lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 Apr 2024 09:53:23 +0000
From: Alice Ryhl <aliceryhl@...gle.com>
To: boqun.feng@...il.com
Cc: a.hindborg@...sung.com, akpm@...ux-foundation.org, alex.gaynor@...il.com, 
	aliceryhl@...gle.com, arnd@...db.de, arve@...roid.com, benno.lossin@...ton.me, 
	bjorn3_gh@...tonmail.com, brauner@...nel.org, cmllamas@...gle.com, 
	gary@...yguo.net, gregkh@...uxfoundation.org, joel@...lfernandes.org, 
	keescook@...omium.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, 
	maco@...roid.com, ojeda@...nel.org, rust-for-linux@...r.kernel.org, 
	surenb@...gle.com, tkjos@...roid.com, viro@...iv.linux.org.uk, 
	wedsonaf@...il.com, willy@...radead.org
Subject: Re: [PATCH v5 1/4] rust: uaccess: add userspace pointers

Boqun Feng <boqun.feng@...il.com> writes:
> On Mon, Apr 15, 2024 at 07:13:53AM +0000, Alice Ryhl wrote:
>> From: Wedson Almeida Filho <wedsonaf@...il.com>
>> 
>> A pointer to an area in userspace memory, which can be either read-only
>> or read-write.
>> 
>> All methods on this struct are safe: attempting to read or write on bad
>> addresses (either out of the bound of the slice or unmapped addresses)
>> will return `EFAULT`. Concurrent access, *including data races to/from
>> userspace memory*, is permitted, because fundamentally another userspace
>> thread/process could always be modifying memory at the same time (in the
>> same way that userspace Rust's `std::io` permits data races with the
>> contents of files on disk). In the presence of a race, the exact byte
>> values read/written are unspecified but the operation is well-defined.
>> Kernelspace code should validate its copy of data after completing a
>> read, and not expect that multiple reads of the same address will return
>> the same value.
>> 
>> These APIs are designed to make it difficult to accidentally write
>> TOCTOU bugs. Every time you read from a memory location, the pointer is
>> advanced by the length so that you cannot use that reader to read the
>> same memory location twice. Preventing double-fetches avoids TOCTOU
>> bugs. This is accomplished by taking `self` by value to prevent
>> obtaining multiple readers on a given `UserSlicePtr`, and the readers
>> only permitting forward reads. If double-fetching a memory location is
>> necessary for some reason, then that is done by creating multiple
>> readers to the same memory location.
>> 
>> Constructing a `UserSlicePtr` performs no checks on the provided
>> address and length, it can safely be constructed inside a kernel thread
>> with no current userspace process. Reads and writes wrap the kernel APIs
>> `copy_from_user` and `copy_to_user`, which check the memory map of the
>> current process and enforce that the address range is within the user
>> range (no additional calls to `access_ok` are needed).
>> 
>> This code is based on something that was originally written by Wedson on
>> the old rust branch. It was modified by Alice by removing the
>> `IoBufferReader` and `IoBufferWriter` traits, and various other changes.
>> 
>> Signed-off-by: Wedson Almeida Filho <wedsonaf@...il.com>
>> Co-developed-by: Alice Ryhl <aliceryhl@...gle.com>
>> Signed-off-by: Alice Ryhl <aliceryhl@...gle.com>
> 
> Thanks!
> 
> Reviewed-by: Boqun Feng <boqun.feng@...il.com>

Thanks for taking a look!

>> ---
>>  rust/helpers.c         |  14 +++
>>  rust/kernel/lib.rs     |   1 +
>>  rust/kernel/uaccess.rs | 304 +++++++++++++++++++++++++++++++++++++++++++++++++
>>  3 files changed, 319 insertions(+)
>> 
> [...]
>> +    /// Reads raw data from the user slice into a kernel buffer.
>> +    ///
>> +    /// Fails with `EFAULT` if the read happens on a bad address.
> 
> ... we probably want to mention that `out` may get modified even in
> failure cases.

Will do.

>> +    pub fn read_slice(&mut self, out: &mut [u8]) -> Result {
>> +        // SAFETY: The types are compatible and `read_raw` doesn't write uninitialized bytes to
>> +        // `out`.
>> +        let out = unsafe { &mut *(out as *mut [u8] as *mut [MaybeUninit<u8>]) };
>> +        self.read_raw(out)
>> +    }
>> +
> [...]
>> +
>> +impl UserSliceWriter {
> [...]
>> +
>> +    /// Writes raw data to this user pointer from a kernel buffer.
>> +    ///
>> +    /// Fails with `EFAULT` if the write happens on a bad address.
> 
> Same here, probably mention that: the userspace memory may be modified
> even in failure cases.

Will do.

> Anyway, they are not correctness critical, so we can do these in later
> patches.

It looks like I'll have to send another version anyway due to the
conflict with [1], so I can take care of it.

Alice

[1]: https://lore.kernel.org/rust-for-linux/20240328013603.206764-1-wedsonaf@gmail.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ