret = probe_read_common(dst, (__force const void __user *)src, size);
         set_fs(old_fs);

         return ret;
}

... where archs with non-overlapping user and kernel address range would
only end up having to implement kernel_range_ok() check. Or, instead of
a generic kernel_range_ok() this could perhaps be more probing-specific as
in probe_kernel_range_ok() where this would then also cover the special
cases we seem to have in parisc and um. Then, this would allow to get rid
of all the __weak aliasing as well which may just be confusing. I could look
into coming up with something along these lines. Thoughts?
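
Added example, not part of the original message or of the kernel source: a userspace C model of the strict-by-default read sketched above, showing the range check rejecting a user-space address and a range that wraps past the top of the address space. The model_* names, the two address constants and the constructed buffer are assumptions made for illustration; a real check would be per-architecture.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: user addresses below MODEL_TASK_SIZE_MAX, kernel above. */
#define MODEL_TASK_SIZE_MAX 0x00007ffffffff000ULL
#define MODEL_KERNEL_BASE   0xffff888000000000ULL

/* Constructed stand-in for the only "mapped" kernel memory in this model. */
static const unsigned char model_kmem[] = "constructed kernel bytes";

/* Hypothetical range check: the whole range must lie in kernel space. */
static bool model_kernel_range_ok(uint64_t src, size_t size)
{
    /* Reject ranges whose last byte wraps past the top of the address space. */
    if (size && src + (uint64_t)(size - 1) < src)
        return false;
    return src >= MODEL_TASK_SIZE_MAX;
}

/* Strict-by-default read: range check first, then the fault-tolerant copy. */
static long model_probe_kernel_read(void *dst, uint64_t src, size_t size)
{
    uint64_t off;

    if (!model_kernel_range_ok(src, size))
        return -EFAULT;
    /* Stand-in for probe_read_common(): unmapped addresses fail, not fault. */
    if (src < MODEL_KERNEL_BASE)
        return -EFAULT;
    off = src - MODEL_KERNEL_BASE;
    if (off > sizeof(model_kmem) || size > sizeof(model_kmem) - off)
        return -EFAULT;
    memcpy(dst, model_kmem + off, size);
    return 0;
}

int main(void)
{
    unsigned char buf[8];

    printf("kernel address: %ld\n", model_probe_kernel_read(buf, MODEL_KERNEL_BASE, 8));
    printf("user address:   %ld\n", model_probe_kernel_read(buf, 0x1000, 8));
    printf("wrapping range: %ld\n", model_probe_kernel_read(buf, UINT64_MAX - 3, 8));
    return 0;
}
```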
