lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Feb 2024 11:40:24 +0100
From: Alice Ryhl <aliceryhl@...gle.com>
To: Valentin Obst <kernel@...entinobst.de>
Cc: a.hindborg@...sung.com, akpm@...ux-foundation.org, alex.gaynor@...il.com, 
	arnd@...db.de, arve@...roid.com, benno.lossin@...ton.me, 
	bjorn3_gh@...tonmail.com, boqun.feng@...il.com, brauner@...nel.org, 
	cmllamas@...gle.com, gary@...yguo.net, gregkh@...uxfoundation.org, 
	joel@...lfernandes.org, keescook@...omium.org, linux-kernel@...r.kernel.org, 
	linux-mm@...ck.org, maco@...roid.com, ojeda@...nel.org, 
	rust-for-linux@...r.kernel.org, surenb@...gle.com, tkjos@...roid.com, 
	viro@...iv.linux.org.uk, wedsonaf@...il.com
Subject: Re: [PATCH v2 3/4] rust: uaccess: add typed accessors for userspace pointers

On Thu, Feb 8, 2024 at 11:57 PM Valentin Obst <kernel@...entinobst.de> wrote:
>
> > +/// If a struct implements this trait, then it is okay to copy it byte-for-byte
> > +/// to userspace. This means that it should not have any padding, as padding
> > +/// bytes are uninitialized. Reading uninitialized memory is not just undefined
> > +/// behavior, it may even lead to leaking sensitive information on the stack to
> > +/// userspace.
>
> This feels a bit too restrictive to me. Isn't it okay to copy types with
> padding if it is ensured that the padding is always initialized?
>
> I recall that in C one occasionally does a `memset` for structs that are
> copied to user space. I imagine that one could have a Rust
> abstraction/macro that makes it easy to define custom types that can
> always guarantee that all padding bytes are initialized. Such types
> would then qualify for being copied to user space if all field do so as
> well.
>
> This could be a significant quality-of-life improvement for drivers
> as it can be tedious to define struct without padding.

I don't think we should go that route. For example:

let struct_1 = ..;
memset(&mut struct_1, 0);
let struct_2 = struct_1;

Even though struct_1 has its padding zeroed here, that is not the case
for struct_2. When Rust performs a typed copy/move, the padding is not
copied.

Anyway, there is a work-around. Define your struct with MaybeUninit:

// INVARIANT: All bytes always initialized.
struct MyWrapper(MaybeUninit<bindings::c_struct>);

impl Default for MyWrapper {
    fn default() -> Self {
        MyWrapper(MaybeUninit::zeroed())
    }
}

Unlike the bare struct, things wrapped in MaybeUninit always have
their padding preserved. Then, you can implement the trait for this
wrapper, since its padding is always initialized even if that is not
true for the wrapped struct.

Alice

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ