| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <254496ac-bc5f-4622-99c4-9e2ada27e069@proton.me>
Date: Mon, 30 Sep 2024 14:04:06 +0000
From: Benno Lossin <benno.lossin@...ton.me>
To: Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, Andreas Hindborg <a.hindborg@...nel.org>, Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, Greg KH <gregkh@...uxfoundation.org>, linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org
Subject: Re: [PATCH v2 1/2] rust: add untrusted data abstraction
On 26.09.24 12:40, Simona Vetter wrote:
> On Wed, Sep 25, 2024 at 08:53:05PM +0000, Benno Lossin wrote:
>> + /// Sets the underlying untrusted value.
>> + ///
>> + /// # Examples
>> + ///
>> + /// ```
>> + /// use kernel::validate::Untrusted;
>> + ///
>> + /// let mut untrusted = Untrusted::new(42);
>> + /// untrusted.write(24);
>> + /// ```
>> + pub fn write(&mut self, value: impl Init<T>) {
>> + let ptr: *mut T = &mut self.0 .0;
>> + // SAFETY: `ptr` came from a mutable reference and the value is overwritten before it is
>> + // read.
>> + unsafe { ptr::drop_in_place(ptr) };
>> + // SAFETY: `ptr` came from a mutable reference and the initializer cannot error.
>> + match unsafe { value.__init(ptr) } {
>> + Ok(()) => {}
>> + }
>> + }
>
> So I think this doesn't work for a few reasons:
>
> - there's a lot of unsafe both here and when using this (even without
> MaybeUninit), at least if I understand things correctly. And forcing
> unsafe for something that inheritedly does not break any of the rust
> memory safety rules feels silly.
>
> - it also looks awkward, because you have the special versions
> write_uninit and write_uninit_slice, and imo if our write isn't good
> enought to just work with abritrary box/container types, it's not good.
>
> - it doesn't actually work for one of the main uaccess.rs use-cases beyond
> just enabling the current interface. Example in pseudo-rust:
>
> struct IoctlParams {
> input: u32,
> ouptut: u32,
> }
>
> The thing is that ioctl that use the struct approach like drm does, use
> the same struct if there's both input and output paramterers, and
> furthermore we are not allowed to overwrite the entire struct because
> that breaks ioctl restarting. So the flow is roughly
>
> let userptr : UserSlice;
> let params : Untrusted<IoctlParams>;
>
> userptr.read(params));
>
> // validate params, do something interesting with it params.input
>
> // this is _not_ allowed to overwrite params.input but must leave it
> // unchanged
>
> params.write(|x| { x.output = 42; });
>
> userptr.write(params);
>
> Your current write doesn't allow this case, and I think that's not good
> enough.
I see. One thing that makes this API work better is field projections
(it's a rust language feature for which we do have a PoC macro
implementation and which I am working on getting into the language):
To only overwrite a part of a struct you would do
params->output.write(42);
The `->` syntax "projects" the `output` field, turning
`Untrusted<IoctlParams>` into `Untrusted<u32>`.
I think that this would solve your problem with the API. (we probably
need a stop gap solution though until field projections are part of the
language).
> The one I propsed in private does:
>
> Untrusted<T>::write(&mut self, Fn(&mut T)->())
>
> It's not perfect because it allows you to do other stuff than writing,
> but it's still pretty good by limiting any potentially dangerous code to
> the provided closure. And with these of protection apis we need to
> strike the right balance between as much protection as possible while
> still allowing users to get the job done.
Ideally I would like to avoid exposing the value.
> Now I guess you can do this with your write too using a copy constructor
> approach, but that will result in less efficient code and it's probably
> also too much functional programming design for kernel developers to
> cope with.
Agreed.
>> +
>> + /// Turns a slice of untrusted values into an untrusted slice of values.
>> + pub fn transpose_slice(slice: &[Untrusted<T>]) -> &Untrusted<[T]>
>> + where
>> + T: Sized,
>> + {
>> + let ptr = slice.as_ptr().cast::<T>();
>> + // SAFETY: `ptr` and `len` come from the same slice reference.
>> + let slice = unsafe { slice::from_raw_parts(ptr, slice.len()) };
>> + Untrusted::new_ref(slice)
>> + }
>> +
>> + /// Turns a slice of uninitialized, untrusted values into an untrusted slice of uninitialized
>> + /// values.
>> + pub fn transpose_slice_uninit(
>> + slice: &[MaybeUninit<Untrusted<T>>],
>> + ) -> &Untrusted<[MaybeUninit<T>]>
>
> So these and some of the related functions to handle slice of box vs box
> of slice feel a bit awkward. I think we can do better if we rename
> Untrusted and Unvalidated to UntrustedBox and UnvalidatedBox, and then
> make Untrusted and Unvalidated traits, with implementations for
> UntrustedBox<T>, [Untrusted<T>], and all the others we want.
Hmm that might work for `Untrusted`, I will see how that looks. For
`Unvalidated` I am less confident.
> I expect that in the future we'll get more boxes with special semantics
> that we want to use together with Untrusted, not just [] and MaybeUninit.
> One example would be when the Untrusted data is shared with userspace
> (mmap()ed into both kernel and userspace for example for a ringbuffer), in
> which case the data is both Untrusted but also SharedUnsafe or whatever
> we'll call memory that's fundamentally breaking the rust memory model
> because there's no exclusive access (userspace can always do whatever it
> feels like), and all access has to go through at least
> READ_ONCE/WRITE_ONCE from the C side, or often even full blown atomics.
I don't think that we need to wrap that in `Untrusted`, instead the type
representing shared data between kernel and userspace should return
`Untrusted<u8>` instead of `u8`.
> And that memory is not MaybeUninit, because we have to initialize it
> before userspace can mmap it, for otherwise it's an information leak and
> hence security issue.
>
> tldr; I think going with traits for Untrusted and Unvalidated here will be
> worth it, even if a bit more pain at first. Plus cleaner interfaces.
>
>> + where
>> + T: Sized,
>> + {
>> + let ptr = slice.as_ptr().cast::<MaybeUninit<T>>();
>> + // SAFETY: `ptr` and `len` come from the same mutable slice reference.
>> + let slice = unsafe { slice::from_raw_parts(ptr, slice.len()) };
>> + Untrusted::new_ref(slice)
>> + }
[...]
>> +/// Validates untrusted data.
>> +///
>> +/// # Examples
>> +///
>> +/// The simplest way to validate data is to just implement `Validate<&Unvalidated<[u8]>>` for the
>> +/// type that you wish to validate:
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// error::{code::EINVAL, Error},
>> +/// str::{CStr, CString},
>> +/// validate::{Unvalidated, Validate},
>> +/// };
>> +///
>> +/// struct Data {
>> +/// flags: u8,
>> +/// name: CString,
>> +/// }
>> +///
>> +/// impl Validate<&Unvalidated<[u8]>> for Data {
>> +/// type Err = Error;
>> +///
>> +/// fn validate(unvalidated: &Unvalidated<[u8]>) -> Result<Self, Self::Err> {
>> +/// let raw = unvalidated.raw();
>> +/// let (&flags, name) = raw.split_first().ok_or(EINVAL)?;
>> +/// let name = CStr::from_bytes_with_nul(name)?.to_cstring()?;
>> +/// Ok(Data { flags, name })
>> +/// }
>> +/// }
>> +/// ```
>> +///
>> +/// This approach copies the data and requires allocation. If you want to avoid the allocation and
>> +/// copying the data, you can borrow from the input like this:
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// error::{code::EINVAL, Error},
>> +/// str::CStr,
>> +/// validate::{Unvalidated, Validate},
>> +/// };
>> +///
>> +/// struct Data<'a> {
>> +/// flags: u8,
>> +/// name: &'a CStr,
>> +/// }
>> +///
>> +/// impl<'a> Validate<&'a Unvalidated<[u8]>> for Data<'a> {
>> +/// type Err = Error;
>> +///
>> +/// fn validate(unvalidated: &'a Unvalidated<[u8]>) -> Result<Self, Self::Err> {
>> +/// let raw = unvalidated.raw();
>> +/// let (&flags, name) = raw.split_first().ok_or(EINVAL)?;
>> +/// let name = CStr::from_bytes_with_nul(name)?;
>> +/// Ok(Data { flags, name })
>> +/// }
>> +/// }
>> +/// ```
>> +///
>> +/// If you need to in-place validate your data, you currently need to resort to `unsafe`:
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// error::{code::EINVAL, Error},
>> +/// str::CStr,
>> +/// validate::{Unvalidated, Validate},
>> +/// };
>> +/// use core::mem;
>> +///
>> +/// // Important: use `repr(C)`, this ensures a linear layout of this type.
>> +/// #[repr(C)]
>> +/// struct Data {
>> +/// version: u8,
>> +/// flags: u8,
>> +/// _reserved: [u8; 2],
>> +/// count: u64,
>> +/// // lots of other fields...
>> +/// }
>> +///
>> +/// impl Validate<&Unvalidated<[u8]>> for &Data {
>> +/// type Err = Error;
>> +///
>> +/// fn validate(unvalidated: &Unvalidated<[u8]>) -> Result<Self, Self::Err> {
>> +/// let raw = unvalidated.raw();
>> +/// if raw.len() < mem::size_of::<Data>() {
>> +/// return Err(EINVAL);
>> +/// }
>> +/// // can only handle version 0
>> +/// if raw[0] != 0 {
>> +/// return Err(EINVAL);
>> +/// }
>> +/// // version 0 only uses the lower 4 bits of flags
>> +/// if raw[1] & 0xf0 != 0 {
>> +/// return Err(EINVAL);
>> +/// }
>> +/// let ptr = raw.as_ptr();
>> +/// // CAST: `Data` only contains integers and has `repr(C)`.
>> +/// let ptr = ptr.cast::<Data>();
>> +/// // SAFETY: `ptr` came from a reference and the cast above is valid.
>> +/// Ok(unsafe { &*ptr })
>> +/// }
>> +/// }
>> +/// ```
>> +///
>> +/// To be able to modify the parsed data, while still supporting zero-copy, you can implement
>> +/// `Validate<&mut Unvalidated<[u8]>>`:
>> +///
>> +/// ```
>> +/// use kernel::{
>> +/// error::{code::EINVAL, Error},
>> +/// str::CStr,
>> +/// validate::{Unvalidated, Validate},
>> +/// };
>> +/// use core::mem;
>> +///
>> +/// // Important: use `repr(C)`, this ensures a linear layout of this type.
>> +/// #[repr(C)]
>> +/// struct Data {
>> +/// version: u8,
>> +/// flags: u8,
>> +/// _reserved: [u8; 2],
>> +/// count: u64,
>> +/// // lots of other fields...
>> +/// }
>> +///
>> +/// impl Validate<&mut Unvalidated<[u8]>> for &Data {
>> +/// type Err = Error;
>
> I think we should make that one the default, but not sure that's doable
> with associated types instead of generics.
There is the `associated_type_defaults` unstable feature:
https://github.com/rust-lang/rust/issues/29661
But I actually think that we should get away from making the `Error`
type the return error of Rust functions. It's much better to have
function-specific errors, since they can be more descriptive. In cases
where we have to return to userspace or C, sure use the existing
`Error`.
> The input parameter should definitely default to the output paramter,
> because often they're just exactly the same e.g. when validating ioctl
> input structures.
I don't understand what you mean by this? The input parameter has to be
some sort of `..Untrusted..` and the output shouldn't have that.
> On this version you've also left out the in-place validation (originally
> validate_bytes), but we can add that later on when a need arises I guess.
> Or do you think it's just not a good idea in general?
This version supports in-place validation, this example and the one
above showcase how you would implement `Validate` in that case.
You can then call `.vaildate()` on an `&[mut ]Unvalidated<[u8]>` and you
get a `&Data` that borrows from the unvalidated data without copying the
data.
---
Cheers,
Benno
>> +///
>> +/// fn validate(unvalidated: &mut Unvalidated<[u8]>) -> Result<Self, Self::Err> {
>> +/// let raw = unvalidated.raw_mut();
>> +/// if raw.len() < mem::size_of::<Data>() {
>> +/// return Err(EINVAL);
>> +/// }
>> +/// match raw[0] {
>> +/// 0 => {},
>> +/// 1 => {
>> +/// // version 1 implicitly sets the first bit.
>> +/// raw[1] |= 1;
>> +/// },
>> +/// // can only handle version 0 and 1
>> +/// _ => return Err(EINVAL),
>> +/// }
>> +/// // version 0 and 1 only use the lower 4 bits of flags
>> +/// if raw[1] & 0xf0 != 0 {
>> +/// return Err(EINVAL);
>> +/// }
>> +/// if raw[1] == 0 {}
>> +/// let ptr = raw.as_ptr();
>> +/// // CAST: `Data` only contains integers and has `repr(C)`.
>> +/// let ptr = ptr.cast::<Data>();
>> +/// // SAFETY: `ptr` came from a reference and the cast above is valid.
>> +/// Ok(unsafe { &*ptr })
>> +/// }
>> +/// }
>> +/// ```
>> +pub trait Validate<I: ValidateInput>: Sized {
>> + /// Validation error.
>> + type Err;
>> +
>> + /// Validate the given untrusted data and parse it into the output type.
>> + fn validate(unvalidated: I) -> Result<Self, Self::Err>;
>> +}
Powered by blists - more mailing lists