| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 16 Mar 2024 14:16:11 +0000 From: Benno Lossin <benno.lossin@...ton.me> To: Alice Ryhl <aliceryhl@...gle.com>, Miguel Ojeda <ojeda@...nel.org>, Matthew Wilcox <willy@...radead.org>, Al Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org> Cc: Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, Andreas Hindborg <a.hindborg@...sung.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Arve Hjønnevåg <arve@...roid.com>, Todd Kjos <tkjos@...roid.com>, Martijn Coenen <maco@...roid.com>, Joel Fernandes <joel@...lfernandes.org>, Carlos Llamas <cmllamas@...gle.com>, Suren Baghdasaryan <surenb@...gle.com>, Arnd Bergmann <arnd@...db.de>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org, Christian Brauner <brauner@...nel.org> Subject: Re: [PATCH v3 1/4] rust: uaccess: add userspace pointers On 3/11/24 11:47, Alice Ryhl wrote: > From: Wedson Almeida Filho <wedsonaf@...il.com> > > A pointer to an area in userspace memory, which can be either read-only > or read-write. > > All methods on this struct are safe: invalid pointers return `EFAULT`. > Concurrent access, *including data races to/from userspace memory*, is > permitted, because fundamentally another userspace thread/process could > always be modifying memory at the same time (in the same way that > userspace Rust's `std::io` permits data races with the contents of > files on disk). In the presence of a race, the exact byte values > read/written are unspecified but the operation is well-defined. > Kernelspace code should validate its copy of data after completing a > read, and not expect that multiple reads of the same address will return > the same value. > > These APIs are designed to make it difficult to accidentally write > TOCTOU bugs. Every time you read from a memory location, the pointer is > advanced by the length so that you cannot use that reader to read the > same memory location twice. Preventing double-fetches avoids TOCTOU > bugs. This is accomplished by taking `self` by value to prevent > obtaining multiple readers on a given `UserSlicePtr`, and the readers > only permitting forward reads. If double-fetching a memory location is > necessary for some reason, then that is done by creating multiple > readers to the same memory location. > > Constructing a `UserSlicePtr` performs no checks on the provided > address and length, it can safely be constructed inside a kernel thread > with no current userspace process. Reads and writes wrap the kernel APIs > `copy_from_user` and `copy_to_user`, which check the memory map of the > current process and enforce that the address range is within the user > range (no additional calls to `access_ok` are needed). > > This code is based on something that was originally written by Wedson on > the old rust branch. It was modified by Alice by removing the > `IoBufferReader` and `IoBufferWriter` traits, and various other changes. > > Signed-off-by: Wedson Almeida Filho <wedsonaf@...il.com> > Co-developed-by: Alice Ryhl <aliceryhl@...gle.com> > Signed-off-by: Alice Ryhl <aliceryhl@...gle.com> Reviewed-by: Benno Lossin <benno.lossin@...ton.me>
Powered by blists - more mailing lists